Kubernetes v1 authentication resources provide mechanisms for verifying identities within the cluster. These include ServiceAccounts, TokenRequests, TokenReviews, and CertificateSigningRequests, forming a robust system for secure access control in Kubernetes clusters.
The TokenRequest template is designed to create a request for a service account token in Kubernetes. It uses a combination of facets and variables to allow for flexible configurations.
Variables
__TR_ID__: This global variable represents the identifier for the TokenRequest, used to access specific fields in the request values.
Collection Breakdown
- Base
{
  "kind": "TokenRequest",
  "facets": ["master"],
  "metadata": {
    "name": "{{ __TR_ID__.metadata.name }}",
    "namespace": "{{ __TR_ID__.metadata.namespace }}"
  },
  "apiVersion": "authentication.k8s.io/v1"
}
This section is always included (due to the master facet). It sets the kind, apiVersion, and metadata for the TokenRequest resource.
- Audiences
{
  "spec": {
    "audiences": "{{ __TR_ID__.spec.audiences }}"
  },
  "facets": ["addon:spec"]
}
This section specifies the intended audiences of the token. It's part of the core spec and is included when the addon:spec facet is used.
- Expiration
{
  "spec": {
    "expirationSeconds": "{{ __TR_ID__.spec.expirationSeconds }}"
  },
  "facets": ["addon:spec", "addon:expiration"]
}
This optional section allows specification of the token's expiration time.
- Bound Object
{
  "spec": {
    "boundObjectRef": {
      "kind": "{{ __TR_ID__.spec.boundObjectRef.kind }}",
      "apiVersion": "{{ __TR_ID__.spec.boundObjectRef.apiVersion }}",
      "name": "{{ __TR_ID__.spec.boundObjectRef.name }}",
      "uid": "{{ __TR_ID__.spec.boundObjectRef.uid }}"
    }
  },
  "facets": ["addon:spec", "addon:boundobjectref"]
}
This optional section allows the token to be bound to a specific object.
Design Decisions
Modularity: The template is divided into multiple sections with separate facets, allowing users to include only the necessary parts of a TokenRequest definition.
Flexibility: The use of facets allows for optional inclusion of various TokenRequest features, making the template suitable for both simple and complex token request configurations.
Namespace Awareness: The template includes the namespace in the metadata, ensuring that TokenRequests can be created in specific namespaces.
Security Features: The template includes options for specifying audiences and expiration, which are important security considerations for token requests.
Object Binding: The template allows for binding the token to a specific object, which can be useful for more granular access control.
Examples
Check Request Body tab section to play around with interactive examples.
The Curl tab in the request section below provides the curl command for your resource.
curl -X POST "https://configfacets.com/apis/repos/kubernetes/authentication-resources/v1/resources/collections/tokenrequest/exec?format=json" -d '{"facets":["master","addon:spec"],"values":{"basic_tr":{"spec":{"audiences":["https://kubernetes.default.svc"]},"metadata":{"name":"example-token-request","namespace":"default"}}},"globalvars":{"__TR_ID__":"basic_tr"}}' | kubectl apply -f -
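A pre-apply lint for the rendered TokenRequest, covering the audience, expiration and bound-object fields discussed above. This is an added example, not part of the original page or the Configfacets project. The function name, the 3600-second ceiling, the accepted bound kinds and the sample bodies are assumptions of this example.

```python
import json

MIN_EXPIRATION = 600    # kube-apiserver rejects requests shorter than 10 minutes
MAX_EXPIRATION = 3600   # assumed local policy ceiling, not a Kubernetes limit
BOUND_KINDS = {"Pod", "Secret"}  # kinds accepted by this example's policy


def lint_token_request(doc):
    """Return a list of findings for one rendered TokenRequest (a dict)."""
    findings = []
    if (doc.get("kind"), doc.get("apiVersion")) != ("TokenRequest", "authentication.k8s.io/v1"):
        findings.append("not an authentication.k8s.io/v1 TokenRequest")
    if "{{" in json.dumps(doc):  # a template variable had no value to render
        findings.append("unrendered {{ ... }} placeholder in output")
    spec = doc.get("spec") or {}
    aud = spec.get("audiences")
    if not (isinstance(aud, list) and aud and all(isinstance(a, str) and a for a in aud)):
        findings.append("spec.audiences must be a non-empty list of strings")
    exp = spec.get("expirationSeconds")
    if exp is not None:  # omitted means the API server default applies
        if type(exp) is not int:  # the template quotes this value; catch "3600"
            findings.append("spec.expirationSeconds must be an integer")
        elif not MIN_EXPIRATION <= exp <= MAX_EXPIRATION:
            findings.append("spec.expirationSeconds outside %d-%d" % (MIN_EXPIRATION, MAX_EXPIRATION))
    ref = spec.get("boundObjectRef")
    if ref is not None:
        if ref.get("kind") not in BOUND_KINDS:
            findings.append("boundObjectRef.kind must be one of %s" % sorted(BOUND_KINDS))
        if not ref.get("name"):
            findings.append("boundObjectRef.name is empty")
    return findings


def sample(spec):  # constructed sample bodies, shaped like the page's templates
    return {"kind": "TokenRequest", "apiVersion": "authentication.k8s.io/v1",
            "metadata": {"name": "example-token-request", "namespace": "default"},
            "spec": spec}


GOOD = sample({"audiences": ["https://kubernetes.default.svc"]})
BAD = sample({"audiences": "{{ __TR_ID__.spec.audiences }}",
              "expirationSeconds": "86400",
              "boundObjectRef": {"kind": "Deployment", "name": ""}})

if __name__ == "__main__":
    print(lint_token_request(GOOD))
    for finding in lint_token_request(BAD):
        print("FINDING:", finding)
```

Saving the curl output to a file and running it through a check like this before `kubectl apply` keeps a misrendered or overly long-lived token request from reaching the cluster.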