Skip to content

[v17] Add support for Kubernetes OIDC joining #57800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Aug 22, 2025
Merged

[v17] Add support for Kubernetes OIDC joining #57800

merged 5 commits into from
Aug 22, 2025

Conversation

@timothyb89
Copy link
Contributor

@timothyb89 timothyb89 commented Aug 12, 2025
edited
Loading

⚠️ This is an unclean backport and should be reviewed as a standalone PR ⚠️

This PR adds Kubernetes OIDC joining to v17, as originally added in #57538. However, as we've since switched OIDC libraries in v18, the change could not be cleanly backported: this depends on #54939, but in addition to being a poor backport candidate, depends on a new version of zitadel/oidc/v3 that I'm wary of updating in v17 unnecessarily.

Instead, I've ended up directly including some of the zitadel/oidc related functions that this particular join method needs, and left some notes to indicate that, should #54939 be backported in full, we should remove the duplicated functionality.

changelog: Add new oidc joining mode for Kubernetes delegated joining to support providers that can be configured to provide public OIDC endpoints, like EKS, AKS, and GKE.

To use, you'll need a Kubernetes cluster that issues OIDC tokens from an issuer with a public OpenID-compatible endpoint, like Amazon EKS. To check and resolve the right issuer value, run this command:

$ curl $(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')/.well-known/openid-configuration | jq -r '.issuer'
https://oidc.eks.us-west-2.amazonaws.com/id/my-cluster

This attempts to resolve the issuer from your local machine; providers like EKS will return an OIDC config pointing to internal URLs when used on an internal network. If your provider's OIDC endpoint isn't available, the curl call will fail, in which case this method won't work.

Once you've determined the issuer, create a join token:

kind: token
metadata:
  name: kubernetes-oidc-example
spec:
  bot_name: kubernetes-oidc-example
  join_method: kubernetes
  kubernetes:
    allow:
    - service_account: default:example
    oidc:
      issuer: https://oidc.eks.us-west-2.amazonaws.com/id/my-cluster
    type: oidc
  roles:
  - Bot
version: v2

You'll need to configure your Kubernetes pod to project a token with the Teleport cluster name as the configured audience, in this case we'll assume example.teleport.sh.

To project an additional token, add this to your pod spec:

spec:
  containers:
  - name: example
    # ...
    volumeMounts:
    - mountPath: /var/run/secrets/teleport-token
      name: teleport-token
  volumes:
  - name: teleport-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: example.teleport.sh
          expirationSeconds: 600
          path: token

When joining a client (Teleport agent, tbot, etc) make sure KUBERNETES_TOKEN_PATH is set to the token in the projected mount path, e.g. /var/run/secrets/teleport-token/token.

@timothyb89
[v18] Add new oidc subtype for Kubernetes joining (#57538) (#57683)
cdd6e16 
* MWI: Add `oidc` subtype for Kubernetes joining

This adds a new `oidc` subtype for Kubernetes joining, which allows
workloads to join using a Kubernetes service account token (JWT)
as usual, but verifies it using an OIDC flow rather than a static JWKS
keyset. This should better support platforms like EKS where the JWKS
keyset is rotated regularly.

* Validate OIDC subtype properly

* Initialize OIDC validator at startup

* Fix OIDC claims implementation

* Force use of cluster name as audience

* Remove authorized party workaround

* Reintroduce kubernetes claims check

* Remove unused constant

* Update generated operator resources

* Update generated TF docs

* Add validator tests

* Improve proto docs, enforce HTTP issuers, and add insecure override

* Update autogenerated docs
@timothyb89
Partially backport OIDC changes to fix build, include #57789
d1a338b 
This partially backports various dependencies of the original change.
Note that this is not a clean backport, and minor code and
organizational changes were made to facilitate this backport,
including copying some OIDC code directly into the token validator.

Additionally, caching support from #57789 was integrated directly. It
inherently depends on the same OIDC code that required modification,
so it has been pulled in directly.
@github-actions
Copy link

github-actions bot commented Aug 12, 2025
edited
Loading

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
timothyb89/v17/kubernetes-oidc-joining 247e271 4 ✅SUCCEED timothyb89-v17-kubernetes-oidc-joining 2025-08-22 01:15:35

@timothyb89
Remove caching support from the backport
8337539 
I've abandoned the caching approach in #57789, so this PR will proceed
without caching, as in branch/v18.
@timothyb89 timothyb89 marked this pull request as ready for review August 15, 2025 02:33
@github-actions github-actions bot requested review from ptgott and strideynet August 15, 2025 02:34
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from ptgott August 18, 2025 16:09
@timothyb89 timothyb89 added this pull request to the merge queue Aug 22, 2025
Merged via the queue into branch/v17 with commit d109826 Aug 22, 2025
43 checks passed
@timothyb89 timothyb89 deleted the timothyb89/v17/kubernetes-oidc-joining branch August 22, 2025 02:25
@fheinecke fheinecke mentioned this pull request Sep 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@strideynet strideynet strideynet approved these changes

@russjones russjones Awaiting requested review from russjones russjones is a code owner

@zmb3 zmb3 Awaiting requested review from zmb3 zmb3 is a code owner

@rosstimothy rosstimothy Awaiting requested review from rosstimothy rosstimothy is a code owner

Assignees

No one assigned

Labels

backport documentation helm kubernetes-access size/lg

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@timothyb89 @r0mant @strideynet