kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #123098 from munnerz/4193-jti-audit-changes 

use authentication.kubernetes.io/issued-credential-id audit annotation in serviceaccount token registry endpoint

Kubernetes-commit: 8c6e940a970e3a910b02442c001735619a8c7ba4
This commit is contained in:
Kubernetes Publisher 2024-02-05 08:45:43 -08:00
parent 7b91578b43 c60b23f298
commit 8340bec347
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/authentication/serviceaccount/util.go
View File

@ -39,6 +39,12 @@ const (
// CredentialIDKey is the key used in a user's "extra" to specify the unique // CredentialIDKey is the key used in a user's "extra" to specify the unique
// identifier for this identity document). // identifier for this identity document).
CredentialIDKey = "authentication.kubernetes.io/credential-id" CredentialIDKey = "authentication.kubernetes.io/credential-id"
// IssuedCredentialIDAuditAnnotationKey is the annotation key used in the audit event that is persisted to the
// '/token' endpoint for service accounts.
// This annotation indicates the generated credential identifier for the service account token being issued.
// This is useful when tracing back the origin of tokens that have gone on to make request that have persisted
// their credential-identifier into the audit log via the user's extra info stored on subsequent audit events.
IssuedCredentialIDAuditAnnotationKey = "authentication.kubernetes.io/issued-credential-id"
// PodNameKey is the key used in a user's "extra" to specify the pod name of // PodNameKey is the key used in a user's "extra" to specify the pod name of
// the authenticating request. // the authenticating request.
PodNameKey = "authentication.kubernetes.io/pod-name" PodNameKey = "authentication.kubernetes.io/pod-name"