From c60b23f2983282397997e0bfd5b1e9568aeea8a9 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Fri, 2 Feb 2024 16:57:16 +0000
Subject: [PATCH] use authentication.kubernetes.io/issued-credential-id audit annotation in serviceaccount token registry endpoint

Kubernetes-commit: 7f12735fffdc490eae59e98d0f03638067b028de
---
 pkg/authentication/serviceaccount/util.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/authentication/serviceaccount/util.go b/pkg/authentication/serviceaccount/util.go
index c55fe5d2e..3e29d4e71 100644
--- a/pkg/authentication/serviceaccount/util.go
+++ b/pkg/authentication/serviceaccount/util.go
@@ -39,6 +39,12 @@ const (
 	// CredentialIDKey is the key used in a user's "extra" to specify the unique
 	// identifier for this identity document).
 	CredentialIDKey = "authentication.kubernetes.io/credential-id"
+	// IssuedCredentialIDAuditAnnotationKey is the annotation key used in the audit event that is persisted to the
+	// '/token' endpoint for service accounts.
+	// This annotation indicates the generated credential identifier for the service account token being issued.
+	// This is useful when tracing back the origin of tokens that have gone on to make request that have persisted
+	// their credential-identifier into the audit log via the user's extra info stored on subsequent audit events.
+	IssuedCredentialIDAuditAnnotationKey = "authentication.kubernetes.io/issued-credential-id"
 	// PodNameKey is the key used in a user's "extra" to specify the pod name of
 	// the authenticating request.
 	PodNameKey = "authentication.kubernetes.io/pod-name"
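Review bot: The doc comment on the new IssuedCredentialIDAuditAnnotationKey constant is ambiguous about where the annotation lives — "the audit event that is persisted to the '/token' endpoint" reads as if the event is written to the endpoint, and "make request" should be "make requests". The first two lines would be clearer as `// IssuedCredentialIDAuditAnnotationKey is the audit annotation key recorded on the audit event for a` / `// request to the '/token' subresource of a service account.` The comment should also name CredentialIDKey explicitly, since the value of this annotation is the same identifier that later requests carry under CredentialIDKey in the user's extra info; stating that pairing is what lets an incident responder join a token's issuance event to its subsequent use in the audit log. The commit subject says the annotation is used in the serviceaccount token registry endpoint, but this diff only declares the constant — presumably the call site that sets the annotation is in a separate commit of the same change, which should be confirmed when reviewing the rest of the series.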