kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

use authentication.kubernetes.io/issued-credential-id audit annotation in serviceaccount token registry endpoint 

Kubernetes-commit: 7f12735fffdc490eae59e98d0f03638067b028de
This commit is contained in:
James Munnelly 2024-02-02 16:57:16 +00:00 committed by Kubernetes Publisher
parent 7b91578b43
commit c60b23f298
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/authentication/serviceaccount/util.go
View File

@ -39,6 +39,12 @@ const (
// CredentialIDKey is the key used in a user's "extra" to specify the unique // CredentialIDKey is the key used in a user's "extra" to specify the unique
// identifier for this identity document). // identifier for this identity document).
CredentialIDKey = "authentication.kubernetes.io/credential-id" CredentialIDKey = "authentication.kubernetes.io/credential-id"
// IssuedCredentialIDAuditAnnotationKey is the annotation key used in the audit event that is persisted to the
// '/token' endpoint for service accounts.
// This annotation indicates the generated credential identifier for the service account token being issued.
// This is useful when tracing back the origin of tokens that have gone on to make request that have persisted
// their credential-identifier into the audit log via the user's extra info stored on subsequent audit events.
IssuedCredentialIDAuditAnnotationKey = "authentication.kubernetes.io/issued-credential-id"
// PodNameKey is the key used in a user's "extra" to specify the pod name of // PodNameKey is the key used in a user's "extra" to specify the pod name of
// the authenticating request. // the authenticating request.
PodNameKey = "authentication.kubernetes.io/pod-name" PodNameKey = "authentication.kubernetes.io/pod-name"