☂️ [GEP-26] Workload Identity - Trust Based Authentication #9586

The current proposal allows changing credentialsBinding.CredentialsRef which is convenient but can also cause unwanted behavior. Let's imagine the following scenario. A user has access to a CredentialsBinding that references a Secret that is controlled by another organisation and is in another namespace. The user can reference this Secret for the purpose of creating a trial cluster. Now once the user has finished experimenting they can create their own Secret and point the existing CredentialsBinding to it. This will lead to a change in the provider accounts and the resources created in the trial account will be considered orphaned. We want to avoid that.

Proposal

I propose that we make credentialsBinding.CredentialsRef immutable and shoot.CredentialsBindingName mutable (but on condition). Migration from shoot.SecretBindingName to shoot.CredentialsBindingName will only be possible if the SecretBinding and the CredentialsBinding both reference exactly the same Secret and Quotas. We will allow changing the shoot.CredentialsBindingName when the user making the request has read permissions for both "old" and "new" credential. This will ensure that users that have access to a CredentialsBinding referencing a credential in another namespace cannot suddenly reference their own credential and leak the already created resources in another account. This check will only be made when a Shoot is updated, but not during creation.

gardener-prow bot added area/security Security related kind/enhancement Enhancement, improvement, extension labels Apr 15, 2024

gardener-prow bot assigned vpnachev Apr 15, 2024

JordanJordanov added the area/ipcei IPCEI (Important Project of Common European Interest) label Apr 16, 2024

vpnachev mentioned this issue Apr 19, 2024

[GEP-26] Add CredentialsBinding API #9626

Merged

vpnachev mentioned this issue May 10, 2024

[GEP-26] Move CredentialsBinding to security.gardener.cloud group #9734

Merged

gardener-prow bot added the kind/epic Large multi-story topic label May 14, 2024

vpnachev mentioned this issue May 16, 2024

[GEP-26] Add WorkloadIdentity API #9780

Merged

dimityrmirchev mentioned this issue May 17, 2024

[GEP-26] Remove unused packages #9784

Merged

JordanJordanov added the ipcei/workload-identity Epic for Gardener Workload Identity scenarios label May 21, 2024

vpnachev mentioned this issue May 21, 2024

[GEP-26] Add TokenRequest API and workloadidentities/token subresource #9813

Merged

dimityrmirchev mentioned this issue May 27, 2024

[GEP-26] Allow replacing SecretBindingName with CredentialsBindingName in Shoot spec (Part 1) #9853

Merged

dimityrmirchev mentioned this issue Jun 24, 2024

[GEP-26] Allow replacing SecretBindingName with CredentialsBindingName in Shoot spec (Part 2) #10020

Merged

vpnachev mentioned this issue Jun 27, 2024

[GEP26] Issue Signed JSON Web Tokens on WorkloadIdentity /token subresource #10042

Merged

dimityrmirchev mentioned this issue Jul 23, 2024

Handle conflicting label & finalizer when deleting CredentialsBinding or SecretBinding #10172

Merged

dimityrmirchev mentioned this issue Jul 31, 2024

[GEP-26] Cloudprovider secret can contain workload identity data #10239

Merged

JordanJordanov assigned dimityrmirchev Aug 5, 2024

dimityrmirchev mentioned this issue Aug 9, 2024

[GEP-26] Controller requesting tokens for Workload Identities #10298

Merged

vpnachev mentioned this issue Aug 12, 2024

[GEP-26] Add Support for Workload Identity Signing Key Rotation #10313

Merged

This was referenced Aug 14, 2024

[GEP-26] ReferenceCleaner reconciler as part of the CredentialsBinding controller #10327

Closed

[GEP-26] Allow quota scope to reference WorkloadIdentity #10346

Merged

[GEP-26] Add CredentialsBinding controller documentation #10347

Merged

vpnachev mentioned this issue Aug 16, 2024

[GEP-26] Cleanup temporary test secret #10348

Merged

dimityrmirchev mentioned this issue Aug 21, 2024

[GEP-26] CredentialsBinding.CredentialsRef is now immutable #10365

Merged

vpnachev mentioned this issue Aug 21, 2024

[GEP-26] Fix cloudprovider secret deplo 8000 yment to not renew WorkloadIdentity token on shoot reconciliation #10371

Closed

dimityrmirchev mentioned this issue Aug 23, 2024

[GEP-26] Fix cloudprovider secret deployment to not renew WorkloadIdentity token on shoot reconciliation #10383

Merged

dimityrmirchev mentioned this issue Sep 4, 2024

[GEP-26] CredentialsBinding validation via admission webhook gardener/gardener-extension-provider-aws#1047

Merged

This was referenced Oct 22, 2024

[GEP-26] Add support for credentials binding gardener/gardenctl-v2#464

Merged

Handle shoots using a Credentials Binding to reference cloud credentials gardener/dashboard#2147

Closed

This was referenced Nov 13, 2024

Migrate to aws-sdk-go v2 gardener/machine-controller-manager-provider-aws#176

Open

Migrate to aws-sdk-go v2 gardener/aws-custom-route-controller#46

Closed

vpnachev mentioned this issue Jan 14, 2025

[GEP-26] Add issuer field to workloadIdentity.status #11168

Closed

vpnachev mentioned this issue Jan 26, 2025

[GEP-26] Publish workload identity issuer URL in world readable configmap #11238

Merged

etiennnr mentioned this issue Feb 19, 2025

Add support for CredentialsBindings gardener/gardenctl-v2#521

Closed

dimityrmirchev mentioned this issue Feb 21, 2025

[GEP-26] Service Account impersonation via federated identities gardener/gardener-extension-provider-gcp#973

Merged

vpnachev mentioned this issue Mar 4, 2025

[GEP-26] Use WorkloadIdentity for ETCD backup - part 1 #11583

Merged

dimityrmirchev mentioned this issue Apr 8, 2025

[GEP-26] Overwrite existing cloud provider secret data when using workload identity config #11832

Merged

dimityrmirchev mentioned this issue Apr 28, 2025

[GEP-26] Require seed backup credential to exist if referenced through the seed spec #11950

Closed

vpnachev mentioned this issue Apr 28, 2025

[gardenet] Sync seed backup credentials on start-up #11959

Merged

dimityrmirchev mentioned this issue Apr 29, 2025

[GEP-26] Stale project controller considers workload identities #11962

Merged

This was referenced May 5, 2025

Migrate AWS SDK to v2 gardener/etcd-backup-restore#874

Merged

[GEP-26] Use WorkloadIdentity for ETCD backup - part 2 #12032

Merged

This was referenced May 14, 2025

[GEP-26] Do not default seed.spec.backup.secretRef/credentialsRef #12087

Merged

[GEP-26] Mention provider specific workload identity docs #12099

Merged

This was referenced May 22, 2025

[GEP-26] Do not try to copy infra creds for backup if workload identity is used #11983

Merged

[GEP-26] DoNotCopyBackupCredentials feature gate #12168

Open

[GEP-26] Improve workload identity documentation gardener/gardener-extension-provider-azure#1155

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

☂️ [GEP-26] Workload Identity - Trust Based Authentication #9586

☂️ [GEP-26] Workload Identity - Trust Based Authentication #9586

Uh oh!

Uh oh!

Uh oh!

☂️ [GEP-26] Workload Identity - Trust Based Authentication #9586

☂️ [GEP-26] Workload Identity - Trust Based Authentication #9586

Comments

Uh oh!

Tasks

API Server

Admission Controller

Controller Manager

Gardenlet

Operator

Discovery Server

Extensions

AWS

Azure

GCP

Alicloud

Enablement

Development Setup

Gardenctl

Dashboard

Uh oh!

Uh oh!

Uh oh!

Current state

Proposal

Uh oh!