Overview
Package k8sjwt provides a JWT verifier tailored to Kubernetes.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type KeyAndID
KeyAndID wraps a crypto.PublicKey along with the key ID that will identify it during the verification process.
Use GKEKeyIDForLocallyStoredKey and GKEKeyIDForCloudKMSKey to derive the key ID the same way GKE calculates it.
type KubernetesClaims
type KubernetesClaims struct {
	// Claims from RFC 7519
	Issuer     string
	Subject    string
	Audiences  []string
	Expiration time.Time
	NotBefore  time.Time
	IssuedAt   time.Time
	JTI        string

	// Bound-token claims carried under the "kubernetes.io" key
	Namespace          string
	ServiceAccountName string
	ServiceAccountUID  string
	PodName            string
	PodUID             string
	SecretName         string
	SecretUID          string
	NodeName           string
	NodeUID            string

	// WarnAfter is set when the API server extended the token's lifetime
	// beyond what was requested; it carries the originally requested expiry.
	WarnAfter time.Time
}
KubernetesClaims covers the claims that can be extracted from a newer Kubernetes bound service account JWT.
func Verify
func Verify(ctx context.Context, jwt string, expectedIssuer, expectedAudience string, now time.Time) (*KubernetesClaims, error)
Verify verifies a Kubernetes JWT and extracts its claims.
For bound service account tokens, this function performs cryptographic verification of the JWT, checks the issuer and audience claims, and checks the time-binding claims. It *does not* check the object binding claims. If your use case requires it, you will need to check the object bindings yourself by connecting to the cluster and confirming that the object(s) the bindings name still exist within the cluster.