add claimValidationRules, userValidationRules, and claims.extra to JWTAuthenticator CRD

This commit is contained in:
Ryan Richard
2025-07-15 14:38:54 -07:00
parent fdfe2a3c9f
commit 2a83d00373
65 changed files with 5486 additions and 487 deletions

View File

@@ -60,6 +60,79 @@ certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-claimvalidationrule"]
==== ClaimValidationRule
ClaimValidationRule provides the configuration for a single claim validation rule.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`claim`* __string__ | claim is the name of a required claim. +
Same as --oidc-required-claim flag. +
Only string claim keys are supported. +
Mutually exclusive with expression and message. +
| *`requiredValue`* __string__ | requiredValue is the value of a required claim. +
Same as --oidc-required-claim flag. +
Only string claim values are supported. +
If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string. +
Mutually exclusive with expression and message. +
| *`expression`* __string__ | expression represents the expression which will be evaluated by CEL. +
Must produce a boolean. +
CEL expressions have access to the contents of the token claims, organized into CEL variable: +
- 'claims' is a map of claim names to claim values. +
For example, a variable named 'sub' can be accessed as 'claims.sub'. +
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. +
Must return true for the validation to pass. +
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ +
Mutually exclusive with claim and requiredValue. +
| *`message`* __string__ | message customizes the returned error message when expression returns false. +
message is a literal string. +
Mutually exclusive with claim and requiredValue. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-extramapping"]
==== ExtraMapping
ExtraMapping provides the configuration for a single extra mapping.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`key`* __string__ | key is a string to use as the extra attribute key. +
key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid +
subdomain as defined by RFC 1123. All characters trailing the first "/" must +
be valid HTTP Path characters as defined by RFC 3986. +
key must be lowercase. +
Required to be unique. +
| *`valueExpression`* __string__ | valueExpression is a CEL expression to extract extra attribute value. +
valueExpression must produce a string or string array value. +
"", [], and null values are treated as the extra mapping not being present. +
Empty string values contained within a string array are filtered out. +
CEL expressions have access to the contents of the token claims, organized into CEL variable: +
- 'claims' is a map of claim names to claim values. +
For example, a variable named 'sub' can be accessed as 'claims.sub'. +
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. +
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
==== JWTAuthenticator
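Review bot: the ClaimValidationRule field docs state the mutual exclusions (claim/requiredValue versus expression/message) but never say what happens when a rule sets neither `claim` nor `expression`, or sets `message` alone; since the parent field's description says mistakes in this configuration surface as failed end-user logins, the reference docs should state whether such a rule is rejected when the JWTAuthenticator is created or only at login time. Also, "Same as --oidc-required-claim flag" refers to a kube-apiserver flag rather than to anything in this CRD; wording it as "equivalent to the Kubernetes --oidc-required-claim flag" makes clear that the semantics are borrowed.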
@@ -78,8 +151,8 @@ signature, existence of claims, etc.) and extract the username and groups from t
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]__ | Spec for configuring the authenticator. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorstatus[$$JWTAuthenticatorStatus$$]__ | Status of the authenticator. +
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]__ | spec for configuring the authenticator. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorstatus[$$JWTAuthenticatorStatus$$]__ | status of the authenticator. +
|===
@@ -100,7 +173,7 @@ signature, existence of claims, etc.) and extract the username and groups from t
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec"]
==== JWTAuthenticatorSpec
Spec for configuring a JWT authenticator.
JWTAuthenticatorSpec is the spec for configuring a JWT authenticator.
.Appears In:
****
@@ -110,19 +183,32 @@ Spec for configuring a JWT authenticator.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is +
| *`issuer`* __string__ | issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is +
also used to validate the "iss" JWT claim. +
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity +
| *`audience`* __string__ | audience is the required value of the "aud" JWT claim. +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | claims allows customization of the claims that will be mapped to user identity +
for Kubernetes access. +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. +
| *`claimValidationRules`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-claimvalidationrule[$$ClaimValidationRule$$] array__ | claimValidationRules are rules that are applied to validate token claims to authenticate users. +
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in +
https://kubernetes.io/docs/reference/access-authn-authz/authentication. +
This is an advanced configuration option. During an end-user login flow, mistakes in this +
configuration will cause the user's login to fail. +
| *`userValidationRules`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-uservalidationrule[$$UserValidationRule$$] array__ | userValidationRules are rules that are applied to final user before completing authentication. +
These allow invariants to be applied to incoming identities such as preventing the +
use of the system: prefix that is commonly used by Kubernetes components. +
The validation rules are logically ANDed together and must all return true for the validation to pass. +
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in +
https://kubernetes.io/docs/reference/access-authn-authz/authentication. +
This is an advanced configuration option. During an end-user login flow, mistakes in this +
configuration will cause the user's login to fail. +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | tls is the configuration for communicating with the OIDC provider via TLS. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorstatus"]
==== JWTAuthenticatorStatus
Status of a JWT authenticator.
JWTAuthenticatorStatus is the status of a JWT authenticator.
.Appears In:
****
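Review bot: the `userValidationRules` description says "This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration", which looks copy-pasted from the field above; the Kubernetes counterpart of this field is `userValidationRules`, so the sentence should name that. For consistency, the `claimValidationRules` description should also state how multiple rules combine, as the `userValidationRules` text does with "The validation rules are logically ANDed together and must all return true for the validation to pass."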
@@ -151,10 +237,22 @@ for Kubernetes access.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's +
| *`groups`* __string__ | groups is the name of the claim which should be read to extract the user's +
group membership from the JWT token. When not specified, it will default to "groups". +
| *`username`* __string__ | Username is the name of the claim which should be read to extract the +
| *`username`* __string__ | username is the name of the claim which should be read to extract the +
username from the JWT token. When not specified, it will default to "username". +
| *`extra`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-extramapping[$$ExtraMapping$$] array__ | extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration as documented in +
https://kubernetes.io/docs/reference/access-authn-authz/authentication. However, note that the +
Pinniped Concierge issues client certificates to users for the purpose of authenticating, and +
the Kubernetes API server does not have any mechanism for transmitting auth extras via client +
certificates. When configured, these extras will appear in client certificates issued by the +
Pinniped Supervisor in the x509 Subject field as Organizational Units (OU). However, when this +
client certificate is presented to Kubernetes for authentication, Kubernetes will ignore these +
extras. This is probably only useful if you are using a custom authenticating proxy in front +
of your Kubernetes API server which can translate these OUs into auth extras, as described by +
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy. +
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions +
must evaluate to either a string or an array of strings, or else the user's login will fail. +
|===
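Review bot: the `extra` description ends with "each of these CEL expressions must evaluate to either a string or an array of strings, or else the user's login will fail", but the ExtraMapping `valueExpression` docs say that `""`, `[]` and `null` are treated as the mapping not being present; the two texts disagree on whether a `null` result fails the login, so one of them should be corrected. The same paragraph also says the Pinniped Concierge issues the client certificates and then that the extras appear in certificates "issued by the Pinniped Supervisor"; since this is a Concierge authenticator, check which component is meant and use it consistently.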
@@ -178,6 +276,33 @@ Any changes to the CA bundle in the secret or configmap will be dynamically relo
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-uservalidationrule"]
==== UserValidationRule
UserValidationRule provides the configuration for a single user info validation rule.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`expression`* __string__ | expression represents the expression which will be evaluated by CEL. +
Must return true for the validation to pass. +
CEL expressions have access to the contents of UserInfo, organized into CEL variable: +
- 'user' - authentication.k8s.io/v1, Kind=UserInfo object +
Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition. +
API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io +
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ +
| *`message`* __string__ | message customizes the returned error message when rule returns false. +
message is a literal string. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
==== WebhookAuthenticator
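Review bot: the UserValidationRule `expression` docs point at `release-1.28` types.go and the `v1.28` API reference, while this generated page is the `1-29` API documentation (see the section id above); pin both links to the same Kubernetes release as the rest of the docs. Minor wording point: `message` here says "when rule returns false" whereas ClaimValidationRule says "when expression returns false"; use one phrasing in both.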

View File

@@ -18,7 +18,7 @@ const (
JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)
// Status of a JWT authenticator.
// JWTAuthenticatorStatus is the status of a JWT authenticator.
type JWTAuthenticatorStatus struct {
// Represents the observations of the authenticator's current state.
// +patchMergeKey=type
@@ -26,46 +26,168 @@ type JWTAuthenticatorStatus struct {
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Phase summarizes the overall status of the JWTAuthenticator.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}
// Spec for configuring a JWT authenticator.
// JWTAuthenticatorSpec is the spec for configuring a JWT authenticator.
type JWTAuthenticatorSpec struct {
// Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
// issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
// also used to validate the "iss" JWT claim.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Issuer string `json:"issuer"`
// Audience is the required value of the "aud" JWT claim.
// audience is the required value of the "aud" JWT claim.
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// Claims allows customization of the claims that will be mapped to user identity
// claims allows customization of the claims that will be mapped to user identity
// for Kubernetes access.
// +optional
Claims JWTTokenClaims `json:"claims"`
// TLS configuration for communicating with the OIDC provider.
// claimValidationRules are rules that are applied to validate token claims to authenticate users.
// This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
// https://kubernetes.io/docs/reference/access-authn-authz/authentication.
// This is an advanced configuration option. During an end-user login flow, mistakes in this
// configuration will cause the user's login to fail.
// +optional
ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"`
// userValidationRules are rules that are applied to final user before completing authentication.
// These allow invariants to be applied to incoming identities such as preventing the
// use of the system: prefix that is commonly used by Kubernetes components.
// The validation rules are logically ANDed together and must all return true for the validation to pass.
// This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
// https://kubernetes.io/docs/reference/access-authn-authz/authentication.
// This is an advanced configuration option. During an end-user login flow, mistakes in this
// configuration will cause the user's login to fail.
// +optional
UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`
// tls is the configuration for communicating with the OIDC provider via TLS.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// ClaimValidationRule provides the configuration for a single claim validation rule.
type ClaimValidationRule struct {
// claim is the name of a required claim.
// Same as --oidc-required-claim flag.
// Only string claim keys are supported.
// Mutually exclusive with expression and message.
// +optional
Claim string `json:"claim,omitempty"`
// requiredValue is the value of a required claim.
// Same as --oidc-required-claim flag.
// Only string claim values are supported.
// If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
// Mutually exclusive with expression and message.
// +optional
RequiredValue string `json:"requiredValue,omitempty"`
// expression represents the expression which will be evaluated by CEL.
// Must produce a boolean.
//
// CEL expressions have access to the contents of the token claims, organized into CEL variable:
// - 'claims' is a map of claim names to claim values.
// For example, a variable named 'sub' can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
// Must return true for the validation to pass.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// Mutually exclusive with claim and requiredValue.
// +optional
Expression string `json:"expression,omitempty"`
// message customizes the returned error message when expression returns false.
// message is a literal string.
// Mutually exclusive with claim and requiredValue.
// +optional
Message string `json:"message,omitempty"`
}
// UserValidationRule provides the configuration for a single user info validation rule.
type UserValidationRule struct {
// expression represents the expression which will be evaluated by CEL.
// Must return true for the validation to pass.
//
// CEL expressions have access to the contents of UserInfo, organized into CEL variable:
// - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
// Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
// API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// +required
Expression string `json:"expression"`
// message customizes the returned error message when rule returns false.
// message is a literal string.
// +optional
Message string `json:"message,omitempty"`
}
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
// for Kubernetes access.
type JWTTokenClaims struct {
// Groups is the name of the claim which should be read to extract the user's
// groups is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
Groups string `json:"groups"`
// Username is the name of the claim which should be read to extract the
// username is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
Username string `json:"username"`
// extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration as documented in
// https://kubernetes.io/docs/reference/access-authn-authz/authentication. However, note that the
// Pinniped Concierge issues client certificates to users for the purpose of authenticating, and
// the Kubernetes API server does not have any mechanism for transmitting auth extras via client
// certificates. When configured, these extras will appear in client certificates issued by the
// Pinniped Supervisor in the x509 Subject field as Organizational Units (OU). However, when this
// client certificate is presented to Kubernetes for authentication, Kubernetes will ignore these
// extras. This is probably only useful if you are using a custom authenticating proxy in front
// of your Kubernetes API server which can translate these OUs into auth extras, as described by
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy.
// This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
// must evaluate to either a string or an array of strings, or else the user's login will fail.
// +optional
Extra []ExtraMapping `json:"extra,omitempty"`
}
// ExtraMapping provides the configuration for a single extra mapping.
type ExtraMapping struct {
// key is a string to use as the extra attribute key.
// key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
// subdomain as defined by RFC 1123. All characters trailing the first "/" must
// be valid HTTP Path characters as defined by RFC 3986.
// key must be lowercase.
// Required to be unique.
// +required
Key string `json:"key"`
// valueExpression is a CEL expression to extract extra attribute value.
// valueExpression must produce a string or string array value.
// "", [], and null values are treated as the extra mapping not being present.
// Empty string values contained within a string array are filtered out.
//
// CEL expressions have access to the contents of the token claims, organized into CEL variable:
// - 'claims' is a map of claim names to claim values.
// For example, a variable named 'sub' can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// +required
ValueExpression string `json:"valueExpression"`
}
// JWTAuthenticator describes the configuration of a JWT authenticator.
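Review bot: the ClaimValidationRule struct documents that `claim`/`requiredValue` are mutually exclusive with `expression`/`message`, but no kubebuilder marker enforces it, so a rule that sets both, or neither, passes CRD admission and only fails later during a login; consider `+kubebuilder:validation:XValidation` rules on the struct (for example one requiring exactly one of `has(self.claim)` and `has(self.expression)`) so the mistake is rejected on create. Along the same lines, `UserValidationRule.Expression`, `ExtraMapping.Key` and `ExtraMapping.ValueExpression` are `+required` but carry no `+kubebuilder:validation:MinLength=1`, unlike `Issuer` and `Audience`, so an empty string is accepted by the schema.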
@@ -86,14 +208,14 @@ type JWTAuthenticator struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the authenticator.
// spec for configuring the authenticator.
Spec JWTAuthenticatorSpec `json:"spec"`
// Status of the authenticator.
// status of the authenticator.
Status JWTAuthenticatorStatus `json:"status,omitempty"`
}
// List of JWTAuthenticator objects.
// JWTAuthenticatorList is a list of JWTAuthenticator objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type JWTAuthenticatorList struct {
metav1.TypeMeta `json:",inline"`

View File

@@ -29,6 +29,38 @@ func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDa
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClaimValidationRule) DeepCopyInto(out *ClaimValidationRule) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimValidationRule.
func (in *ClaimValidationRule) DeepCopy() *ClaimValidationRule {
if in == nil {
return nil
}
out := new(ClaimValidationRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping.
func (in *ExtraMapping) DeepCopy() *ExtraMapping {
if in == nil {
return nil
}
out := new(ExtraMapping)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -93,7 +125,17 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
*out = *in
out.Claims = in.Claims
in.Claims.DeepCopyInto(&out.Claims)
if in.ClaimValidationRules != nil {
in, out := &in.ClaimValidationRules, &out.ClaimValidationRules
*out = make([]ClaimValidationRule, len(*in))
copy(*out, *in)
}
if in.UserValidationRules != nil {
in, out := &in.UserValidationRules, &out.UserValidationRules
*out = make([]UserValidationRule, len(*in))
copy(*out, *in)
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
@@ -138,6 +180,11 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
*out = *in
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make([]ExtraMapping, len(*in))
copy(*out, *in)
}
return
}
@@ -172,6 +219,22 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *UserValidationRule) DeepCopyInto(out *UserValidationRule) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserValidationRule.
func (in *UserValidationRule) DeepCopy() *UserValidationRule {
if in == nil {
return nil
}
out := new(UserValidationRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
*out = *in

View File

@@ -58,37 +58,133 @@ spec:
metadata:
type: object
spec:
description: Spec for configuring the authenticator.
description: spec for configuring the authenticator.
properties:
audience:
description: Audience is the required value of the "aud" JWT claim.
description: audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
claimValidationRules:
description: |-
claimValidationRules are rules that are applied to validate token claims to authenticate users.
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, mistakes in this
configuration will cause the user's login to fail.
items:
description: ClaimValidationRule provides the configuration for
a single claim validation rule.
properties:
claim:
description: |-
claim is the name of a required claim.
Same as --oidc-required-claim flag.
Only string claim keys are supported.
Mutually exclusive with expression and message.
type: string
expression:
description: |-
expression represents the expression which will be evaluated by CEL.
Must produce a boolean.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Must return true for the validation to pass.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with claim and requiredValue.
type: string
message:
description: |-
message customizes the returned error message when expression returns false.
message is a literal string.
Mutually exclusive with claim and requiredValue.
type: string
requiredValue:
description: |-
requiredValue is the value of a required claim.
Same as --oidc-required-claim flag.
Only string claim values are supported.
If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
Mutually exclusive with expression and message.
type: string
type: object
type: array
claims:
description: |-
Claims allows customization of the claims that will be mapped to user identity
claims allows customization of the claims that will be mapped to user identity
for Kubernetes access.
properties:
extra:
description: |-
extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication. However, note that the
Pinniped Concierge issues client certificates to users for the purpose of authenticating, and
the Kubernetes API server does not have any mechanism for transmitting auth extras via client
certificates. When configured, these extras will appear in client certificates issued by the
Pinniped Supervisor in the x509 Subject field as Organizational Units (OU). However, when this
client certificate is presented to Kubernetes for authentication, Kubernetes will ignore these
extras. This is probably only useful if you are using a custom authenticating proxy in front
of your Kubernetes API server which can translate these OUs into auth extras, as described by
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to either a string or an array of strings, or else the user's login will fail.
items:
description: ExtraMapping provides the configuration for a single
extra mapping.
properties:
key:
description: |-
key is a string to use as the extra attribute key.
key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
subdomain as defined by RFC 1123. All characters trailing the first "/" must
be valid HTTP Path characters as defined by RFC 3986.
key must be lowercase.
Required to be unique.
type: string
valueExpression:
description: |-
valueExpression is a CEL expression to extract extra attribute value.
valueExpression must produce a string or string array value.
"", [], and null values are treated as the extra mapping not being present.
Empty string values contained within a string array are filtered out.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
type: string
required:
- key
- valueExpression
type: object
type: array
groups:
description: |-
Groups is the name of the claim which should be read to extract the user's
groups is the name of the claim which should be read to extract the user's
group membership from the JWT token. When not specified, it will default to "groups".
type: string
username:
description: |-
Username is the name of the claim which should be read to extract the
username is the name of the claim which should be read to extract the
username from the JWT token. When not specified, it will default to "username".
type: string
type: object
issuer:
description: |-
Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
also used to validate the "iss" JWT claim.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration for communicating with the OIDC provider.
description: tls is the configuration for communicating with the OIDC
provider via TLS.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
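Review bot: the `extra` array's `key` is documented as "Required to be unique" and "must be lowercase" with a domain-prefix path format, but the generated schema has plain `type: array` with no `x-kubernetes-list-type: map` / `x-kubernetes-list-map-keys: [key]` and no `pattern` on `key`, so duplicate or malformed keys are accepted at admission. Since this file is generated, the fix is `+listType=map` / `+listMapKey=key` on `JWTTokenClaims.Extra` and a `+kubebuilder:validation:Pattern` on `ExtraMapping.Key` in types.go.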
@@ -128,12 +224,47 @@ spec:
- name
type: object
type: object
userValidationRules:
description: |-
userValidationRules are rules that are applied to final user before completing authentication.
These allow invariants to be applied to incoming identities such as preventing the
use of the system: prefix that is commonly used by Kubernetes components.
The validation rules are logically ANDed together and must all return true for the validation to pass.
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, mistakes in this
configuration will cause the user's login to fail.
items:
description: UserValidationRule provides the configuration for a
single user info validation rule.
properties:
expression:
description: |-
expression represents the expression which will be evaluated by CEL.
Must return true for the validation to pass.
CEL expressions have access to the contents of UserInfo, organized into CEL variable:
- 'user' - authentication.k8s.io/v1, Kind=UserInfo object
Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
type: string
message:
description: |-
message customizes the returned error message when rule returns false.
message is a literal string.
type: string
required:
- expression
type: object
type: array
required:
- audience
- issuer
type: object
status:
description: Status of the authenticator.
description: status of the authenticator.
properties:
conditions:
description: Represents the observations of the authenticator's current
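Review bot: `userValidationRules[].expression` is listed under `required` but has no `minLength: 1`, while `issuer` and `audience` in the same schema do; an empty expression string therefore passes validation and only fails at login. Adding the MinLength marker on `UserValidationRule.Expression` in types.go will regenerate this schema with the check.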