Conversation

jaireddjawed

We no longer plan to require audiences in the kubernetes auth plugin. It was later discovered that doing so could break some valid configurations of our customers (more details here).

Instead, we plan to simply recommend that customers specify an audience if it does not break their workflow. We log a warning in Vault when an audience is not configured so that customers will be aware.

@jaireddjawed jaireddjawed self-assigned this Oct 5, 2025
@jaireddjawed jaireddjawed requested review from a team as code owners October 5, 2025 01:44
@jaireddjawed jaireddjawed changed the base branch from main to vault/1.21.x October 5, 2025 01:45
@github-actions github-actions bot added labels Oct 5, 2025: Vault (Content update for Vault product docs), Vault IC (Higher priority Vault content PR. Update relates to an important changes announcement.)
github-actions bot commented Oct 5, 2025

Deploying Vercel Previews...

@LeahMarieBush LeahMarieBush left a comment

Can you remove the .idea files? They are user specific and should not be pushed up to the repo

@jaireddjawed jaireddjawed requested a review from yhyakuna October 6, 2025 16:38
schavis commented Oct 6, 2025

@jaireddjawed If we're updating the current docs, the PR should merge to main instead of the release branch :)

@jaireddjawed (author) replied:

> @jaireddjawed If we're updating the current docs, the PR should merge to main instead of the release branch :)

Sounds good. I'll open another PR.

Comment on lines +195 to +200
We recommend configuring an audience value for Kubernetes authentication roles when possible.
This enables Vault to validate that the aud (audience) claim in JWT tokens is explicitly intended for Vault,
reducing the risk of token misuse by other services. While not required, setting an audience is considered a security
best practice and is encouraged when it doesn't interfere with your workflow. For example, tokens created using
kubernetes.io/service-account-token do not include an aud claim, so it's appropriate to omit the audience field in this case.
Here's an example configuration.
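Review bot: the paragraph closes with "Here's an example configuration." but the commented range (lines +195 to +200) contains no example, so either the role configuration example should follow immediately or that sentence should be dropped. Two smaller points on the same lines: `aud` and `kubernetes.io/service-account-token` should be in code font, matching how the rest of the file formats identifiers, and since the PR description says Vault logs a warning when a role has no audience configured, it would help operators to say so here, so that the warning is not mistaken for a misconfiguration when the audience is omitted deliberately.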

Suggested change
We recommend configuring an audience value for Kubernetes authentication roles when possible.
This enables Vault to validate that the aud (audience) claim in JWT tokens is explicitly intended for Vault,
reducing the risk of token misuse by other services. While not required, setting an audience is considered a security
best practice and is encouraged when it doesn't interfere with your workflow. For example, tokens created using
kubernetes.io/service-account-token do not include an aud claim, so it's appropriate to omit the audience field in this case.
Here's an example configuration.
There are cases where configuring audience details can interfere with your
workflow. For example, tokens created using `kubernetes.io/service-account-token`
do not include an aud claim. But we recommend configuring an audience value for
Kubernetes authentication roles whenever possible. Setting explicit audience
details is best practice because it reduces the risk of token misuse by other
services. Vault can use the configured values to validate that the `aud`
(audience) claim in JWT tokens is intended for Vault.
For example:

Style correction: avoid "this" as a pronoun, avoid possessives
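
The docs text under review describes the behaviour but does not show it. The following is an added illustration, not Vault's own code or the docs example the paragraph refers to: it models how audience validation of a Kubernetes service account JWT changes depending on whether the Vault role has an `audience` value configured (on a real role this is the `audience` parameter passed to `vault write auth/kubernetes/role/<name>`). The three tokens are constructed samples with an unsigned placeholder signature; the claim shapes follow Kubernetes conventions (secret-based `kubernetes.io/service-account-token` tokens carry no `aud`, projected tokens carry the `aud` they were minted for), the audience string `vault` and the warning text are assumptions, and signature and issuer verification, which Vault performs before any claim checks, are out of scope.

```python
"""Audience validation of Kubernetes SA tokens, with and without a configured audience.

Added illustration only; not Vault's implementation. Sample tokens are constructed.
"""
import base64
import json
import logging
from typing import Optional

log = logging.getLogger("k8s-auth-audience-example")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature (sample data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment; padding is restored before base64url decoding."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(token: str, configured_audience: Optional[str]) -> bool:
    """Return True if the token passes the role's audience check.

    configured_audience set  -> token must carry an `aud` that includes it.
    configured_audience None -> any token passes this check, but a warning is
                                logged, mirroring the behaviour the PR describes.
    """
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, str):          # RFC 7519 allows a single string or a list
        aud = [aud]
    if configured_audience is None:
        log.warning("role has no audience configured; accepting token with aud=%s", aud)
        return True
    if not aud:                       # legacy secret-based token: no aud claim at all
        return False
    return configured_audience in aud


# Constructed sample tokens (claims only; not output from a real cluster).
LEGACY_TOKEN = make_unsigned_jwt({      # kubernetes.io/service-account-token secret
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "webapp",
    "sub": "system:serviceaccount:default:webapp",
})
PROJECTED_FOR_VAULT = make_unsigned_jwt({   # projected token minted for audience "vault"
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["vault"],
    "sub": "system:serviceaccount:default:webapp",
    "exp": 1924992000,
})
PROJECTED_FOR_OTHER = make_unsigned_jwt({   # projected token minted for another consumer
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:default:webapp",
    "exp": 1924992000,
})


def demo() -> dict:
    """Outcome matrix: token kind / role audience -> accepted by the audience check?"""
    return {
        "legacy/no-audience": check_audience(LEGACY_TOKEN, None),
        "legacy/audience=vault": check_audience(LEGACY_TOKEN, "vault"),
        "projected-vault/audience=vault": check_audience(PROJECTED_FOR_VAULT, "vault"),
        "projected-other/audience=vault": check_audience(PROJECTED_FOR_OTHER, "vault"),
        "projected-other/no-audience": check_audience(PROJECTED_FOR_OTHER, None),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for case, accepted in demo().items():
        print(f"{case:35s} -> {'accept' if accepted else 'reject'}")
```

The last row of the matrix is the risk the paragraph is pointing at: with no audience on the role, a projected token that was minted for a different consumer is accepted as far as the audience check goes, so a token leaked from one workload can be replayed against Vault. The second row is the workflow that made a hard requirement untenable: a legacy secret-based token can never satisfy a configured audience, so roles serving those workloads must leave `audience` unset and live with the warning.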

@jaireddjawed jaireddjawed deleted the jaireddjawed/remove-k8s-audience-requirement branch October 6, 2025 17:43
@jaireddjawed

Opened a new PR here.

4 participants