The Kubernetes Service Account Trust Provider supports attestation of Client Workload and Agent Controller identities in a Kubernetes environment, whether self-hosted or managed by a cloud provider (AWS EKS, Azure AKS, GCP GKE).
Match rules

The following match rules are available for this Trust Provider type:
- iss
- kubernetes.io { namespace }
- kubernetes.io { pod { name } }
- kubernetes.io { serviceaccount { name } }
- sub
| Data | Description | Example |
|---|---|---|
| iss | Kubernetes Cluster Issuer URL | https://kubernetes.default.svc.cluster.local |
| kubernetes.io { namespace } | Pod namespace | default |
| kubernetes.io { pod { name } } | Pod name | example-app |
| kubernetes.io { serviceaccount { name } } | Service Account name | default |
| sub | Service Account token subject | system:serviceaccount:default:default |
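As an added example (not part of Aembit's documentation or product code), the Python below decodes the claims of a constructed service account token, evaluates each match rule listed above against them, and checks that `sub` agrees with the namespace and Service Account name claims. It deliberately does not verify the signature; in practice that step uses the cluster public key retrieved from the OIDC endpoint, and all values and function names here are assumptions.

```python
import base64
import json
# Constructed claims of a projected Kubernetes service account token (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:example-sa",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "example-app"},
        "serviceaccount": {"name": "example-sa"},
    },
}
# Each match rule named on the page, mapped to the claim path it reads.
RULE_PATHS = {
    "iss": ("iss",),
    "sub": ("sub",),
    "kubernetes.io { namespace }": ("kubernetes.io", "namespace"),
    "kubernetes.io { pod { name } }": ("kubernetes.io", "pod", "name"),
    "kubernetes.io { serviceaccount { name } }": ("kubernetes.io", "serviceaccount", "name"),
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Assemble header.payload.signature with a dummy signature (offline testing only)."""
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'dummy')}"

def decode_claims(token: str) -> dict:
    """Decode the payload only; signature checks against the cluster public key are out of scope."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def claim_value(claims, path):
    for key in path:
        if not isinstance(claims, dict) or key not in claims:
            return None  # an absent claim never matches
        claims = claims[key]
    return claims

def evaluate(token: str, rules: dict) -> dict:
    """Return {rule: matched} plus a check that sub agrees with the namespace and SA claims."""
    claims = decode_claims(token)
    result = {name: claim_value(claims, RULE_PATHS[name]) == want for name, want in rules.items()}
    ns = claim_value(claims, RULE_PATHS["kubernetes.io { namespace }"])
    sa = claim_value(claims, RULE_PATHS["kubernetes.io { serviceaccount { name } }"])
    result["sub_consistent"] = claims.get("sub") == f"system:serviceaccount:{ns}:{sa}"
    return result
```

A token whose `sub` disagrees with its `kubernetes.io` claims fails the consistency check even when every individual rule matches, which is a useful sanity check when authoring rules.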
Additional configurations

Aembit requires the Kubernetes cluster public key to validate the Service Account token presented through this Trust Provider.
Most cloud providers expose an OIDC endpoint from which the Kubernetes cluster public key can be retrieved automatically.
AWS EKS

- Ensure your AWS CLI is installed, configured, and authenticated.
- Execute the following command:
  aws eks describe-cluster --name <cluster_name> --query "cluster.identity.oidc.issuer" --output text
- Paste the response in the OIDC Endpoint field.
GCP GKE

- Ensure your GCP CLI is installed, configured, and authenticated.
- Execute the following command:
  gcloud container clusters describe <cluster_name> --region=<cluster_region> --format="value(selfLink)"
- Paste the response in the OIDC Endpoint field.
Azure AKS

- Ensure your Azure CLI is installed, configured, and authenticated.
- Execute the following command:
  az aks show --resource-group <resource_group_name> --name <cluster_name> --query "oidcIssuerProfile.issuerUrl" -o tsv
- Paste the response in the OIDC Endpoint field.