{"id":19391092,"url":"https://github.com/spiffe/k8s-spiffe-workload-jwt-exec-auth","last_synced_at":"2026-05-18T14:11:52.633Z","repository":{"id":254325459,"uuid":"846183301","full_name":"spiffe/k8s-spiffe-workload-jwt-exec-auth","owner":"spiffe","description":"A Kubernetes exec auth plugin using the spiffe workload api to get jwts for auth","archived":false,"fork":false,"pushed_at":"2024-10-12T19:12:08.000Z","size":21,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-10-21T05:08:36.742Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spiffe.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-22T17:32:21.000Z","updated_at":"2024-10-12T19:12:11.000Z","dependencies_parsed_at":"2024-08-22T20:18:34.277Z","dependency_job_id":"5555fdb3-a1e4-4415-bbae-e5318a98e86d","html_url":"https://github.com/spiffe/k8s-spiffe-workload-jwt-exec-auth","commit_stats":null,"previous_names":["spiffe/k8s-spiffe-workload-jwt-exec-auth"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fk8s-spiffe-workload-jwt-exec-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fk8s-spiffe-workload-jwt-exec-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fk8s-spiffe-workload-jwt-exec-auth/releases","manifests_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fk8s-spiffe-workload-jwt-exec-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spiffe","download_url":"https://codeload.github.com/spiffe/k8s-spiffe-workload-jwt-exec-auth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240557489,"owners_count":19820359,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T10:24:39.993Z","updated_at":"2026-05-18T14:11:47.598Z","avatar_url":"https://github.com/spiffe.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# k8s-spiffe-workload-jwt-exec-auth\n\n[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts)](https://opensource.org/licenses/Apache-2.0)\n[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)\n\nA Kubernetes exec auth plugin using the SPIFFE Workload API to get JWTs for auth.\n\n## Building\n\n```\ngo build .\n```\n\n## Usage\n\n### Setup the Kubernetes cluster auth\n\nWe recommend using the Structured Authentication mechanism, as documented here: https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/\n\nAs an example:\n```yaml\napiVersion: apiserver.config.k8s.io/v1beta1\nkind: AuthenticationConfiguration\njwt:\n- issuer:\n    # Update to point at your spiffe-oidc-discovery-provider\n    url: https://oidc-discovery.example.org\n    audiences:\n    - k8s\n  claimMappings:\n    
username:\n      claim: \"sub\"\n      prefix: \"\"\n```\n\n### User kubeconfig file\n\nStart with a copy of your Kubernetes cluster's /etc/kubernetes/admin.conf file.\n\nRemove the \"user\" block from the \"users\" section and replace it with:\n```yaml\n  user:\n    exec:\n      apiVersion: \"client.authentication.k8s.io/v1\"\n      command: \"k8s-spiffe-workload-jwt-exec-auth\"\n      interactiveMode: Never\n      # To customize, uncomment and change the settings below\n      #env:\n      #  - name: SPIFFE_ENDPOINT_SOCKET\n      #    value: \"unix:///var/run/spire/agent/sockets/main/public/api.sock\"\n      #  - name: SPIFFE_JWT_AUDIENCE\n      #    value: \"k8s-one\"\n```\n\n### Kubelet kubeconfig file\n\nModify `/etc/kubernetes/kubelet.conf`, and remove `client-certificate` and `client-key` settings. Then add the following exec block to user:\n\n```yaml\n  user:\n    exec:\n      apiVersion: \"client.authentication.k8s.io/v1\"\n      command: \"k8s-spiffe-workload-jwt-exec-auth\"\n      interactiveMode: Never\n      # To customize, uncomment and change the settings below\n      #env:\n      #  - name: SPIFFE_ENDPOINT_SOCKET\n      #    value: \"unix:///var/run/spire/agent/sockets/main/public/api.sock\"\n      #  - name: SPIFFE_JWT_AUDIENCE\n      #    value: \"k8s-one\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspiffe%2Fk8s-spiffe-workload-jwt-exec-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspiffe%2Fk8s-spiffe-workload-jwt-exec-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspiffe%2Fk8s-spiffe-workload-jwt-exec-auth/lists"}