Skip to content

Commit

Permalink
Remove the deprecated k8s_sat node attestor plugin
Browse files Browse the repository at this point in the history
Signed-off-by: Amit Upadhyay <[email protected]>
  • Loading branch information
c0d3-k1ra committed Dec 15, 2024
1 parent 65d6f00 commit de327d5
Show file tree
Hide file tree
Showing 16 changed files with 0 additions and 1,628 deletions.
14 changes: 0 additions & 14 deletions conf/agent/agent_full.conf
Original file line number Diff line number Diff line change
Expand Up @@ -204,20 +204,6 @@ plugins {
}
}

# NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
# using a Kubernetes Service Account token.
NodeAttestor "k8s_sat" {
plugin_data {
# cluster: Name of the cluster. It must correspond to a cluster
# configured in the server plugin.
# cluster = ""

# token_path: Path to the service account token on disk.
# Default: /var/run/secrets/kubernetes.io/serviceaccount/token.
# token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
}
}

# NodeAttestor "sshpop": A node attestor which attests agent identity
# using an existing ssh certificate.
NodeAttestor "sshpop" {
Expand Down
41 changes: 0 additions & 41 deletions conf/server/server_full.conf
Original file line number Diff line number Diff line change
Expand Up @@ -533,47 +533,6 @@ plugins {
# }
# }

# NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
# using a Kubernetes Service Account token.
# NodeAttestor "k8s_sat" {
# plugin_data {
# # clusters: A map of clusters, keyed by an arbitrary ID, that are
# # authorized for attestation.
# # clusters = {
# # "<arbitrary ID>" = {
# # service_account_allow_list: A list of service account names,
# # qualified by namespace (for example, "default:blog" or
# # "production:web") to allow for node attestation. Attestation
# # will be rejected for tokens bound to service accounts that
# # aren't in the allow list.
# # service_account_allow_list = []

# # use_token_review_api_validation: Specifies how the service
# # account token is validated. If false, validation is done
# # locally using the provided key. If true, validation is done
# # using token review API. Default: false.
# # use_token_review_api_validation = false

# # service_account_key_file: It is only used if
# # use_token_review_api_validation is set to false. Path on disk
# # to a PEM encoded file containing public keys used in
# # validating tokens for that cluster. RSA and ECDSA keys are
# # supported. For RSA, X509 certificates, PKCS1, and PKIX encoded
# # public keys are accepted. For ECDSA, X509 certificates, and
# # PKIX encoded public keys are accepted.
# # service_account_key_file = ""

# # kube_config_file: It is only used if
# # use_token_review_api_validation is set to true. Path to a k8s
# # configuration file for API Server authentication. A kubernetes
# # configuration file must be specified if SPIRE server runs
# # outside of the k8s cluster. If empty, SPIRE server is assumed
# # to be running inside the cluster and in-cluster configuration
# # is used. Default: "".
# # kube_config_file = ""
# }
# }

# NodeAttestor "sshpop": A node attestor which attests agent identity
# using an existing ssh certificate.
# NodeAttestor "sshpop" {
Expand Down
50 changes: 0 additions & 50 deletions doc/plugin_agent_nodeattestor_k8s_sat.md

This file was deleted.

105 changes: 0 additions & 105 deletions doc/plugin_server_nodeattestor_k8s_sat.md

This file was deleted.

1 change: 0 additions & 1 deletion doc/spire_agent.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ This document is a configuration reference for SPIRE Agent. It includes informat
| NodeAttestor | [azure_msi](/doc/plugin_agent_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_agent_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_agent_nodeattestor_jointoken.md) | A node attestor which uses a server-generated join token |
| NodeAttestor | [k8s_sat](/doc/plugin_agent_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_agent_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_agent_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [x509pop](/doc/plugin_agent_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
Expand Down
1 change: 0 additions & 1 deletion doc/spire_server.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ This document is a configuration reference for SPIRE Server. It includes informa
| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
Expand Down
2 changes: 0 additions & 2 deletions pkg/agent/catalog/nodeattestor.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ import (
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/httpchallenge"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/jointoken"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8spsat"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8ssat"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/sshpop"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/tpmdevid"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/x509pop"
Expand Down Expand Up @@ -41,7 +40,6 @@ func (repo *nodeAttestorRepository) BuiltIns() []catalog.BuiltIn {
httpchallenge.BuiltIn(),
jointoken.BuiltIn(),
k8spsat.BuiltIn(),
k8ssat.BuiltIn(),
sshpop.BuiltIn(),
tpmdevid.BuiltIn(),
x509pop.BuiltIn(),
Expand Down
Loading

0 comments on commit de327d5

Please sign in to comment.