Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the deprecated k8s_sat node attestor plugin #5703

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 0 additions & 14 deletions conf/agent/agent_full.conf
Original file line number Diff line number Diff line change
Expand Up @@ -204,20 +204,6 @@ plugins {
}
}

# NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
# using a Kubernetes Service Account token.
NodeAttestor "k8s_sat" {
plugin_data {
# cluster: Name of the cluster. It must correspond to a cluster
# configured in the server plugin.
# cluster = ""

# token_path: Path to the service account token on disk.
# Default: /var/run/secrets/kubernetes.io/serviceaccount/token.
# token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
}
}

# NodeAttestor "sshpop": A node attestor which attests agent identity
# using an existing ssh certificate.
NodeAttestor "sshpop" {
Expand Down
41 changes: 0 additions & 41 deletions conf/server/server_full.conf
Original file line number Diff line number Diff line change
Expand Up @@ -533,47 +533,6 @@ plugins {
# }
# }

# NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
# using a Kubernetes Service Account token.
# NodeAttestor "k8s_sat" {
# plugin_data {
# # clusters: A map of clusters, keyed by an arbitrary ID, that are
# # authorized for attestation.
# # clusters = {
# # "<arbitrary ID>" = {
# # service_account_allow_list: A list of service account names,
# # qualified by namespace (for example, "default:blog" or
# # "production:web") to allow for node attestation. Attestation
# # will be rejected for tokens bound to service accounts that
# # aren't in the allow list.
# # service_account_allow_list = []

# # use_token_review_api_validation: Specifies how the service
# # account token is validated. If false, validation is done
# # locally using the provided key. If true, validation is done
# # using token review API. Default: false.
# # use_token_review_api_validation = false

# # service_account_key_file: It is only used if
# # use_token_review_api_validation is set to false. Path on disk
# # to a PEM encoded file containing public keys used in
# # validating tokens for that cluster. RSA and ECDSA keys are
# # supported. For RSA, X509 certificates, PKCS1, and PKIX encoded
# # public keys are accepted. For ECDSA, X509 certificates, and
# # PKIX encoded public keys are accepted.
# # service_account_key_file = ""

# # kube_config_file: It is only used if
# # use_token_review_api_validation is set to true. Path to a k8s
# # configuration file for API Server authentication. A kubernetes
# # configuration file must be specified if SPIRE server runs
# # outside of the k8s cluster. If empty, SPIRE server is assumed
# # to be running inside the cluster and in-cluster configuration
# # is used. Default: "".
# # kube_config_file = ""
# }
# }

# NodeAttestor "sshpop": A node attestor which attests agent identity
# using an existing ssh certificate.
# NodeAttestor "sshpop" {
Expand Down
50 changes: 0 additions & 50 deletions doc/plugin_agent_nodeattestor_k8s_sat.md

This file was deleted.

105 changes: 0 additions & 105 deletions doc/plugin_server_nodeattestor_k8s_sat.md

This file was deleted.

1 change: 0 additions & 1 deletion doc/spire_agent.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ This document is a configuration reference for SPIRE Agent. It includes informat
| NodeAttestor | [azure_msi](/doc/plugin_agent_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_agent_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_agent_nodeattestor_jointoken.md) | A node attestor which uses a server-generated join token |
| NodeAttestor | [k8s_sat](/doc/plugin_agent_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_agent_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_agent_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [x509pop](/doc/plugin_agent_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
Expand Down
1 change: 0 additions & 1 deletion doc/spire_server.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ This document is a configuration reference for SPIRE Server. It includes informa
| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
Expand Down
2 changes: 0 additions & 2 deletions pkg/agent/catalog/nodeattestor.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ import (
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/httpchallenge"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/jointoken"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8spsat"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8ssat"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/sshpop"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/tpmdevid"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/x509pop"
Expand Down Expand Up @@ -41,7 +40,6 @@ func (repo *nodeAttestorRepository) BuiltIns() []catalog.BuiltIn {
httpchallenge.BuiltIn(),
jointoken.BuiltIn(),
k8spsat.BuiltIn(),
k8ssat.BuiltIn(),
sshpop.BuiltIn(),
tpmdevid.BuiltIn(),
x509pop.BuiltIn(),
Expand Down
Loading