From ce9af5c20f20848010ae0a72f6fcc6b57294ed9c Mon Sep 17 00:00:00 2001
From: max furman
Date: Mon, 31 Aug 2020 20:56:00 -0700
Subject: [PATCH] Standardize k8ssa check on issuer name
---
 authority/provisioner/collection.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go
index 16716698..13b7be4d 100644
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@@ -37,9 +37,8 @@ func (p provisionerSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
 // provisioner.
 type loadByTokenPayload struct {
 jose.Claims
- AuthorizedParty string `json:"azp"` // OIDC client id
- TenantID string `json:"tid"` // Microsoft Azure tenant id
- ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"` // Kubernetes Service Acct Name
+ AuthorizedParty string `json:"azp"` // OIDC client id
+ TenantID string `json:"tid"` // Microsoft Azure tenant id
 }
 
 // Collection is a memory map of provisioners.
@@ -94,7 +93,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 }
 
 // Kubernetes Service Account tokens.
- if len(payload.ServiceAccountName) > 0 {
+ if payload.Issuer == k8sSAIssuer {
 if p, ok := c.Load(K8sSAID); ok {
 return p, ok
 }
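Review bot: In the second hunk (LoadByToken), a token whose `iss` equals `k8sSAIssuer` is not rejected when `c.Load(K8sSAID)` fails, as far as the hunk shows. The inner `if` returns only on success, and the lines after its closing brace are outside the hunk. If the outer block simply closes there, such a token continues to whatever matching follows in the function. Ending the branch with `return nil, false` after the inner `if` would make a missing K8sSA provisioner a hard miss. The issuer comes from the token itself and this lookup presumably runs before signature verification (the decoding of `payload` is not visible here), so a comment such as `// iss is unverified here; it only selects the provisioner, which must still validate the token` would record that the comparison is routing, not authentication.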