Authentication using Kubernetes JWT tokens

[sebypp]

Hello everyone,

Hopefully someone can provide a creative solution for the (rather simple, I'd say) problem that I'm facing.

Context

I'm currently building a cluster that uses OAuth authentication based on Kubernetes generated JWT tokens. The idea is to allow Kafka clients to use their pod's JWT token to authenticate to Kafka.

Using default settings for the OAuth listener the Kafka Principal username gets translated to the value of the sub claim, which typically looks like this system:serviceaccount:kafka-test:default.

For authorization I'm using the KafkaUser CRD.

Problem statement

Given that the Kafka Principal username extracted from the JWT token is an invalid Kubernetes resources name (e.g. system:serviceaccount:kafka-test:default) this basically means that I can't use KafkaUser CRD to manage authorization. One quick and dirty workaround is extracting specific claims from the JWT token, but there may be situations where usernames could collide (e.g. service account kafka-consumer exists in multiple namespaces).

Is there a way to work around this problem? Possible thought/solutions that come to mind:

1. Annotate the KafkaUser CRD to match the Kafka Principal username extracted from the JWT token.
2. Combine multiple parts of the JWT token in the userNameClaim parameter of the OAuth listener.

Any help would be highly appreciated.

Later Edit & TDLR

This is known issue, discussion happening in #10353

[scholzj]

There is no workaround right now. There is an issue tracking this limitation somewhere among the issues.

[sebypp]

@scholzj , thanks for the quick reply. I had a look at all 100+ open issues in the strimzi-kafka-operator repo, but couldn't find anything. Do you happen to remember more details that could help me narrow the search?

[scholzj]

#10353?

[sebypp]

Thanks @scholzj , this wasn't immediately obvious, but it can certainly fit the bill. I'll close this question and comment on the issue itself, maybe we can revitalize it a bit.

[scholzj]

Not sure it really needed the "revitalization" to be honest. It makes it just muhc harder to understand what the issue is really about.