lex-identity-kubernetes

Kubernetes service account identity provider for LegionIO. Reads projected SA tokens from the standard mount path and optionally validates them via Vault Kubernetes auth.

Gem: lex-identity-kubernetes Version: 0.1.0 License: MIT

When running inside a Kubernetes pod, LegionIO can establish machine identity from the pod's service account. This provider:

1. Reads the projected SA token from /var/run/secrets/kubernetes.io/serviceaccount/token
2. If Vault is connected: validates the token via auth/kubernetes/login and derives groups from Vault policies (verified path)
3. If Vault is not connected: decodes the JWT payload without signature verification (unverified fallback) — groups are always empty on this path for RBAC safety

{
  canonical_name: 'legionio-legion-worker',   # namespace-sa_name
  kind:           :machine,
  source:         :kubernetes,
  persistent:     true,
  groups:         ['default', 'legionio'],    # from Vault policies (verified only)
  metadata:       {
    namespace:        'legionio',
    service_account:  'legion-worker',
    verified:         true   # false on unverified path
  }
}

Settings at Legion::Settings[:identity][:kubernetes]:

vault auth enable kubernetes
vault write auth/kubernetes/config \
  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  kubernetes_host="https://kubernetes.default.svc"

vault write auth/kubernetes/role/legionio \
  bound_service_account_names=legion-worker \
  bound_service_account_namespaces=legionio \
  policies=default,legionio \
  ttl=1h

bundle install
bundle exec rspec
bundle exec rubocop