Expand description
Authentication middleware for Kubernetes ServiceAccount tokens
This module validates that incoming requests include a valid ServiceAccount token in the Authorization header.
§Token Validation Modes
§Basic Mode (default)
- Checks for token presence and format
- Suitable for trusted environments or when using external auth (API gateway, service mesh)
§Kubernetes TokenReview Mode (feature: k8s-token-review)
- Validates tokens against Kubernetes TokenReview API
- Verifies token authenticity and expiration
- Validates token audience
- Restricts to allowed namespaces and service accounts
- Requires in-cluster configuration or kubeconfig
§Security Configuration
Environment variables for TokenReview mode:
BIND_TOKEN_AUDIENCES- Comma-separated list of expected audiences (default: “bindcar”)BIND_ALLOWED_NAMESPACES- Comma-separated list of allowed namespaces (empty = allow all)BIND_ALLOWED_SERVICE_ACCOUNTS- Comma-separated list of allowed SA names (empty = allow all)
Structs§
- Auth
Error - Error response for authentication failures
- Token
Review Config - Configuration for TokenReview security policies
Enums§
- Kube
Auth Mode - Describes how the Kubernetes client will be authenticated when performing TokenReview calls.
Functions§
- authenticate
- Authentication middleware
- detect_
kube_ auth_ mode - Inspect environment variables and return which Kubernetes auth mode should be used.