Merge pull request #2 from spiffe/initial-readme

Initial readme
spiffe · Aug 22, 2024 · 5964ce7 · 5964ce7
2 parents f286c9f + 09c8166
commit 5964ce7
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,43 @@
 # k8s-spiffe-workload-jwt-exec-auth
 A Kubernetes exec auth plugin using the spiffe workload api to get jwts for auth
+
+## Building
+go build .
+
+## Usage
+
+### Setup the Kubernetes cluster auth
+
+We recommend using the Structured Authentication mechanism, as documented here: https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/
+
+As an example:
+```yaml
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    # Update to point at your spiffe-oidc-discovery-provider
+    url: https://oidc-discovery.example.org
+    audiences:
+    - k8s
+  claimMappings:
+    username:
+      claim: "sub"
+      prefix: ""
+```
+
+### Kubeconfig file
+
+Start with a copy of your kubernetes clusters /etc/kubernetes/admin.conf file.
+
+Remove the "user" block from the "users" section and replace it with:
+```yaml
+  user:
+    exec:
+      apiVersion: "client.authentication.k8s.io/v1"
+      command: "k8s-spiffe-workload-jwt-exec-auth"
+      # To customize, uncomment and change the settings below
+      #env:
+      #  SPIFFE_ENDPOINT_SOCKET: "unix:///tmp/spire-agent/public/api.sock"
+      #  SPIFFE_JWT_AUDIENCE: "k8s"
+```