Type: Feature Request
Resolution: Unresolved
Priority: Major
None
Components: Red Hat OpenShift Container Platform, Red Hat OpenStack Services on OpenShift (formerly Red Hat OpenStack Platform)
Feature Request Overview
Today, Shift-on-Stack workloads authenticate to OpenStack with Application Credentials, which are tied to a real Keystone user and carry a long-lived secret. Teams are left to build their own secret distribution and rotation, which is a weaker posture than the hyperscalers' "workload identity" (IRSA-like) flows.
We need OpenShift service account (SA) tokens (bound, audience-scoped, short-lived OIDC JWTs) to be federated into Keystone so that a workload obtains an ephemeral, least-privilege Keystone token scoped to a specific project and roles, with no static password or application-credential secret involved. The implementation uses Keystone's OIDC federation (mod_auth_openidc) with claim-to-role mappings, trusting the OpenShift cluster's OIDC issuer for SA tokens.
While this RFE explicitly targets OpenShift workloads on OpenStack, it is also a path to generalized VM guest workload identity.
Business justification
- Security parity with hyperscalers: Remove long-lived user passwords and app-credential secrets from pods; adopt short-lived, aud-scoped tokens with automatic rotation driven by Kubernetes.
- Operational risk reduction: No out-of-band secret rotation pipelines; rotation follows SA token TTL automatically.
- Least privilege by design: Map namespace/SA/audience claims to minimal Keystone roles on specific projects.
- Compliance & audit: Centralized authN via Keystone; explicit claim-to-role mappings; auditable, scoped tokens.
- Developer velocity: Eliminate secret hand-offs for teams that need OpenStack APIs (CSI drivers, operators, controllers).
- Shift-on-Stack credibility: Matches the posture customers expect from AWS/GCP/Azure-style workload identity while staying entirely on-prem.
Functional requirements
A. Keystone federation plumbing (owned by RHOSO Identity/Keystone)
- Keystone as OIDC RP: Operator-managed configuration for mod_auth_openidc (or supported equivalent) on the Keystone front end, enabling OIDC authentication against a trusted IdP.
- Trust OpenShift's OIDC issuer: Register the OpenShift cluster's issuer (discovery URL), the accepted audience(s), and its JWKS. Accept only bound service account tokens (audience- and time-limited), and cap the lifetime of the Keystone token at the remaining validity of the SA token that was presented.
- Identity Provider + Protocol + Mapping in Keystone: Define an IdP (OpenShift), a protocol (openid), and mapping rules from OIDC claims (e.g., sub, aud, and the kubernetes.io namespace and service account name claims) to Keystone groups/roles/projects. Provide operator-level CRDs/automation to manage these artifacts declaratively.
- Ephemeral Keystone tokens: After successful federation, Keystone issues standard project-scoped tokens; the default TTL should be short (e.g., ≤1h) and must not exceed the remaining validity of the SA token that was validated. (Keystone token issuance is existing behavior; the TTL alignment is the requested enhancement/policy.)
- Backward compatibility: Application Credentials remain supported for legacy workloads; documented migration to federation.
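The script below is an added example, not code from this RFE, from Keystone or from the Keystone operator. It embeds a candidate mapping rule set of the kind requirement A asks the operator to manage declaratively, then evaluates it with a small re-implementation of Keystone's mapping semantics (remote requirements, any_one_of with regex, and {n} direct-map substitution) against constructed claims, and computes the aligned Keystone token lifetime. Claim names use mod_auth_openidc's default "OIDC-" prefix, which is the form in which Keystone sees them after the module has already verified the JWT signature, audience and expiry; the issuer, namespace, service account, project and audience values are assumptions.

```python
"""Offline check of a Keystone claim-to-role mapping for OpenShift SA tokens.

Added example (not Keystone's own code): reproduces Keystone's mapping-rule
evaluation so a rule set can be tested before `openstack mapping create`.
"""
import re
import time

# Constructed mapping rules (namespace, project and audience are assumptions).
# Every bound SA token from the openshift-cluster-csi-drivers namespace with
# audience "openstack" becomes an ephemeral federated user that holds only the
# "member" role on one project.
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}", "type": "ephemeral"}},
            {"projects": [
                {"name": "shiftstack-cluster-a",
                 "roles": [{"name": "member"}]},
            ]},
        ],
        "remote": [
            # A plain requirement only captures the value: it becomes {0}.
            {"type": "OIDC-sub"},
            # Constraining requirements must match but feed no {n} slot.
            # This one confines the rule to a single namespace.
            {"type": "OIDC-sub", "regex": True,
             "any_one_of": [r"^system:serviceaccount:openshift-cluster-csi-drivers:[a-z0-9-]+$"]},
            # Defence in depth: mod_auth_openidc already checked aud.
            {"type": "OIDC-aud", "any_one_of": ["openstack"]},
        ],
    },
]

# Constructed claims as they reach Keystone (assumed issuer and SA name).
SAMPLE_ASSERTION = {
    "OIDC-iss": "https://oidc.cluster-a.example.com",
    "OIDC-sub": "system:serviceaccount:openshift-cluster-csi-drivers:"
                "openstack-cinder-csi-driver-controller-sa",
    "OIDC-aud": "openstack",
    "OIDC-exp": "1700003600",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, use_regex):
    # Keystone uses re.search for regex requirements, so anchor in the pattern.
    return re.search(pattern, value) is not None if use_regex else pattern == value


def _render(node, direct):
    """Apply {n} substitution to every string in the rule's 'local' section."""
    if isinstance(node, str):
        return node.format(*direct)
    if isinstance(node, list):
        return [_render(n, direct) for n in node]
    if isinstance(node, dict):
        return {k: _render(v, direct) for k, v in node.items()}
    return node


def evaluate_mapping(rules, assertion):
    """Return the rendered 'local' section of the first matching rule, else None."""
    for rule in rules:
        direct = []
        for req in rule["remote"]:
            values = assertion.get(req["type"])
            if values is None:
                break  # required claim is absent: rule does not match
            values = _as_list(values)
            use_regex = req.get("regex", False)
            if "any_one_of" in req:
                if not any(_matches(p, v, use_regex)
                           for p in req["any_one_of"] for v in values):
                    break
            elif "not_any_of" in req:
                if any(_matches(p, v, use_regex)
                       for p in req["not_any_of"] for v in values):
                    break
            else:
                # Single-valued claims substitute as a scalar, as in Keystone.
                direct.append(values[0] if len(values) == 1 else values)
        else:
            return _render(rule["local"], direct)
    return None


def aligned_token_ttl(sa_exp, default_ttl=3600, now=None):
    """Keystone token lifetime: the configured default, capped at the remaining
    validity of the SA token that proved the workload's identity."""
    now = time.time() if now is None else now
    remaining = int(sa_exp - now)
    if remaining <= 0:
        raise ValueError("service account token already expired")
    return min(default_ttl, remaining)


def demo():
    local = evaluate_mapping(MAPPING_RULES, SAMPLE_ASSERTION)
    ttl = aligned_token_ttl(int(SAMPLE_ASSERTION["OIDC-exp"]), now=1700000000)
    return local, ttl


if __name__ == "__main__":
    print(demo())
```

In a deployment the rule list is loaded with `openstack mapping create --rules rules.json <name>` and attached with `openstack federation protocol create openid --identity-provider openshift --mapping <name>`; the evaluator here only lets you test a rule set offline. The second `OIDC-sub` requirement is what keeps the mapping to one namespace: without it, every service account the cluster issuer signs for would receive the project role.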
B. ShiftStack/IPI integration (coordinated with RHOSO + OCP)
- Cluster bootstrap docs & samples: Official guide to expose the OCP issuer and create the Keystone IdP/protocol/mapping, including example claim mappings by namespace/SA convention (e.g., system:serviceaccount:<ns>:<name>).
- Validation tooling: Simple openstack CLI flow (or a small plugin) to exchange an OCP SA token for a scoped Keystone token and to verify claim-to-role mappings end-to-end. (New UX; based on Keystone federation primitives.)
C. SDK/driver guidance (documentation)
- keystoneauth usage with OIDC-federated tokens: Show how controllers/operators (e.g., CSI sidecars) use the in-cluster projected token to obtain a Keystone token on pod start and refresh it automatically before it expires. (Doc pattern, leveraging bound tokens + federation.)
Keystone's OIDC federation via Apache is documented and supported, and operators can already configure it by hand. This RFE is about productizing and supporting it in RHOSO, including issuer trust, mapping, and lifecycle management via the Keystone operator.
OpenShift bound SA tokens are audience- and time-bound OIDC tokens, designed exactly for this kind of external federation.
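The following is an added example of the workload-side pattern requirement C asks to document; it is not code from this RFE, from keystoneauth or from any CSI driver. A controller reads the pod's projected SA token, exchanges it through keystoneauth1's v3 OidcAccessToken plugin (which posts the JWT as a bearer token to the federation auth endpoint and scopes the result to a project), and re-authenticates before either the Keystone token or the SA token expires. Assumptions: the IdP is registered in Keystone as "openshift" with protocol "openid", the pod mounts a bound token with audience "openstack" at TOKEN_PATH, and AUTH_URL and the project name are placeholders.

```python
"""Obtain and refresh a project-scoped Keystone token from a projected SA token.

Added example (not the project's code). Offline helpers need only the standard
library; keystoneauth1 is imported only where the real exchange happens.
"""
import base64
import json
import os
import time

# Assumed mount of a serviceAccountToken projection with audience "openstack".
TOKEN_PATH = os.environ.get("OS_SA_TOKEN_PATH", "/var/run/secrets/openstack/token")
AUTH_URL = os.environ.get("OS_AUTH_URL", "https://keystone.rhoso.example.com/v3")  # assumed
IDENTITY_PROVIDER = "openshift"   # assumed IdP name registered in Keystone
PROTOCOL = "openid"
PROJECT_NAME, PROJECT_DOMAIN = "shiftstack-cluster-a", "Default"  # assumed
REFRESH_MARGIN = 120  # seconds of remaining validity at which to re-authenticate


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_expiry(token: str) -> int:
    """'exp' from a JWT payload, read without signature verification. Keystone
    (mod_auth_openidc) verifies the token; the client only needs the number to
    schedule its refresh."""
    return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"])


def needs_refresh(expires_at: float, now=None, margin: int = REFRESH_MARGIN) -> bool:
    now = time.time() if now is None else now
    return expires_at - now <= margin


def read_projected_token(path: str = TOKEN_PATH) -> str:
    """Always re-read: kubelet rewrites the projected file as the bound token
    nears expiry, so a value cached at pod start goes stale."""
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def keystone_session(sa_token: str):
    """Session whose auth plugin sends the SA JWT as a bearer token to
    /v3/OS-FEDERATION/identity_providers/<idp>/protocols/openid/auth and then
    scopes the federated token to the project."""
    from keystoneauth1 import session
    from keystoneauth1.identity import v3

    auth = v3.OidcAccessToken(
        auth_url=AUTH_URL,
        identity_provider=IDENTITY_PROVIDER,
        protocol=PROTOCOL,
        access_token=sa_token,
        project_name=PROJECT_NAME,
        project_domain_name=PROJECT_DOMAIN,
    )
    return session.Session(auth=auth)


class FederatedTokenSource:
    """Hands out a valid project-scoped Keystone token for OpenStack API calls."""

    def __init__(self, path: str = TOKEN_PATH):
        self.path = path
        self.session = None
        self.expires_at = 0.0

    def token(self) -> str:
        if self.session is None or needs_refresh(self.expires_at):
            sa_token = read_projected_token(self.path)
            self.session = keystone_session(sa_token)
            access = self.session.auth.get_access(self.session)  # performs the exchange
            # Never keep using a Keystone token past the SA token that vouched for it.
            self.expires_at = min(access.expires.timestamp(), jwt_expiry(sa_token))
        return self.session.get_token()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token with no signature (Keystone would reject it);
    used only to exercise the offline helpers."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


if __name__ == "__main__":
    # Requires a reachable Keystone with the federation plumbing in place.
    print(FederatedTokenSource().token()[:12], "...")
```

The same exchange can be driven from the CLI for the validation flow in requirement B, since the plugin is exposed as an auth type: `openstack --os-auth-type v3oidcaccesstoken --os-auth-url <keystone> --os-identity-provider openshift --os-protocol openid --os-access-token "$(cat /var/run/secrets/openstack/token)" --os-project-name <project> --os-project-domain-name Default token issue` (names are the same assumptions as above).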
Describe the customer impact
- Removes static OpenStack secrets from OpenShift workloads; eliminates DIY rotation pipelines.
- Brings Shift-on-Stack to security parity with hyperscalers' workload identity models using standard OIDC federation.
- Improves least-privilege isolation across namespaces/teams via claim-based mappings to precise Keystone roles/projects.
- Speeds onboarding for platform and app teams (no more per-app Keystone user/service-account lifecycle).
- Reduces audit findings around credential age/exposure; TTL-aligned ephemeral tokens reduce blast radius.
- Smooth migration path: legacy Application Credentials still work, with documented migration to OIDC federation.
Point of contact