Kubernetes TokenReview API
This demo simulates the Kubernetes TokenReview API pattern used in AgentCube pkg/workloadmanager/auth.go for validating ServiceAccount tokens and extracting namespace information.
1. ServiceAccount Token
Enter a Kubernetes ServiceAccount token or generate a demo token. The token will be validated using the TokenReview API pattern.
2. TokenReview API
Simulate the Kubernetes TokenReview API call. In production, this would call the actual Kubernetes API server.
ServiceAccount Username Format
Kubernetes ServiceAccount tokens carry a username in a fixed format (in the token's sub claim, and in the TokenReview response) that encodes the namespace and ServiceAccount name: system:serviceaccount:<namespace>:<name>. Splitting this string yields the namespace and the ServiceAccount name; a username in any other shape is not a ServiceAccount identity.
LRU Cache Simulation
AgentCube uses an LRU (Least Recently Used) cache to avoid repeated TokenReview API calls for the same token. This improves performance and reduces API server load. The cache is bounded in size, so the least recently used token is evicted once it is full; a cached entry stays accepted until it is evicted or expires, so only successful validations should be cached.
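The username parsing and the LRU cache described above, as an added Go example that is not AgentCube's own code: ParseSAUsername accepts only the exact system:serviceaccount:<ns>:<name> shape, and TokenCache caches successful validations only. The review callback is an assumed stand-in for the real TokenReview call and returns the response's username and authenticated flag.

```go
package main

import (
	"container/list"
	"fmt"
	"strings"
)

// SAInfo is what the WorkloadManager extracts from a validated token.
type SAInfo struct{ Namespace, Name string }

// ParseSAUsername parses the TokenReview username "system:serviceaccount:<ns>:<name>";
// any other shape (a human user, system:anonymous, a truncated string) is rejected.
func ParseSAUsername(username string) (SAInfo, error) {
	p := strings.Split(username, ":")
	if len(p) != 4 || p[0] != "system" || p[1] != "serviceaccount" || p[2] == "" || p[3] == "" {
		return SAInfo{}, fmt.Errorf("not a ServiceAccount username: %q", username)
	}
	return SAInfo{Namespace: p[2], Name: p[3]}, nil
}

// TokenCache is a bounded LRU keyed by the raw bearer token; its zero value is ready
// to use. Only successful validations are cached, so rejected tokens are re-checked.
type TokenCache struct {
	Cap   int
	order *list.List               // front = most recently used; values are *entry
	items map[string]*list.Element // token -> its list element
}
type entry struct {
	token string
	info  SAInfo
}

// Validate serves from cache or calls review (assumed stand-in for the TokenReview API:
// it returns Status.User.Username and Status.Authenticated) and caches the result.
func (c *TokenCache) Validate(token string, review func(string) (string, bool)) (SAInfo, error) {
	if c.items == nil {
		c.order, c.items = list.New(), map[string]*list.Element{}
	}
	if el, ok := c.items[token]; ok {
		c.order.MoveToFront(el)
		return el.Value.(*entry).info, nil
	}
	username, ok := review(token)
	info, err := ParseSAUsername(username)
	if !ok || err != nil {
		return SAInfo{}, fmt.Errorf("TokenReview rejected token: authenticated=%v, %v", ok, err)
	}
	c.items[token] = c.order.PushFront(&entry{token, info})
	if c.order.Len() > c.Cap { // evict the least recently used token
		delete(c.items, c.order.Remove(c.order.Back()).(*entry).token)
	}
	return info, nil
}
```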
ServiceAccount Token Structure
Kubernetes ServiceAccount tokens are JWTs with specific claims that identify the ServiceAccount and its namespace.
{
  "header": {
    "alg": "RS256",
    "typ": "JWT"
  },
  "payload": {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "demo-sa-token-xyz",
    "kubernetes.io/serviceaccount/service-account.name": "demo-sa",
    "kubernetes.io/serviceaccount/service-account.uid": "abc-123-def",
    "sub": "system:serviceaccount:default:demo-sa",
    "exp": 9999999999
  }
}
AgentCube Implementation Reference
This demo is based on the AgentCube WorkloadManager authentication:
- TokenReview API validation (validateServiceAccountToken)
- LRU cache for token validation (tokenCache)
- Username format parsing: system:serviceaccount:<ns>:<name>
- Namespace extraction from username
- Bearer token in Authorization header