TeleportWorkloadIdentityV1

This guide is a comprehensive reference to the fields in the TeleportWorkloadIdentityV1 resource, which you can apply after installing the Teleport Kubernetes operator.

resources.teleport.dev/v1

apiVersion: resources.teleport.dev/v1

| Field | Type | Description |
|---|---|---|
| apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| metadata | object | |
| spec | object | WorkloadIdentity resource definition v1 from Teleport |

spec

| Field | Type | Description |
|---|---|---|
| rules | object | The rules which are evaluated before the WorkloadIdentity can be issued. |
| spiffe | object | Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials. |

spec.rules

| Field | Type | Description |
|---|---|---|
| allow | []object | A list of rules used to determine if a WorkloadIdentity can be issued. If none are provided, it will be considered a pass. If any are provided, then at least one must pass for the rules to be considered passed. |

spec.rules.allow items

| Field | Type | Description |
|---|---|---|
| conditions | []object | The conditions that must be met for this rule to be considered passed. Mutually exclusive with expression. |
| expression | string | An expression written in Teleport's predicate language that must evaluate to true for this rule to be considered passed. Mutually exclusive with conditions. |

spec.rules.allow items.conditions items

| Field | Type | Description |
|---|---|---|
| attribute | string | The name of the attribute to evaluate the condition against. |
| eq | object | The attribute, cast to a string, must be equal to the value. |
| in | object | The attribute, cast to a string, must be in the list of values. |
| not_eq | object | The attribute, cast to a string, must not be equal to the value. |
| not_in | object | The attribute, cast to a string, must not be in the list of values. |

spec.rules.allow items.conditions items.eq

| Field | Type | Description |
|---|---|---|
| value | string | The value to compare the attribute against. |

spec.rules.allow items.conditions items.in

| Field | Type | Description |
|---|---|---|
| values | []string | The list of values to compare the attribute against. |

spec.rules.allow items.conditions items.not_eq

| Field | Type | Description |
|---|---|---|
| value | string | The value to compare the attribute against. |

spec.rules.allow items.conditions items.not_in

| Field | Type | Description |
|---|---|---|
| values | []string | The list of values to compare the attribute against. |

spec.spiffe

| Field | Type | Description |
|---|---|---|
| hint | string | A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials. |
| id | string | The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward slash ("/"). This field supports templating using attributes. |
| jwt | object | Configuration specific to JWT-SVIDs. |
| x509 | object | Configuration specific to X509-SVIDs. |

spec.spiffe.jwt

| Field | Type | Description |
|---|---|---|
| extra_claims | object | Additional claims that will be added to the JWT. |
| maximum_ttl | string | Controls the maximum TTL of JWT-SVIDs issued using this WorkloadIdentity. If a JWT-SVID is requested with a TTL greater than this value, then the returned JWT-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 24 hours. |

spec.spiffe.x509

| Field | Type | Description |
|---|---|---|
| dns_sans | []string | The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes. |
| maximum_ttl | string | Controls the maximum TTL of X509-SVIDs issued using this WorkloadIdentity. If an X509-SVID is requested with a TTL greater than this value, then the returned X509-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 14 days. |
| subject_template | object | Used to configure the Subject Distinguished Name (DN) of the X509-SVID. In most circumstances, it is recommended to rely on the SPIFFE ID encoded in the URI SAN instead. However, the Subject DN may be needed to support legacy systems designed for X509 and not SPIFFE/WIMSE. If not provided, the X509-SVID will be issued with an empty Subject DN. |

spec.spiffe.x509.subject_template

| Field | Type | Description |
|---|---|---|
| common_name | string | Common Name (CN), OID 2.5.4.3. If empty, the RDN will be omitted from the DN. |
| organization | string | Organization (O), OID 2.5.4.10. If empty, the RDN will be omitted from the DN. |
| organizational_unit | string | Organizational Unit (OU), OID 2.5.4.11. If empty, the RDN will be omitted from the DN. |
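The following manifest is an added example that ties the fields above together; it is not taken from the Teleport documentation or the operator's test data. The resource name, the attribute names (`workload.kubernetes.namespace`, `workload.kubernetes.service_account`), the `{{ }}` templating syntax, the predicate expression syntax and every value are assumptions chosen for illustration.

```yaml
apiVersion: resources.teleport.dev/v1
kind: TeleportWorkloadIdentityV1
metadata:
  name: payments-api          # constructed name
spec:
  rules:
    # At least one allow rule must pass for issuance to proceed.
    allow:
      # Rule 1: attribute conditions. Every condition in this rule must hold.
      - conditions:
          - attribute: workload.kubernetes.namespace        # assumed attribute name
            eq:
              value: payments
          - attribute: workload.kubernetes.service_account  # assumed attribute name
            in:
              values:
                - api
                - worker
      # Rule 2: a predicate-language expression instead of conditions
      # (the two are mutually exclusive within a single rule).
      - expression: 'workload.kubernetes.namespace == "billing"'   # assumed syntax
  spiffe:
    # Path of the issued SPIFFE ID; attributes are templated in (assumed syntax).
    id: /ns/{{ workload.kubernetes.namespace }}/sa/{{ workload.kubernetes.service_account }}
    hint: payments-api
    jwt:
      maximum_ttl: 1h          # shorter than the 24h default and cap
      extra_claims:
        env: prod
    x509:
      maximum_ttl: 12h         # below the 14-day cap for X509-SVIDs
      dns_sans:
        - api.payments.svc.cluster.local
      # Only needed for legacy X509 consumers; the SPIFFE ID in the URI SAN is preferred.
      subject_template:
        common_name: api.payments.svc.cluster.local
        organization: Example Corp
```

Because an empty `allow` list is treated as a pass, an identity with no rules can be issued to any workload that can reach it; keep at least one rule that pins the issuance to the intended namespace and service account.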