Every cluster you create on Excloud Kubernetes is its own OIDC issuer. Kubernetes signs ServiceAccount tokens with a cluster-specific private key; the matching JWKS is published at a public, unauthenticated URL. Any IdP that supports OIDC federation (AWS IAM, GCP Workload Identity Federation, Vault, Auth0, and Excloud IAM service accounts in the near future) can be told to trust that URL and accept the tokens as proof of identity.

End result: your pods get short-lived, per-workload credentials with no long-lived secret mounted into the container.

Issuer URL

https://k8sapi.excloud.in/c/<cluster_id>/.well-known/openid-configuration
https://k8sapi.excloud.in/c/<cluster_id>/openid/v1/jwks

Both URLs are public; you give them to whatever IdP needs to verify a token issued by your cluster.

<cluster_id> is the numeric cluster ID from exc k8s cluster list.

How a pod gets a token

Configure a projected ServiceAccount token volume in the pod spec:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  serviceAccountName: app
  containers:
    - name: app
      image: my-app:latest
      volumeMounts:
        - name: token
          mountPath: /var/run/secrets/tokens
  volumes:
    - name: token
      projected:
        sources:
          - serviceAccountToken:
              audience: <audience-string>
              expirationSeconds: 3600
              path: token

Kubernetes drops a JWT at /var/run/secrets/tokens/token, refreshes it before expiry, and signs it with the cluster’s OIDC key. The audience is whatever the receiving IdP expects.

Common federation targets

Excloud IAM (service-account exchange)

Bind a Kubernetes ServiceAccount to an Excloud service account via your IdP federation (rolling out). Until that’s GA, mount an API key from Secrets into the pod.

AWS

Set up an IAM OIDC identity provider with the issuer URL above, then write a trust policy on the IAM role that accepts sub: system:serviceaccount:<namespace>:<sa-name> from that issuer.

Vault

Configure Vault’s Kubernetes auth method with the issuer URL, then map ServiceAccounts to Vault roles.
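What the AWS and Vault targets above actually do with a pod's token, written out as a verifier (an added example, not Excloud's or any IdP's code): the keys map is assumed to have been built from the cluster's jwks_uri, the cluster id in the issuer is constructed, and NewKey/Sign only stand in for the cluster's signer so the demo runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Verify is what a federating IdP does with a token: signing key by header kid (keys already parsed from
// jwks_uri), RS256 signature over header.payload, then iss, aud, exp (now: unix seconds) and the sub prefix.
func Verify(token string, keys map[string]*rsa.PublicKey, issuer, audience string, now int64) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	h, _ := b64.DecodeString(p[0])
	body, _ := b64.DecodeString(p[1])
	sig, _ := b64.DecodeString(p[2])
	var hdr struct{ Alg, Kid string }
	var c struct{ Iss, Sub, Aud string; Exp int64 } // one audience in the pod spec, so aud is a plain string
	if json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(body, &c) != nil {
		return "", fmt.Errorf("bad header or claims, or alg %q is not RS256", hdr.Alg)
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if pub := keys[hdr.Kid]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return "", fmt.Errorf("kid %q not in JWKS or signature invalid", hdr.Kid)
	}
	if c.Iss != issuer || c.Aud != audience || now >= c.Exp || !strings.HasPrefix(c.Sub, "system:serviceaccount:") {
		return "", fmt.Errorf("claims rejected: iss=%q aud=%q sub=%q exp=%d", c.Iss, c.Aud, c.Sub, c.Exp)
	}
	return c.Sub, nil
}
// NewKey and Sign stand in for the cluster's signer so the demo runs offline;
// the real signing key never leaves the control plane.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	msg := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(msg))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return msg + "." + b64.EncodeToString(sig)
}
```

A trust policy that pins sub to one system:serviceaccount:<namespace>:<sa-name> value is the last comparison with equality instead of the prefix check.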

Verifying

From a pod (JWT segments are base64url, so - and _ are mapped back to + and / before decoding):

cut -d. -f2 /var/run/secrets/tokens/token | tr '_-' '/+' | base64 -d 2>/dev/null

You should see a JWT payload with iss matching the issuer URL above and sub set to system:serviceaccount:<namespace>:<sa>.

From outside:

curl https://k8sapi.excloud.in/c/$CLUSTER_ID/.well-known/openid-configuration

Should return a JSON document including issuer, jwks_uri, and response_types_supported.

Limits

  • Tokens expire when the projected volume says they do (default 1h). Set expirationSeconds appropriately for your workload.
  • Cluster OIDC keys rotate when the cluster is recreated. Federation trust is bound to the issuer URL, not the key, so consumers transparently pick up the new JWKS.
  • The issuer URL is per-cluster; you cannot share a single trust policy across clusters. Re-add federation for each cluster you create.