JSON Web Token (JWT) Authentication

Many 3rd party integrations available for Kubernetes, such as GitLab and HashiCorp Vault, involve giving an external process access to the Kubernetes API using a native Kubernetes Service Account token for authentication.

In Rancher v2.9.0 and later, service accounts on downstream clusters can now authenticate through a JSON web token (JWT) using the Rancher authentication proxy. In Rancher versions earlier than v2.9.0, only Rancher-issued tokens were supported.

To enable this feature, follow these steps:

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Click Advanced to open the dropdown menu.

  3. Select JWT Authentication.

  4. Click the checkbox for the cluster you want to enable JWT authentication for, and click Enable. Alternatively, you can click > Enable.