-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add BoundServiceAccountToken
trigger authentication type
#6272
base: main
Are you sure you want to change the base?
Conversation
538290e
to
ea01caa
Compare
67740fd
to
48ccb5f
Compare
187bcfb
to
44f1a81
Compare
44f1a81
to
542d918
Compare
I know in the community meeting we concluded on a range for expiry as 1h-6h, but is there a reason why we shouldn't allow people to use lower expiries like 10m? |
IMO, there's not a lot of security gained by having 10m vs 1h, and 1h decreases the frequency of new token requests. I don't feel super strongly about it though. In my opinion, we should either hard-code it to 1h or should default to 1h and make it globally-configurable (like via a command-line flag) so that the cluster admin can make the decision about token lifetime for their cluster. |
542d918
to
a2e587b
Compare
Okay I've hardcoded the expiry to 1 hour. If people have qualms about not being able to configure it, I can include a commit to change that. I think this is ready for further review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should default to 1h and make it globally-configurable (like via a command-line flag) so that the cluster admin can make the decision about token lifetime for their cluster.
I like this, I think it makes sense to make it configurable. I think that env variable (or flag) would be great: https://keda.sh/docs/2.16/operate/cluster/#restrict-secret-access
Also, we should definitely consider e2e test for this: https://github.com/kedacore/keda/tree/main/tests/secret-providers
E2e test in 0c9444b and configurable token global expiry in b1c68d8 The e2e test depends on this new image to be merged: kedacore/test-tools#186 |
0c9444b
to
4f3c96f
Compare
/run-e2e trigger_auth_bound_service_account_token_test |
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
…nv vars Signed-off-by: Max Cao <[email protected]>
Signed-off-by: Max Cao <[email protected]>
4f3c96f
to
2a7f28f
Compare
…ect merged ghcr test image Signed-off-by: Max Cao <[email protected]>
2a7f28f
to
42ea3fb
Compare
Fixed merge conflict and updated the new test image ref to point to the ghcr image in 42ea3fb. |
/run-e2e secret-providers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome feature and great job!!!!
Provide a description of what has been changed
Implements a new auth provider which allows users to provide authentication using a Kubernetes service account's credentials without creating an explicit long-lived secret.
You could already inject Kubernetes service account tokens in triggerAuth refs before by using theSecret
trigger auth type, but instead of manually embedding it in a long-lived secret, you can now directly specify the service account instead, and it will embed the sa token in an annotation in the triggerAuth object, and the keda-operator will autorotate the token if the expiry is at least 50% stale. You can specify which parameter you pull into the trigger withparameter
, the serviceAccountName in the same namespace as theTriggerAuth
CR, and the expiry as a duration. If you use aClusterTriggerAuth
, note that this works similarly to the Secret trigger auth, and the service account then has to be in theKEDA_CLUSTER_OBJECT_NAMESPACE
namespace.This for example can allow keda to scale a workload based on a prometheus instance that requires kubernetes rbac auth inside the cluster without creating a long-lived secret that can potentially be exposed and unrevokable unless you delete the serviceaccount itself. You must specify the service account name (same namespace as the object), the authentication parameter. The token expiry is hardcoded to 1 hour.
Checklist
Fixes: #6136