-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support bound service account tokens #6136
Comments
Hello |
Thanks for your response! To clarify, the use case that spawned this idea was autoscaling an Ingress Controller in OpenShift and in that context, we authenticate with Thanos via service accounts: link for more context. In this case our "backend" does support k8s (openshift) api verified tokens, but we are forced to create a long-lived service account secret. The proposal is to replace this manual process with something more aligned with short-lived bound service account tokens, and I'm very open to hearing about alternative ideas on how to support this as a first step towards best practices. Is this something that should be worked on, and what do you think? |
Sorry, I missed this issue. I think it sounds reasonable, I am curious to hear if there any potential security issues or something that should concern us in general. |
Unfortunately the only objects you can bind the tokens to (as of now), are to pods and secrets. Since we are sort of trying to eliminate the use of secrets, and it doesn't make sense to bind to any pods, what if we "bind" generated tokens to a TriggerAuth that implements the However, a user who can get/list |
Doing our own object binding won't prevent an attacker who has obtained the token from using it until expiration, even if the corresponding TriggerAuth is removed, so I'm not sure that there is enough benefit in doing our own explicit binding. IMO, we should bind it to the keda-operator pod which requested the token and force a short expiration. I think we shouldn't expose the expiration time in our API, since the token is requested directly by KEDA and KEDA is its only user. If we select an expiration like 1 hour, then if the referencing TriggerAuth is removed, the token would not be renewed by us after its expiration. |
Proposal
Currently, there exists the normal
Secret
Auth Provider which you can use to reference an embedded token for your scaler. Since Kubernetes 1.22, there is the Bound service account token feature that allows short-lived tokens to be mounted as projectedVolumes to your pods vs. long lived explicit tokens that you manually embed in a Secret.I propose that Keda should support bound service account tokens as a new AuthenticationProvider (maybe called
BoundServiceAccountToken
or something).I'm not exactly sure how this would be implemented but I was thinking that users would reference a ServiceAccount to create the token from, Keda calls the k8s TokenRequest API, and embeds that short-lived token in its own Secret. We would like to eliminate secrets completely here, but I'm not sure how we would store the state of an existing token otherwise. Very open to discussions and suggestions.
Use-Case
This would remove the extra step of the user explicitly creating a secret for a long-lived service account token and move away from legacy long-lived API tokens towards the k8s recommended TokenRequest API instead.
Here's a proof of concept of what I was thinking:
parameter
: identical toSecret
andConfigMap
auth providerserviceAccountName
: name of the serviceAccount you want to generate the token fromsecretName
: name of a secret you want to store the short lived token inexpiry
: when the token expiresIs this a feature you are interested in implementing yourself?
Yes
Anything else?
The docs show the old way that you can reference a long-lived token (which involves creating your own secret) https://keda.sh/docs/2.15/scalers/metrics-api/#example
The text was updated successfully, but these errors were encountered: