This repository has been archived by the owner on Apr 24, 2023. It is now read-only.

Add sidecar authentication scheme for k8s progress updates #1367

Open
DaoWen opened this issue Jan 21, 2020 · 0 comments
Labels
enhancement k8s Related to Cook on Kubernetes progress-reporting


DaoWen commented Jan 21, 2020

Is your feature request related to a problem? Please describe.

The /progress API for POSTing job instance progress updates from k8s sidecars is initially being implemented unauthenticated. This obviously isn't ideal.

Describe the solution you'd like

We should inject some sort of unique auth token into our k8s sidecars which can be used for authn+authz on the /progress endpoint; i.e., the fact that you have the token implies that you are the sidecar (or at least that you have access to it), and therefore you have permission to post progress updates for the corresponding job instance.

Describe alternatives you've considered

  • Leave it unauthenticated. Not ideal, but not a huge security hole either.
  • Do full authentication. This might cause progress updates to trigger API rate limiting. Also requires real auth credentials (tokens or tickets) to be available in the sidecar.
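
One way to realize the per-sidecar token proposed in this issue, written as an added example; it is not Cook's code and not part of the original issue. It assumes the token is an HMAC-SHA256 over the instance id under a scheduler-held key, so the endpoint can verify it without storing tokens; `issue_token`, `check_progress_post`, the `X-Progress-Token` header and the sample instance ids are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a random key held only by the scheduler; it is never sent to pods.
SCHEDULER_KEY = secrets.token_bytes(32)
TOKEN_HEADER = "X-Progress-Token"  # hypothetical header name


def issue_token(instance_id: str, key: bytes = SCHEDULER_KEY) -> str:
    """Token the scheduler would inject into one instance's sidecar at launch.

    The MAC is bound to the instance id, so holding the token authorizes
    progress updates for that instance only.
    """
    msg = b"progress-v1:" + instance_id.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_progress_post(instance_id: str, headers: dict,
                        key: bytes = SCHEDULER_KEY) -> int:
    """Return the HTTP status a /progress handler would answer with."""
    presented = headers.get(TOKEN_HEADER)
    if not presented:
        return 401  # no token presented at all
    expected = issue_token(instance_id, key)
    # Constant-time comparison on bytes; bytes also tolerates non-ASCII input.
    ok = hmac.compare_digest(expected.encode(),
                             presented.encode("utf-8", "replace"))
    return 202 if ok else 403  # 403: token is not bound to this instance


# Constructed sample instance ids (not taken from the issue).
INSTANCE_A = "6f1c2f0e-0000-4000-8000-00000000000a"
INSTANCE_B = "6f1c2f0e-0000-4000-8000-00000000000b"

if __name__ == "__main__":
    token_a = issue_token(INSTANCE_A)
    print("own instance:  ", check_progress_post(INSTANCE_A, {TOKEN_HEADER: token_a}))
    print("other instance:", check_progress_post(INSTANCE_B, {TOKEN_HEADER: token_a}))
    print("no token:      ", check_progress_post(INSTANCE_A, {}))
```

Because verification recomputes the MAC, rotating the scheduler key invalidates every outstanding sidecar token at once.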