Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

K8SSAND-799 ⁃ Add support for service account token authentication to remote clusters #83

Closed
jsanda opened this issue Aug 14, 2021 · 3 comments · Fixed by #89
Closed
Assignees

Comments

@jsanda
Copy link
Contributor

jsanda commented Aug 14, 2021

In #82 I reported authentication issues with GKE. The OAuth token expires every hour and Google Cloud Tools is needed to renew it. We will face similar problems with other cloud providers. An alternative solution that is cloud provider-agnostic is to use service account tokens from the remote clusters. An approach was described in this article.

I propose that we create a script that does the following:

  • Get the service account token from the k8ssandra-operator service account in the remote cluster
  • Get the CA cert from the k8ssandra-operator service account in the remote cluster
  • Create a kubeconfig for the remote cluster
  • Create a kubeconfig secret in the control plane cluster
  • Create a ClientConfig in the control plane cluster. It should reference the secret.

┆Issue is synchronized with this Jira Task by Unito
┆Epic: Multi-Cluster Deployment
┆Fix Versions: k8ssandra-operator-1.0.0-alpha.1
┆Issue Number: K8SSAND-799
┆Priority: Medium

@arianvp
Copy link

arianvp commented Aug 14, 2021

Note that in future Kubernetes versions static service account secrets will probably be phased out in place of ephemeral ones that are auto-renewed. Those service accounts will not have accompanying secrets anymore that don't expire. Instead service account token is made on demand and mounted directly into the pod. (And replaced when it expires)

https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

kubernetes/enhancements#542

I think the plan is to enable this behaviour by default in 1.22.

This would mean you'd still run into expiring credential problems.

@jsanda
Copy link
Contributor Author

jsanda commented Aug 14, 2021

Thanks for the references @arianvp. I need to read through those docs to better understand what is involved.

This would mean you'd still run into expiring credential problems.

As long as I can handle the expiration and renewal via k8s APIs then it should be fine. The expiration problem I ran into required either have gcloud installed in the operator image or making calls to GCP APIs. We would likely have to do something similar for each cloud provider.

@jsanda
Copy link
Contributor Author

jsanda commented Aug 15, 2021

The KEP mentions this about expiration:

A volume plugin implemented in the kubelet will project a service account token sourced from the TokenRequest API into volumes created from ProjectedVolumeSources. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.

It looks like there is a mechanism to handle expiration, but this wouldn't apply to our use case of using the token out of cluster. We will need to sync the tokens, but I don't know that using the k8s api is the best way to do that. If for some reason the token does expire before it can be synced then we might be stuck in a bad state.

@sync-by-unito sync-by-unito bot changed the title Add support for service account token authentication to remote clusters K8SSAND-799 ⁃ Add support for service account token authentication to remote clusters Nov 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants