feat: support BoundServiceAccountToken triggerAuth provider
#701
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maxcao13
force-pushed
the
bound-service-account-token
branch
from
9a06a5d to
923b1d2
Compare
JorTurFer
reviewed
Jan 22, 2025
Member
JorTurFer
left a comment
JorTurFer
left a comment
There was a problem hiding this comment.
As default, KEDA doesn't have permission in the RBAC to create these tokens (and not granting it as default is worth IMHO), but maybe we could add an option to include the required permissions if users enable them (requiring explicit activation to include the required extra RBAC)
7 tasks
maxcao13
force-pushed
the
bound-service-account-token
branch
from
923b1d2 to
bac167e
Compare
Contributor
Author
|
Added a helm value of I'm sort of new to writing helm charts, so please let me know if a restructure or renaming is needed here. |
zroubalik
reviewed
Feb 6, 2025
joelsmith
reviewed
Feb 11, 2025
maxcao13
force-pushed
the
bound-service-account-token
branch
from
bac167e to
3fe5b3c
Compare
maxcao13
changed the title
BoundServiceAccountToken triggerAuth providerBoundServiceAccountToken triggerAuth provider
JorTurFer
reviewed
Feb 13, 2025
Signed-off-by: Max Cao <[email protected]>
maxcao13
force-pushed
the
bound-service-account-token
branch
from
3fe5b3c to
dcb6d97
Compare
Contributor
Author
|
If people want to test this, I created this yaml file and applied it to my kind cluster (it pretty much follows the bound-service-account-e2e test I wrote in the main repo). If you don't want to do all that, you can just add an item to the # values.yaml
permissions:
operator:
restrict:
serviceAccountTokenCreationRoles:
- name: mysa
namespace: default$ kubectl create sa mysa -n default
serviceaccount/mysa created
$ kubectl auth can-i create serviceaccount/mysa --subresource=token --as system:serviceaccount:keda:keda-operator -n default
yesIf you want to test the bound service account token feature as a whole with helm:
apiVersion: v1
kind: Namespace
metadata:
name: myproject
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mysa
namespace: myproject
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
name: bound-trigger
namespace: myproject
spec:
boundServiceAccountToken:
- parameter: token
serviceAccountName: mysa
---
### metrics api-like scale resource
apiVersion: apps/v1
kind: Deployment
metadata:
name: bound-metrics-server
namespace: myproject
labels:
app: bound-metrics-server
spec:
replicas: 1
selector:
matchLabels:
app: bound-metrics-server
template:
metadata:
labels:
app: bound-metrics-server
spec:
containers:
- name: metrics
image: ghcr.io/kedacore/tests-bound-service-account-token:latest
ports:
- containerPort: 8080
imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: bound-metrics-server
namespace: myproject
spec:
selector:
app: bound-metrics-server
ports:
- port: 8080
targetPort: 8080
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: myboundscaledobject
namespace: myproject
labels:
app: bound-mydeploy
spec:
scaleTargetRef:
name: bound-mydeploy
minReplicaCount: 3
maxReplicaCount: 20
cooldownPeriod: 1
fallback:
failureThreshold: 3
replicas: 0
triggers:
- type: metrics-api
metadata:
targetValue: "5"
activationTargetValue: "20"
url: "http://bound-metrics-server.myproject.svc.cluster.local:8080/api/value"
valueLocation: 'value'
authMode: "bearer"
authenticationRef:
name: bound-trigger
---
### deployment we are scaling
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: bound-mydeploy
name: bound-mydeploy
namespace: myproject
spec:
selector:
matchLabels:
app: bound-mydeploy
replicas: 0
template:
metadata:
labels:
app: bound-mydeploy
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
---
### Note that these are the rbacs required for the mysa service account to authenticate with the bound-metrics-server container api
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: bound-metrics-server
rules:
- nonResourceURLs:
- /api/value
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: bound-metrics-server
subjects:
- kind: ServiceAccount
name: mysa
namespace: myproject
roleRef:
kind: ClusterRole
name: bound-metrics-server
apiGroup: rbac.authorization.k8s.io
---
### This is the rbac required for the metrics-deployment to be able to request token reviews and subject access reviews
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: token-review-and-subject-access-review-role
rules:
- apiGroups:
- "authentication.k8s.io"
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: token-review-and-subject-access-review-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: token-review-and-subject-access-review-role
subjects:
- kind: ServiceAccount
name: default
namespace: myproject
and upgraded the chart.
$ oc get deploy -n myproject
NAME READY UP-TO-DATE AVAILABLE AGE
bound-metrics-server 1/1 1 1 55m
bound-mydeploy 3/3 3 3 55mNote that, I also had to change the helm keda images to point to |
maxcao13
force-pushed
the
bound-service-account-token
branch
from
dcb6d97 to
e99ad04
Compare
The array allows users to supply KEDA with the names and namespaces of service accounts that they would like the keda-operator to request tokens from. These service account tokens are then used in turn for the boundServiceAccountToken trigger source. Signed-off-by: Max Cao <[email protected]>
maxcao13
force-pushed
the
bound-service-account-token
branch
from
e99ad04 to
af77d3c
Compare
JorTurFer
approved these changes
Mar 3, 2025
Member
There was a problem hiding this comment.
Nice change to limit the scope of the permission, thanks a lot for the effort!
The only additions that I'd add are:
- The option to not set the service account name and just the namespace, in case of cluster admins want to allow to assume tokens of any SA in a given namespace
- another field to enable the permission at cluster level if users explicitly set it as desired (for example,
allowAllServiceAccountTokenCreationto register a cluster role instead of role by role)
Said this, the current approach is nice and we can update it in future PRs if there is demand for these things
zroubalik
approved these changes
Mar 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updates CRDs to support
BoundServiceAccountTokentrigger auth provider/source. Also adds a helm value of type array calledserviceAccountTokenCreationRoleswhich allows you to add objects ofnameandnamespacecorresponding to service accounts in the cluster that you'd like thekeda-operatorto be able to request service account tokens from.Checklist
Related to kedacore/keda#6272