You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pulsar.apache.org by "michaeljmarshall (via GitHub)" <gi...@apache.org> on 2023/05/09 19:11:20 UTC

[GitHub] [pulsar-site] michaeljmarshall opened a new pull request, #570: Add documentation for KubernetesServiceAccountTokenAuthProvider

michaeljmarshall opened a new pull request, #570:
URL: https://github.com/apache/pulsar-site/pull/570

   ### Documentation
   
   - [x] `doc`
   
   This PR adds docs for https://github.com/apache/pulsar/pull/19888.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar-site] michaeljmarshall commented on pull request #570: Add documentation for KubernetesServiceAccountTokenAuthProvider

Posted by "michaeljmarshall (via GitHub)" <gi...@apache.org>.

michaeljmarshall commented on PR #570:
URL: https://github.com/apache/pulsar-site/pull/570#issuecomment-1546354146

   Thanks for your review @Anonymitaet. Yes, I rendered the changes locally to make sure they look right.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar-site] Anonymitaet commented on a diff in pull request #570: Add documentation for KubernetesServiceAccountTokenAuthProvider

Posted by "Anonymitaet (via GitHub)" <gi...@apache.org>.

Anonymitaet commented on code in PR #570:
URL: https://github.com/apache/pulsar-site/pull/570#discussion_r1189242545


##########
docs/functions-runtime-kubernetes.md:
##########
@@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need
 
 :::
 
+### Enable Kubernetes Service Account Token Projection for Function Pod Authentication
+
+The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function.
+
+:::note
+This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md).

Review Comment:
   ```suggestion
   
   This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md).
   
   ```



##########
docs/functions-runtime-kubernetes.md:
##########
@@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need
 
 :::
 
+### Enable Kubernetes Service Account Token Projection for Function Pod Authentication

Review Comment:
   ```suggestion
   ### Enable Kubernetes service account token projection for function pod authentication
   ```



##########
docs/functions-runtime-kubernetes.md:
##########
@@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need
 
 :::
 
+### Enable Kubernetes Service Account Token Projection for Function Pod Authentication
+
+The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function.
+
+:::note
+This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md).

Review Comment:
   ```suggestion
   
   This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md).
   
   ```



##########
docs/functions-runtime-kubernetes.md:
##########
@@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need
 
 :::
 
+### Enable Kubernetes Service Account Token Projection for Function Pod Authentication
+
+The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function.

Review Comment:
   ```suggestion
   The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function.
   ```



##########
docs/functions-runtime-kubernetes.md:
##########
@@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need
 
 :::
 
+### Enable Kubernetes Service Account Token Projection for Function Pod Authentication
+
+The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function.
+
+:::note
+This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md).
+:::
+
+Here is an example configuration for the function worker to utilize this feature:
+
+```yaml
+functionAuthProviderClassName: "org.apache.pulsar.functions.auth.KubernetesServiceAccountTokenAuthProvider"
+kubernetesContainerFactory:
+  kubernetesFunctionAuthProviderConfig:
+    # Required
+    serviceAccountTokenExpirationSeconds: "600"
+    serviceAccountTokenAudience: "the-required-audience"
+    # Optional
+    brokerClientTrustCertsSecretName: "my-secret-pulsar-broker-client-trust-certs"
+```
+
+The function pod deploys with the default Kubernetes Service Account for the target namespace. Because the service account name maps to the `sub` claim on the JWT projected into the pod's filesystem, all pods with the same service account will have the same permission within Pulsar. There is ongoing work to improve this integration.

Review Comment:
   ```suggestion
   The function pod deploys with the default Kubernetes Service Account for the target namespace. Because the service account name maps to the `sub` claim on the JWT projected into the pod's filesystem, all pods with the same service account will have the same permission within Pulsar. There is ongoing work to improve this integration.
   ```
   
   Is Kubernetes Service Account a proper noun?



##########
docs/functions-runtime-kubernetes.md:
##########
@@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need
 
 :::
 
+### Enable Kubernetes Service Account Token Projection for Function Pod Authentication
+
+The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function.
+
+:::note
+This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md).
+:::
+
+Here is an example configuration for the function worker to utilize this feature:
+
+```yaml
+functionAuthProviderClassName: "org.apache.pulsar.functions.auth.KubernetesServiceAccountTokenAuthProvider"
+kubernetesContainerFactory:
+  kubernetesFunctionAuthProviderConfig:
+    # Required
+    serviceAccountTokenExpirationSeconds: "600"
+    serviceAccountTokenAudience: "the-required-audience"
+    # Optional
+    brokerClientTrustCertsSecretName: "my-secret-pulsar-broker-client-trust-certs"
+```
+
+The function pod deploys with the default Kubernetes Service Account for the target namespace. Because the service account name maps to the `sub` claim on the JWT projected into the pod's filesystem, all pods with the same service account will have the same permission within Pulsar. There is ongoing work to improve this integration.
+
+Here is a sample JWT generated by this feature running in EKS (with some information redacted):
+
+```json
+{
+  "aud": [
+    "your-audience"
+  ],
+  "exp": 1710969822,
+  "iat": 1679433822,
+  "iss": "https://oidc.eks.us-east-2.amazonaws.com/id/some-id",
+  "kubernetes.io": {
+    "namespace": "pulsar-function",
+    "pod": {
+      "name": "function-pod-0",
+      "uid": "fbac8f9e-a47d-4ad7-a8f0-cc9a65d1331c"
+    },
+    "serviceaccount": {
+      "name": "default",
+      "uid": "5964f9d3-3dce-467c-8dbe-d0f463063d7a"
+    },
+    "warnafter": 1679437429
+  },
+  "nbf": 1679433822,
+  "sub": "system:serviceaccount:pulsar-function:default"
+}
+```
+
+In order to grant permission to this function pod, you will grant permissions to the role claim, which is the `sub` claim by default, `system:serviceaccount:pulsar-function:default`.

Review Comment:
   ```suggestion
   To grant permission to this function pod, you need to grant permissions to the role claim, which is the `sub` claim by default, `system:serviceaccount:pulsar-function:default`.
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar-site] michaeljmarshall merged pull request #570: Add documentation for KubernetesServiceAccountTokenAuthProvider

Posted by "michaeljmarshall (via GitHub)" <gi...@apache.org>.

michaeljmarshall merged PR #570:
URL: https://github.com/apache/pulsar-site/pull/570


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org