feat(Grafana): K8s serviceaccount token as authorization .spec.client.useKubeAuth
#2137
Conversation
github-actions
bot
added
documentation
Baarsgaard
force-pushed
the
feat_k8s_serviceaccont_auth
branch
from
c62ac14 to
6f7a946
Compare
Baarsgaard
force-pushed
the
feat_k8s_serviceaccont_auth
branch
from
6f7a946 to
9fc4378
Compare
Baarsgaard
force-pushed
the
feat_k8s_serviceaccont_auth
branch
from
b3fd0ff to
9f29f8f
Compare
Baarsgaard
requested review from
nissessenap,
weisdd,
ishanjainn,
theSuess,
hubeadmin and
pb82
as code owners
|
|
||
| // TODO fetch JWKS from https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/openid/v1/jwks | ||
| // Then verify token using the keys | ||
| err = t.UnsafeClaimsWithoutVerification(&claims) |
There was a problem hiding this comment.
Should we just omit token validation? - Even though it's relatively easy to implement basic token validation (e.g. using NewProvider + Verifier from github.com/coreos/go-oidc/v3/oidc), it's up to Grafana to do the actual token validation / authorization (like with any other Grafana credentials that the operator uses), the role of the operator here is just to fetch the token from the file and pass it to Grafana when making API requests. - It would also simplify the unit test as you would only need to check that the Authorization header is set to the contents of the file. WDYT?
(We can discuss it further during the meeting)
There was a problem hiding this comment.
Oh yeah, I forgot that TODO comment!
We already discussed this in a weekly meeting and agreed to not validate the token aside from reading the expiration!
I will remove that comment/Change it to the reason why we do not validate the token.
And potentially simplify the test!
There was a problem hiding this comment.
Yeah, I think it was @theSuess who suggested that, I just wanted to surface that conversation here as the code was still in place. We'll wait for further updates then :)
There was a problem hiding this comment.
Looking at it again, since the token lifetime is fully configurable, it's probably a good idea to read the expiration but not validate the token: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#launch-a-pod-using-service-account-token-projection
This allows us to dynamically set the cache timeout of the token if someone decides to shorten the lifetime.
The discussion we had last time was verifying the token signature with the JWKS downloaded from the kubernetes API, which we decided was not worth it?
Use the k8s ServiceAccount token projected in at
/var/run/secrets/kubernetes.io/serviceaccount/tokenas authentication to Grafana instances.Users can configure [auth.jwt] to accept K8s ServiceAccounts and assign them roles depending on the name, namespace, etc in the JWT token and entirely disable the default Grafana admin account.
TODO
Maybe as a separate PR so it does not show in the docs until released with
v5.20.0tls_client_caandjwk_set_bearer_token_filegrafana#109095Questions:
useKubeAuthanduseJWTAuthare both a bit vagueWould help a lot for usability as the the full setup can be handled in the
GrafanaCR