Kubernetes Native Authentication
Kubernetes native authentication defines a flow where the Armada Executor cluster’s in-built token handling is used to authenticate the Executor requesting jobs from the Armada Server.
Authentication Flow
- The Executor requests a temporary Service Account Token from its own cluster’s Kubernetes API using TokenRequest
- The Executor sends this Token to the Server in an Authorization Header.
- The Server decodes the token to read the KID (Kubernetes Key ID).
- The Server swaps for the Callback URL of the executor’s API server. The KID to URL mapping is stored in a prior generated ConfigMap or Secret.
- The Server uses the URL to call the Executor Cluster’s TokenReview endpoint.
- On successful review the Server caches the Token for its lifetime, on unsuccessful review the Token is cached for a configuration defined time.
Setup
Kid-mapping ConfigMap
The Armada Server must have a ConfigMap in its namespace with the following format for entries:
data:
"<CLUSTER_KID>": "<EXECUTOR_CLUSTER_CALLBACK_URL>"
...
This ConfigMap may be mounted anywhere on the Server’s Pod.
Server configuration
Three things need to be configured in the Server Config:
- The location of the KID-mapping config map mounted on the Pod
- The retry timeout for failed Tokens
- The full service account name in the permissionGroupMapping
Example Config:
applicationConfig:
auth:
kubernetesAuth:
kidMappingFileLocation: "/kid-mapping/"
invalidTokenExpiry: 60
permissionGroupMapping:
execute_jobs: ["system:serviceaccount:armada:armada-executor"]
Client Configuration
For the Executor authentication you will need to specify:
- The desired token Expiry
- The Executor’s Namespace and ServiceAccount
Example Config:
applicationConfig:
kubernetesNativeAuth:
expiry: 3600
namespace: "armada"
serviceAccount: "armada-executor"