Article: Authenticating microservices requests in Kubernetes #327
Conversation
src/microsAuthentication/content.md
Outdated
| Now, go back to the previous terminal window with the API service and issue the same request again: | ||
|
|
||
| ```terminal|command=1|title=bash | ||
| curl <insert URL from above> |
There was a problem hiding this comment.
If we don't amend the Service earlier, this should container an example of the output above instead of <>
src/microsAuthentication/content.md
Outdated
| You can issue a request with: | ||
|
|
||
| ```terminal|command=1|title=bash | ||
| curl <insert URL from above> |
There was a problem hiding this comment.
If we don't amend the Service earlier, this should container an example of the output above instead of <>
|
@danielepolencic it looks like you have made most of the changes you were thinking of - I made a few more edits. I am not sure why the article isn't showing up in the preview. |
src/microsAuthentication/content.md
Outdated
| ``` | ||
|
|
||
| In this case, the token you will use to authenticate to the API server as well as verify the status | ||
| of is the same. Thus, the curl command to run in the pod shell session is: |
There was a problem hiding this comment.
Is this sentence necessary? When is the token not the same?
I'm a bit confused since the assumption is that I need only 1 token.
There was a problem hiding this comment.
@danielepolencic Consider the the 2nd demo - where the secret store is going to verify whether the token presented to it via the calling service (API) is legit or not. The secret store uses its own SA token to authenticate itself to the API when it makes a TokenReview request to validate the API token. In that case, the token being verified is different from the token being used to authenticate itself.
There was a problem hiding this comment.
I'm tempted to explain that when we get to it.
It's easier if we make the content progressively more complex than presenting all the complexity upfront.
Thoughts?
src/microsAuthentication/content.md
Outdated
|
|
||
| You can solve the above problems by implementing solutions such as mutual TLS or using a JWT based solution with a central authority server. | ||
|
|
||
| However, in Kubernetes, you can use the service account token volume projection feature to create time-bound and audience-specific service account tokens which do not persist in the cluster store. |
There was a problem hiding this comment.
which do not persist in the cluster store
Not sure what this means. the two features listed do not imply that the data is not stored?
|
|
||
| The Kubernetes API server performs the role of the central authority server and you don't have to worry about any of the internal details of expiring the tokens and more. | ||
|
|
||
| This feature was introduced in Kubernetes 1.12 and gained further improvements in 1.13 and provides a more secure alternative to workload-specific service accounts. |
There was a problem hiding this comment.
Missing link to verify the claim. Official link to the doc would be nice.
|
|
||
| ```go | ||
| result, err := clientset.AuthenticationV1().TokenReviews().Create(ctx, &tr, metav1.CreateOptions{}) | ||
| ``` |
There was a problem hiding this comment.
You broke the code line-by-line.
The idea is good, but I think it could be refactored to provide more context.
Keep the line by line, but should the snippet truncated in full.
Then use highlight in the code snippet to highlight specific parts.
In that way you offer context, but you can explain individual parts.
src/microsAuthentication/content.md
Outdated
| kube-system system:persistent-volume-provisioner 2020-11-20T22:04:53Z | ||
| ``` | ||
|
|
||
| In the following example, you will use the `system:auth-delegator` role which has all the permission you need to call the Token Review API. |
There was a problem hiding this comment.
There's no system:auth-delegator when I list the roles. Not even in the table above. How did you create that?
|
A few general notes:
|
src/microsAuthentication/content.md
Outdated
|
|
||
| You're issueing a request using your own account (cluster admin) and validating the token for a Service account. | ||
|
|
||
| It's easier to explain, and we skip the part where we connect to the API. The same part is skipped in the Go client too (it's part of the SDK). |
There was a problem hiding this comment.
Nice find! I think i see your point here - not showing you to access the API directly.
How about we use kubectl to show the token review operation but use the token for the service token instead via the --token argument?
In addition can we still keep the curl bit?
There was a problem hiding this comment.
Could you show me an example?
There was a problem hiding this comment.
How about we use kubectl to show the token review operation but use the token for the service token instead via the --token argument?
# TODO: Get the token from the secret object
kubectl apply -f t.yaml --token <token from above>
Completely agree with this. So should we just use authentication throughout? |
|
|
@danielepolencic i made a few updates related to authn/authz what do you think? |
danielepolencic
force-pushed
the
micro_authentication
branch
from
4a9fb0d to
42378c6
Compare
Address review comment related to exposing the services from the manifest itself.
amitsaha
force-pushed
the
micro_authentication
branch
from
87f809d to
c187d92
Compare
Preview: https://deploy-preview-327--learnk8s.netlify.app/microservices-authentication-kubernetes