feat: add bound service account token e2e image #186

Merged
merged 1 commit into from
Dec 15, 2024

Conversation

maxcao13
Contributor

@maxcao13 maxcao13 commented Dec 11, 2024

This is an e2e image that is needed for a new e2e test for the new BoundServiceAccountToken trigger auth source in kedacore/keda#6272.

The server needs to be run in a k8s environment. Here's an example:

Assuming the image is built as `repo.io/bsat:tag`:

1. `kubectl create ns bsat`
2. Then apply this:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: server
  name: server
  namespace: bsat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: server
  template:
    metadata:
      labels:
        app: server
        type: keda-testing
    spec:
      containers:
      - name: k8s-protected-metrics-api
        image: repo.io/bsat:tag
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
---
apiVersion: v1
kind: Service
metadata:
  name: server
  namespace: bsat
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: server
```

3. Port-forward the service: `kubectl port-forward -n bsat deployments/server 8080:8080`
4. Try curling the value at the `/api/value` endpoint:

```console
$ curl localhost:8080/api/value
Unauthorized
```

5. We need a k8s service account token that is able to access the endpoint. So first let's create a service account, and a cluster role, and a cluster role binding that is able to get the `/api/value` resource.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bsat-sa
rules:
- nonResourceURLs:
  - /api/value
  verbs:
  - get
```

6. Create a service account token using a service account bound to that cluster role:

```shell
# assumes the ServiceAccount is named bsat-sa and lives in namespace bsat
TOKEN=$(kubectl create token bsat-sa -n bsat)
```

7. curl again with the token:

```console
$ curl localhost:8080/api/value -H "Authorization: Bearer $TOKEN"
```

We should be authenticated and authorized to get the value now. Note that the cluster role RBAC enforced is completely arbitrary. The example is only to illustrate that the server itself delegates auth decisions to the k8s auth API server and thus requires a valid, permissive token to access this endpoint.

In the e2e test, we would be using the boundServiceAccountToken trigger auth source to authenticate instead.

Checklist

  • Commits are signed with Developer Certificate of Origin (DCO)
  • [-] A PR is opened to update the documentation on our docs repo

Fixes #
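The delegation described in the PR (the server hands the bearer token to the Kubernetes API server and enforces its answer), as an added example that is not part of this PR or of the e2e image: a decision function that runs a TokenReview and then a SubjectAccessReview on the nonResourceURL, with an injected `post` callable and a constructed fake API server so it runs offline. The review endpoints are the real Kubernetes ones, but the assumption that the image uses TokenReview/SubjectAccessReview (and would need the `system:auth-delegator` ClusterRole to call them) is mine, not stated in the PR.

```python
from typing import Callable, Optional

# Review endpoints of the Kubernetes API server (real paths). The assumption here is
# that the image delegates to them instead of validating tokens locally.
TOKEN_REVIEW = "/apis/authentication.k8s.io/v1/tokenreviews"
SUBJECT_ACCESS_REVIEW = "/apis/authorization.k8s.io/v1/subjectaccessreviews"

def decide(auth_header: Optional[str], path: str, verb: str,
           post: Callable[[str, dict], dict], audience: Optional[str] = None) -> int:
    """Return the HTTP status the protected endpoint should answer with.

    `post(api_path, body)` is the authenticated POST to the API server (injected so
    the logic runs offline). Bound tokens carry audiences: passing `audience` makes
    the API server reject tokens minted for a different audience; note the PR's
    `kubectl create token` without --audience yields the API server's own audience.
    """
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401                      # no credential at all -> Unauthorized
    spec = {"token": auth_header[len("Bearer "):].strip()}
    if audience:
        spec["audiences"] = [audience]
    review = post(TOKEN_REVIEW, {"apiVersion": "authentication.k8s.io/v1",
                                 "kind": "TokenReview", "spec": spec})
    status = review.get("status", {})
    if not status.get("authenticated") or "user" not in status:
        return 401                      # invalid, expired or wrong-audience token
    user = status["user"]
    sar = post(SUBJECT_ACCESS_REVIEW, {
        "apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
        "spec": {"user": user["username"], "groups": user.get("groups", []),
                 "nonResourceAttributes": {"path": path, "verb": verb}}})
    return 200 if sar.get("status", {}).get("allowed") else 403  # RBAC denies -> Forbidden

# Constructed stand-in for the API server: one known token and one rule mirroring
# the PR's ClusterRole (verb `get` on the non-resource URL /api/value).
_TOKENS = {"good-token": {"username": "system:serviceaccount:bsat:bsat-sa",
                          "groups": ["system:serviceaccounts"]}}
_RULES = {("system:serviceaccount:bsat:bsat-sa", "/api/value", "get")}

def fake_post(api_path: str, body: dict) -> dict:
    if api_path == TOKEN_REVIEW:
        user = _TOKENS.get(body["spec"]["token"])
        return {"status": {"authenticated": True, "user": user}} if user else {"status": {"authenticated": False}}
    attrs = body["spec"]["nonResourceAttributes"]
    return {"status": {"allowed": (body["spec"]["user"], attrs["path"], attrs["verb"]) in _RULES}}

if __name__ == "__main__":
    print(decide(None, "/api/value", "get", fake_post))                 # 401, like the bare curl
    print(decide("Bearer good-token", "/api/value", "get", fake_post))  # 200
```

In the real image `post` would carry the pod's own service account token and the API server CA; the fake ignores `audience`, so the audience check is only exercised against a live cluster.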

@JorTurFer JorTurFer merged commit 0062644 into kedacore:main Dec 15, 2024
3 of 5 checks passed
@maxcao13 maxcao13 deleted the bsat branch December 16, 2024 15:41