michaeljmarshall commented on issue #19771: URL: https://github.com/apache/pulsar/issues/19771#issuecomment-1463368797
@EronWright - great suggestions, thank you for sharing! I was actually just looking into the k8s service accounts feature earlier today, and I completely agree that we should add support to make the function pods easily integrate with them. It seems like a great way to make it easier to leverage OIDC without needing to run your Authorization Server.

One reason I chose not to reference the k8s service account feature in this proposal is because these docs (https://kubernetes.io/docs/concepts/security/service-accounts/#authenticating-in-code) indicate that it is recommended to use the TokenReview API (https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) instead of OIDC because the TokenReview API prevents the usage of tokens generated for pods that are terminated. That being said, relying on the TokenReview API seems like it would introduce latency and could couple the broker to the API Server in an unnecessary way. A short time to live could also limit how useful a token is after a pod terminates.

Another option could be to use the TokenReview API and then to fall back to the OIDC Authentication Provider to allow for better availability in the event of network connectivity issues when connecting to the api server. What do you think?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]

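The "TokenReview first, OIDC as fallback" scheme discussed in the comment above, as an added example that is not part of the issue thread or of Pulsar's code. It shows the one decision that matters for the terminated-pod concern: the broker falls back to local OIDC validation only when the API server is unreachable, never when TokenReview has answered `authenticated: false`. The TokenReview client, the HS256 signing key and the service-account token claims are constructed for the demo (real Kubernetes service-account tokens are RS256 tokens verified against the cluster's OIDC discovery/JWKS endpoints, and the response shape follows the TokenReview v1 `status` fields); `ApiServerUnavailable`, `authenticate` and `oidc_validate` are names chosen here, not Pulsar APIs.

```python
"""Added example: TokenReview-first authentication with an OIDC fallback that
applies only when the Kubernetes API server cannot be reached."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional


class ApiServerUnavailable(Exception):
    """Raised by the TokenReview client on connectivity failure (constructed)."""


@dataclass
class Principal:
    username: str
    source: str  # "token_review" or "oidc_fallback", for audit logging


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 JWT for the demo (real SA tokens are RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def oidc_validate(token: str, key: bytes, expected_iss: str, expected_aud: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Local OIDC-style validation: signature, issuer, audience, expiry.
    Returns the subject on success, None on any failure. This path cannot
    know whether the pod still exists; only the TTL bounds that window."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authenticate(token: str,
                 token_review: Callable[[str], dict],
                 oidc_fallback: Callable[[str], Optional[str]]) -> Optional[Principal]:
    """Ask the API server first. Fall back to OIDC only on unavailability;
    a definitive 'authenticated: false' (e.g. the pod was terminated) is final."""
    try:
        review = token_review(token)
    except ApiServerUnavailable:
        sub = oidc_fallback(token)
        return Principal(sub, "oidc_fallback") if sub else None
    status = review.get("status", {})
    if status.get("authenticated"):
        return Principal(status["user"]["username"], "token_review")
    return None


# --- constructed demo inputs -------------------------------------------------
KEY = b"constructed-demo-key"                        # constructed, not a real key
ISS = "https://kubernetes.default.svc.cluster.local"  # constructed issuer value
AUD = "pulsar-broker"                                 # constructed audience
NOW = 1_700_000_000
SA = "system:serviceaccount:pulsar:fn-a"
LIVE_TOKEN = make_hs256_jwt({"iss": ISS, "aud": AUD, "sub": SA, "exp": NOW + 600}, KEY)
EXPIRED_TOKEN = make_hs256_jwt({"iss": ISS, "aud": AUD, "sub": SA, "exp": NOW - 1}, KEY)


def review_accepts(token: str) -> dict:          # TokenReview v1 status shape
    return {"status": {"authenticated": True, "user": {"username": SA}}}


def review_rejects(token: str) -> dict:          # e.g. token of a terminated pod
    return {"status": {"authenticated": False, "error": "token is not valid (constructed)"}}


def review_unavailable(token: str) -> dict:
    raise ApiServerUnavailable("api server unreachable (constructed)")


def fallback(token: str) -> Optional[str]:
    return oidc_validate(token, KEY, ISS, AUD, now=NOW)


def demo() -> dict:
    return {
        "review_ok": authenticate(LIVE_TOKEN, review_accepts, fallback),
        "terminated_pod": authenticate(LIVE_TOKEN, review_rejects, fallback),
        "fallback_live": authenticate(LIVE_TOKEN, review_unavailable, fallback),
        "fallback_expired": authenticate(EXPIRED_TOKEN, review_unavailable, fallback),
        "fallback_tampered": authenticate(LIVE_TOKEN[:-4] + "AAAA", review_unavailable, fallback),
    }


if __name__ == "__main__":
    for case, principal in demo().items():
        print(f"{case:18} -> {principal}")
```

Recording `Principal.source` matters operationally: any authentication that succeeded through the fallback happened without the API server's liveness check, so those events are the ones to alert on if they cluster around an API-server outage.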