Anonymitaet commented on code in PR #570: URL: https://github.com/apache/pulsar-site/pull/570#discussion_r1189242545
########## docs/functions-runtime-kubernetes.md: ########## @@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need ::: +### Enable Kubernetes Service Account Token Projection for Function Pod Authentication + +The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function. + +:::note +This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md). Review Comment: ```suggestion This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md). ``` ########## docs/functions-runtime-kubernetes.md: ########## @@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need ::: +### Enable Kubernetes Service Account Token Projection for Function Pod Authentication Review Comment: ```suggestion ### Enable Kubernetes service account token projection for function pod authentication ``` ########## docs/functions-runtime-kubernetes.md: ########## @@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need ::: +### Enable Kubernetes Service Account Token Projection for Function Pod Authentication + +The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function. + +:::note +This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md). Review Comment: ```suggestion This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md). ``` ########## docs/functions-runtime-kubernetes.md: ########## @@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need ::: +### Enable Kubernetes Service Account Token Projection for Function Pod Authentication + +The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function. Review Comment: ```suggestion The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function. ``` ########## docs/functions-runtime-kubernetes.md: ########## @@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need ::: +### Enable Kubernetes Service Account Token Projection for Function Pod Authentication + +The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function. + +:::note +This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md). +::: + +Here is an example configuration for the function worker to utilize this feature: + +```yaml +functionAuthProviderClassName: "org.apache.pulsar.functions.auth.KubernetesServiceAccountTokenAuthProvider" +kubernetesContainerFactory: + kubernetesFunctionAuthProviderConfig: + # Required + serviceAccountTokenExpirationSeconds: "600" + serviceAccountTokenAudience: "the-required-audience" + # Optional + brokerClientTrustCertsSecretName: "my-secret-pulsar-broker-client-trust-certs" +``` + +The function pod deploys with the default Kubernetes Service Account for the target namespace. Because the service account name maps to the `sub` claim on the JWT projected into the pod's filesystem, all pods with the same service account will have the same permission within Pulsar. There is ongoing work to improve this integration. Review Comment: ```suggestion The function pod deploys with the default Kubernetes Service Account for the target namespace. Because the service account name maps to the `sub` claim on the JWT projected into the pod's filesystem, all pods with the same service account will have the same permission within Pulsar. There is ongoing work to improve this integration. ``` Is Kubernetes Service Account a proper noun? ########## docs/functions-runtime-kubernetes.md: ########## @@ -65,6 +65,58 @@ If the token you use to deploy the function has an expiration date, you may need ::: +### Enable Kubernetes Service Account Token Projection for Function Pod Authentication + +The `KubernetesServiceAccountTokenAuthProvider` uses [Service Account Token Volume Projections](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) to mount a token into the function's pod. The function worker and broker can verify this token using OpenID Connect. The primary benefit of this integration is that tokens have a short time to live, are managed by Kubernetes, and do not inherit the permission used to create the function. + +:::note +This feature requires that the broker and the function worker are configured to use the `AuthenticationProviderOpenID`. Documentation to enable this provider can be found [here](security-openid-connect.md). +::: + +Here is an example configuration for the function worker to utilize this feature: + +```yaml +functionAuthProviderClassName: "org.apache.pulsar.functions.auth.KubernetesServiceAccountTokenAuthProvider" +kubernetesContainerFactory: + kubernetesFunctionAuthProviderConfig: + # Required + serviceAccountTokenExpirationSeconds: "600" + serviceAccountTokenAudience: "the-required-audience" + # Optional + brokerClientTrustCertsSecretName: "my-secret-pulsar-broker-client-trust-certs" +``` + +The function pod deploys with the default Kubernetes Service Account for the target namespace. Because the service account name maps to the `sub` claim on the JWT projected into the pod's filesystem, all pods with the same service account will have the same permission within Pulsar. There is ongoing work to improve this integration. + +Here is a sample JWT generated by this feature running in EKS (with some information redacted): + +```json +{ + "aud": [ + "your-audience" + ], + "exp": 1710969822, + "iat": 1679433822, + "iss": "https://oidc.eks.us-east-2.amazonaws.com/id/some-id";, + "kubernetes.io": { + "namespace": "pulsar-function", + "pod": { + "name": "function-pod-0", + "uid": "fbac8f9e-a47d-4ad7-a8f0-cc9a65d1331c" + }, + "serviceaccount": { + "name": "default", + "uid": "5964f9d3-3dce-467c-8dbe-d0f463063d7a" + }, + "warnafter": 1679437429 + }, + "nbf": 1679433822, + "sub": "system:serviceaccount:pulsar-function:default" +} +``` + +In order to grant permission to this function pod, you will grant permissions to the role claim, which is the `sub` claim by default, `system:serviceaccount:pulsar-function:default`. Review Comment: ```suggestion To grant permission to this function pod, you need to grant permissions to the role claim, which is the `sub` claim by default, `system:serviceaccount:pulsar-function:default`. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
