Configure AuthService to Use Specific Authentication Methods
This guide gives you the context you need to configure AuthService to use the authentication methods that fit your preferences and needs.
AuthService attempts to authenticate an incoming request with one of the available authenticators in the following order:
- Kubernetes authenticator: authenticates clients with their Kubernetes Service Accounts. This authenticator communicates with the Kubernetes API server to validate the client request and retrieve the respective information.
- JWT access token authenticator: authenticates the client locally, based on the JWT access token that the external Identity Provider granted to the client. If the key that signed the JWT access token exists in the JSON Web Key Set (JWKS), this authenticator validates the client request without communicating with the external Identity Provider.
- Session authenticator: authenticates the client based on their cookie. If a session for this client exists, this authenticator validates the client request locally.
- ID token authenticator: authenticates the client locally, based on the ID token that the external Identity Provider granted to the client. If the key that signed the ID token exists in the JSON Web Key Set (JWKS), this authenticator validates the client request without communicating with the external Identity Provider.
Note
AuthService comes with all the above authentication methods enabled by default.
Important
You cannot disable the session authenticator. This authenticator is essential so that you can log in to Kubeflow.
In the following sections you can learn how to enable or disable each authentication method. Configuring AuthService to use only the necessary authentication methods can significantly reduce the authentication overhead.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster running services.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

Set the appropriate environment variable in the configuration file. Choose one of the following options based on the authentication method you want to configure.
Choose one of the following options based on whether you want to disable or enable the Kubernetes authentication method.

To disable the Kubernetes authenticator, edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

    KUBERNETES_AUTHN_ENABLED=false

Important
Ensure that KUBERNETES_AUTHN_ENABLED appears only once in this file.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "authservice: Disable the Kubernetes authenticator"

To enable the Kubernetes authenticator, edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

    KUBERNETES_AUTHN_ENABLED=true

Important
Ensure that KUBERNETES_AUTHN_ENABLED appears only once in this file.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "authservice: Enable the Kubernetes authenticator"
Choose one of the following options based on whether you want to disable or enable the JWT authentication method.

To disable the JWT access token authenticator, edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

    JWT_AUTHN_ENABLED=false

Important
Ensure that JWT_AUTHN_ENABLED appears only once in this file.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "authservice: Disable the JWT access token authenticator"

To enable the JWT access token authenticator, edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

    JWT_AUTHN_ENABLED=true

Important
Ensure that JWT_AUTHN_ENABLED appears only once in this file.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "authservice: Enable the JWT access token authenticator"
Choose one of the following options based on whether you want to disable or enable the ID token authentication method.

To disable the ID token authenticator, edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

    IDTOKEN_AUTHN_ENABLED=false

Important
Ensure that IDTOKEN_AUTHN_ENABLED appears only once in this file.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "authservice: Disable the ID token authenticator"

To enable the ID token authenticator, edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

    IDTOKEN_AUTHN_ENABLED=true

Important
Ensure that IDTOKEN_AUTHN_ENABLED appears only once in this file.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    >     "authservice: Enable the ID token authenticator"
Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     kubeflow/manifests/common/oidc-authservice/overlays/deploy

Restart the authservice Pod manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
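
The requirement in the procedure above that each variable appears only once in authenticators.env can be checked before you commit. The following is an added example, not part of the original guide or of Arrikto's tooling: a POSIX shell function, hypothetically named check_authenticators_env, that flags duplicated keys. Rejecting any value other than true or false is an assumption based on the values this page shows.

```shell
#!/bin/sh
# Added example: lint authenticators.env before committing it.
# The three keys are the ones documented on this page. Accepting only
# "true" and "false" is an assumption based on the values the page shows.
AUTHN_KEYS="KUBERNETES_AUTHN_ENABLED JWT_AUTHN_ENABLED IDTOKEN_AUTHN_ENABLED"

# check_authenticators_env FILE
# Prints one line per problem to stderr. Returns 0 if the file is clean,
# 1 if a key is set more than once or has an unexpected value,
# 2 if the file cannot be read.
check_authenticators_env() {
    env_file=$1
    if [ ! -r "$env_file" ]; then
        echo "cannot read $env_file" >&2
        return 2
    fi
    status=0
    for key in $AUTHN_KEYS; do
        # Count assignments of this key (commented-out lines do not match).
        # grep -c exits non-zero on a count of 0, hence the "|| true".
        count=$(grep -c -E "^[[:space:]]*${key}[[:space:]]*=" "$env_file" || true)
        if [ "$count" -gt 1 ]; then
            echo "$env_file: $key is set $count times, expected once" >&2
            status=1
        fi
        # Count assignments of this key whose value is not true or false.
        bad=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$env_file" |
              grep -c -v -E "=[[:space:]]*(true|false)[[:space:]]*$" || true)
        if [ "$bad" -gt 0 ]; then
            echo "$env_file: $key has a value other than true or false" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage, from ~/ops/deployments, before running git commit:
#   check_authenticators_env \
#       kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env
```

A key that is absent from the file is not reported, since the page states that all authenticators are enabled by default.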
Verify
Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s

Ensure that the new authservice Pod includes the configurations you have applied:

If you disabled the Kubernetes authenticator:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.KUBERNETES_AUTHN_ENABLED'
    false

If you enabled the Kubernetes authenticator:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.KUBERNETES_AUTHN_ENABLED'
    true

If you disabled the JWT access token authenticator:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.JWT_AUTHN_ENABLED'
    false

If you enabled the JWT access token authenticator:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.JWT_AUTHN_ENABLED'
    true

If you disabled the ID token authenticator:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.IDTOKEN_AUTHN_ENABLED'
    false

If you enabled the ID token authenticator:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.IDTOKEN_AUTHN_ENABLED'
    true
Summary
You have successfully configured the AuthService authentication methods of your preference.
What’s Next
Check out the rest of the authentication management documentation.