Expose TokenRequest API for External Clients
Clients that are external to the Kubernetes cluster (e.g., a bot or a user’s laptop) can access the cluster using Kubernetes Service Accounts as their identity. They store a long-lived Service Account token in their environment and use it only to mint short-lived, time- and audience-bound tokens, which they then present to the APIs exposed through the Istio Gateway (e.g., Rok, Kubeflow, etc.). The long-lived token never has to be sent to those APIs.
In this guide you will allow external clients to issue such short-lived tokens by exposing the TokenRequest API of the Kubernetes API server. You will expose this API under the EKF domain, the Serving domain, or both.
Important
This guide does not configure TLS on NGINX. If TLS termination takes place outside the cluster, for example with an ALB on EKS, everything will work. Otherwise you will end up getting a “Kubernetes Ingress Controller Fake Certificate” when using HTTPS to access the API. Since clients send their long-lived Service Account token as a bearer credential to this endpoint, make sure TLS is terminated somewhere on the path before you hand tokens to external clients.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A configured domain for EKF or Serving.
Procedure
Note: If you want to expose the TokenRequest API both for EKF and Serving, run this procedure twice, choosing the right option (EKF or Serving) in each run.
Specify your subdomain. Choose one of the following options based on which domain you are exposing the TokenRequest API under.

EKF: Edit rok/kubernetes-proxy/overlays/deploy/patches/ingress_host.json and specify your subdomain in field value:

    [ { "op": "replace", "path": "/spec/rules/0/host", "value": "arrikto-cluster.apps.example.com" } ]

Serving: Edit rok/kubernetes-proxy-serving/overlays/deploy/patches/ingress_host.json and specify your subdomain in field value:

    [ { "op": "replace", "path": "/spec/rules/0/host", "value": "arrikto-cluster-serving.serving.example.com" } ]

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Kubernetes TokenRequest API under /kubernetes"

Apply the kustomization. Choose one of the following options based on which domain you are exposing the TokenRequest API under.

EKF:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/kubernetes-proxy/overlays/deploy

Serving:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/kubernetes-proxy-serving/overlays/deploy
Important
This exposes only the TokenRequest API (the serviceaccounts/token subresource), not the whole Kubernetes API. Authorization is still enforced by the API server: a client can only mint tokens for Service Accounts it is allowed to create tokens for.
Verify
Specify your subdomain:

    user@workstation:~$ export SUBDOMAIN=<SUBDOMAIN>

Replace <SUBDOMAIN> with your subdomain. For example:

    user@workstation:~$ export SUBDOMAIN=arrikto-cluster.apps.example.com

Verify that you can reach the TokenRequest API under /kubernetes. The expected response to an unauthenticated request is a 403 from the Kubernetes API server, which shows that the request was forwarded and that anonymous clients cannot mint tokens. Any other response means the request did not reach the API server as expected:

    user@workstation:~$ curl https://${SUBDOMAIN?}/kubernetes/api/v1/namespaces/default/serviceaccounts/default/token
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "serviceaccounts \"default\" is forbidden: User \"system:anonymous\" cannot get resource \"serviceaccounts/token\" in API group \"\" in the namespace \"default\"",
      "reason": "Forbidden",
      "details": {
        "name": "default",
        "kind": "serviceaccounts"
      },
      "code": 403
    }
Could not resolve host
ExternalDNS will create records based on your input so there might be a slight delay for the DNS to propagate.
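The following script shows what an external client does with the exposed endpoint once the verification above succeeds: it sends a TokenRequest with an explicit audience and a capped lifetime, and it checks the audience and lifetime of the returned JWT before using it. This is an added example and not Arrikto's or the kubernetes-proxy project's code. It assumes the caller sets SUBDOMAIN (as in the Verify step) and SA_TOKEN (the long-lived Service Account token), that curl, sed and base64 are available, and it uses a hypothetical audience value; the sample token it decodes is constructed inline and unsigned, so the script runs offline. The network call in request_token is defined but not invoked.

```shell
#!/usr/bin/env bash
# Added example, not Arrikto's code. Assumptions (not on the original page):
# SUBDOMAIN and SA_TOKEN are set by the caller; the proxy forwards the path
# below to the API server; curl, sed and base64 are available; the audience
# "istio-ingressgateway.istio-system.svc" is a hypothetical value.
set -eu

# JSON body for a TokenRequest: bind the token to one audience and cap its
# lifetime, so a leaked token is useless elsewhere and expires soon.
tokenrequest_body() {
  local audience=$1 seconds=$2
  printf '{"apiVersion":"authentication.k8s.io/v1","kind":"TokenRequest","spec":{"audiences":["%s"],"expirationSeconds":%d}}' \
    "$audience" "$seconds"
}

# POST the request with the long-lived token and print only the short-lived
# token from the response. Not called below, so the script runs offline.
request_token() {
  local ns=$1 sa=$2 audience=$3 seconds=$4
  curl -sS -X POST \
    -H "Authorization: Bearer ${SA_TOKEN?}" \
    -H 'Content-Type: application/json' \
    --data "$(tokenrequest_body "$audience" "$seconds")" \
    "https://${SUBDOMAIN?}/kubernetes/api/v1/namespaces/${ns}/serviceaccounts/${sa}/token" \
    | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'
}

# base64url helpers for JWT segments (unpadded, '-' and '_' for '+' and '/').
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Claims (payload) of a JWT: the second dot-separated segment.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Lifetime in seconds (exp - iat) and an audience check, so the client can
# refuse a token that is not what it asked for before presenting it anywhere.
jwt_lifetime() {
  local p exp iat
  p=$(jwt_payload "$1")
  exp=$(printf '%s' "$p" | sed -n 's/.*"exp": *\([0-9]*\).*/\1/p')
  iat=$(printf '%s' "$p" | sed -n 's/.*"iat": *\([0-9]*\).*/\1/p')
  echo $(( exp - iat ))
}
jwt_has_audience() { jwt_payload "$1" | grep -q "\"aud\":\[[^]]*\"$2\""; }

# Constructed sample token (unsigned, illustration only) in the shape the API
# server returns for namespace default, service account default.
SAMPLE_PAYLOAD='{"aud":["istio-ingressgateway.istio-system.svc"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:default:default"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"example"}').$(b64url_encode "$SAMPLE_PAYLOAD").sig"

tokenrequest_body istio-ingressgateway.istio-system.svc 3600
echo
echo "lifetime: $(jwt_lifetime "$SAMPLE_TOKEN")s"
jwt_has_audience "$SAMPLE_TOKEN" istio-ingressgateway.istio-system.svc && echo "audience ok"
```

To use it against a real deployment, export SUBDOMAIN and SA_TOKEN and call request_token default default <audience> 3600; the only credential that leaves the machine afterwards is the short-lived token, and the check functions let the client fail closed if the API server returns a token with a different audience or a longer lifetime than requested.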
What’s Next
Check out the rest of the maintenance operations that you can perform on your cluster.