Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: support BoundServiceAccountToken triggerAuth provider #701

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: support BoundServiceAccountToken triggerAuth provider #701

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d06840b
Update CRDs for BoundServiceAccountToken triggerAuth source
maxcao13 Nov 6, 2024
3fe5b3c
Allow keda to request SA tokens
maxcao13 Feb 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions keda/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,7 @@ their default values.
| `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). |
| `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) |
| `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. the default is an empty array -> no restriction on the secret name |
| `permissions.operator.restrict.saTokens` | bool | `true` | Restrict Service Account Token Creation Access for KEDA operator |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I liked the previous approach, creating a RBAC permission service account by service account within a range. Just using a flag is quite open taking into account that these permissions allow to act in behalf of other service accounts, escalating privileges in the cluster. Using the range is aligned with the approach that we took for custom resources, where you can specify them one by one if you want (being more restrictive in this case and requiring to grant one by one)
Personally I prefer the range approach, but maybe @zroubalik or @wozniakjan have other opinion here

| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace |
| `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator |
| `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] |
Expand Down
12 changes: 12 additions & 0 deletions keda/templates/crds/crd-clustertriggerauthentications.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,18 @@ spec:
- secrets
- vaultUri
type: object
boundServiceAccountToken:
items:
properties:
parameter:
type: string
serviceAccountName:
type: string
required:
- parameter
- serviceAccountName
type: object
type: array
configMapTargetRef:
items:
description: AuthConfigMapTargetRef is used to authenticate using
Expand Down
15 changes: 15 additions & 0 deletions keda/templates/crds/crd-triggerauthentications.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,21 @@ spec:
- secrets
- vaultUri
type: object
boundServiceAccountToken:
items:
properties:
expiry:
type: string
parameter:
type: string
serviceAccountName:
type: string
required:
- expiry
- parameter
- serviceAccountName
type: object
type: array
configMapTargetRef:
items:
description: AuthConfigMapTargetRef is used to authenticate using
Expand Down
8 changes: 8 additions & 0 deletions keda/templates/manager/clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,14 @@ rules:
- get
- list
- watch
{{- if eq .Values.permissions.operator.restrict.saTokens false }}
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
{{- end }}
- apiGroups:
- ""
resources:
Expand Down
2 changes: 2 additions & 0 deletions keda/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -842,6 +842,8 @@ permissions:
# -- Restrict Secret Access for KEDA operator
# if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace
secret: false
# -- Restrict Service Token Access for KEDA operator
saTokens: true
# -- Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account
# also the configured `watchNamespace`.
# the default is an empty array -> no restriction on the secret name
Expand Down
Loading