From 9b0f4b2d0f935aa753c283b6c0ae3f07f67ec36b Mon Sep 17 00:00:00 2001 From: Max Cao Date: Fri, 29 Nov 2024 16:33:03 -0800 Subject: [PATCH 1/2] Add docs for bound service account token trigger authentication Signed-off-by: Max Cao --- .../bound-service-account-token.md | 14 ++++++++++++++ content/docs/2.17/concepts/authentication.md | 15 ++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 content/docs/2.17/authentication-providers/bound-service-account-token.md diff --git a/content/docs/2.17/authentication-providers/bound-service-account-token.md b/content/docs/2.17/authentication-providers/bound-service-account-token.md new file mode 100644 index 000000000..4623a17a3 --- /dev/null +++ b/content/docs/2.17/authentication-providers/bound-service-account-token.md @@ -0,0 +1,14 @@ ++++ +title = "Bound service account token" ++++ + +You can pull a service account token into the trigger by defining the `serviceAccountName` of the Kubernetes ServiceAccount and token `expiry` duration. + +```yaml +boundServiceAccountToken: # Optional. + - parameter: connectionString # Required - Defined by the scale trigger + serviceAccountName: my-keda-service-account # Required. + expiry: 1h # Required. +``` + +**Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise. diff --git a/content/docs/2.17/concepts/authentication.md b/content/docs/2.17/concepts/authentication.md index d751e01ec..ca8b509cb 100644 --- a/content/docs/2.17/concepts/authentication.md +++ b/content/docs/2.17/concepts/authentication.md @@ -240,6 +240,19 @@ secretTargetRef: # Optional. **Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise. +### Bound service account token + +You can pull a service account token into the trigger by defining the `serviceAccountName` of the Kubernetes ServiceAccount and token `expiry` duration. + +```yaml +boundServiceAccountToken: # Optional. + - parameter: connectionString # Required - Defined by the scale trigger + serviceAccountName: my-keda-service-account # Required. + expiry: 1h # Required. +``` + +**Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise. + ### Hashicorp Vault secret(s) You can pull one or more Hashicorp Vault secrets into the trigger by defining the authentication metadata such as Vault `address` and the `authentication` method (token | kubernetes). If you choose kubernetes auth method you should provide `role` and `mount` as well. @@ -425,4 +438,4 @@ You can tell KEDA to use EKS Pod Identity Webhook via `podIdentity.provider`. ```yaml podIdentity: provider: aws-eks # Optional. Default: none -``` \ No newline at end of file +``` From e0133f0479578af903c601709ef21596f4cd3c81 Mon Sep 17 00:00:00 2001 From: Max Cao Date: Wed, 22 Jan 2025 18:41:01 -0800 Subject: [PATCH 2/2] Update bound service account token examples; add example rbacs for keda-operator to request tokens Signed-off-by: Max Cao --- .../bound-service-account-token.md | 50 +++++++++++++++++-- content/docs/2.17/concepts/authentication.md | 11 ++-- 2 files changed, 50 insertions(+), 11 deletions(-) diff --git a/content/docs/2.17/authentication-providers/bound-service-account-token.md b/content/docs/2.17/authentication-providers/bound-service-account-token.md index 4623a17a3..e70503629 100644 --- a/content/docs/2.17/authentication-providers/bound-service-account-token.md +++ b/content/docs/2.17/authentication-providers/bound-service-account-token.md @@ -2,13 +2,53 @@ title = "Bound service account token" +++ -You can pull a service account token into the trigger by defining the `serviceAccountName` of the Kubernetes ServiceAccount and token `expiry` duration. +You can pull one or more service account tokens into the trigger by defining the `serviceAccountName` of the Kubernetes service account. ```yaml -boundServiceAccountToken: # Optional. - - parameter: connectionString # Required - Defined by the scale trigger - serviceAccountName: my-keda-service-account # Required. - expiry: 1h # Required. +boundServiceAccountToken: # Optional. + - parameter: connectionString # Required - Defined by the scale trigger + serviceAccountName: my-service-account # Required. ``` **Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise. + +## Permissions for KEDA to request service account tokens + +By default, the KEDA operator does not have the necessary permissions to request service account tokens from an arbitrary service account. This is to prevent a privilege escalation where a bad actor could use KEDA to request tokens on behalf of any service account in the cluster. + +To allow KEDA to request tokens from a service account, you must grant the `keda-operator` service account the necessary permissions using RBAC. This can be done by creating a `Role` and a `RoleBinding` in the service account's namespace to allow the `keda-operator` service account the `create` permission on the namespaced `serviceaccounts/token` subresource. + +Here's a minimal example of a `Role` and `RoleBinding` that grants the necessary permissions for the KEDA operator to request and use tokens from the namespaced `my-service-account` service account. + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: keda-operator-token-creator + namespace: my-namespace # Replace with the namespace of the service account +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + resourceNames: + - my-service-account # Replace with the name of the service account +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: keda-operator-token-creator-binding + namespace: my-namespace # Replace with the namespace of the service account +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: keda-operator-token-creator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda # Assuming the keda-operator service account is in the keda namespace +``` + +After applying similar restrictive permissions in your cluster, you can create the `TriggerAuthentication` resource that references the service account name, allowing KEDA to request and use tokens on your behalf with your scaler. Note that the service account must also have the necessary Kubernetes API permissions to perform the actions required by the scaler, such as querying metrics or managing resources, if the scaler delegates authentication to the Kubernetes API. diff --git a/content/docs/2.17/concepts/authentication.md b/content/docs/2.17/concepts/authentication.md index ca8b509cb..a2b832734 100644 --- a/content/docs/2.17/concepts/authentication.md +++ b/content/docs/2.17/concepts/authentication.md @@ -240,15 +240,14 @@ secretTargetRef: # Optional. **Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise. -### Bound service account token +### Bound service account token(s) -You can pull a service account token into the trigger by defining the `serviceAccountName` of the Kubernetes ServiceAccount and token `expiry` duration. +You can pull one or more service account tokens into the trigger by defining the `serviceAccountName` of the Kubernetes service account. ```yaml -boundServiceAccountToken: # Optional. - - parameter: connectionString # Required - Defined by the scale trigger - serviceAccountName: my-keda-service-account # Required. - expiry: 1h # Required. +boundServiceAccountToken: # Optional. + - parameter: connectionString # Required - Defined by the scale trigger + serviceAccountName: my-service-account # Required. ``` **Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise.