-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: Enhance podIdentity Role Assumption in AWS by Direct Integration with OIDC/Federation and Implement Credentials Cache #5177
Conversation
Thank you for your contribution! 🙏 We will review your PR as soon as possible. While you are waiting, make sure to:
Learn more about: |
Signed-off-by: Sami S <25616506+ThaSami@users.noreply.github.com>
a3ab249
to
49ea026
Compare
Signed-off-by: Sami S <25616506+ThaSami@users.noreply.github.com>
I think in general this makes sense - perhaps it would be good to showcase how other operators (e.g This also ties in with the work @JorTurFer is doing in #5061 and kedacore/keda-docs#1251 so would be good to get his eyes on this as well. Otherwise it would be good to add some E2E tests for this, but I'm not familiar with how this is done in KEDA so that would also need @JorTurFer's input 😄 |
Thank you, @blakepettersson, for highlighting the external-secrets approach.
The third option catches my interest. @JorTurFer, it might be worth considering this into the new AWS provider. While I still believe the work being done in this PR holds some value, we could shift our approach a little bit. Instead of retrieving KEDA's service account token via os.GetEnv(WEB_IDENTITY_TOKEN), we might use External-secret's approach method to dynamically generate the other workload's service account token. |
Honestly, I don't think that this is worth because KEDA could create a token for any identity within the cluster, and that's a huge risk IMHO. I didn't know that external-secrets does this, but now it's a no-go for me. Adding the capability of requesting service account tokens without any limitation is potentially risky because KEDA could request a token for a service account bound with a role that it's not allowed for KEDA, but as KEDA can just request a valid k8s token for that workload, KEDA could by-pass the assumption policy and escalate its privileges. This approach also would require a huge privilege increase in KEDA side, because KEDA needs this permission by RBAC. I strongly disagree with this, but maybe I'm missing something important. @zroubalik WDYT? About the approach, I have thoughts in conflict with doing the fallback from |
I am with @JorTurFer on this, though to be fair, I don't consider myself an expert on the area. |
Just for update this PR, @ThaSami and I have been talking about directly via slack and we will move this to the new aws auth (the one I have as wip), adding to it some extra features, so the new auth will include also:
These to features are in addition to already pending changes in that auth |
Excellent, I really like the cache! |
Thanks, @JorTurFer @zroubalik for the insights Following our conversation on Slack with Jorge, I've implemented a cache for AWS Role credentials. This cache monitors each AWS role's usage and performs cleanup only when a scaler is removed. I would appreciate your input. |
Thanks for your contribution! As we have talked about offline, I close this PR in favor of #5061 which adds this functionality to the new auth. |
In the existing setup, when AWS roles are overridden through pod identity mechanism or by specifying the awsRoleArn trigger authentication environment variable, KEDA attempts to assume the specified role using its Operator's IAM role. This process necessitates granting the KEDA operator's role the necessary permissions to assume the target role. Additionally, the trust relationship on the target role must be configured to permit this assumption. While this approach aligns well with setups using kube2iam, it introduces a redundant step in environments that utilize IRSA.
The proposed Pull Request (PR) enables KEDA to directly assume AWS roles by using OpenID Connect (OIDC) and federation mechanisms. This direct method bypasses the need to configure additional permissions on the KEDA operator's role. By doing so, it simplifies the role assumption process in IRSA environments, reducing the configuration overhead typically associated with setting up cross-account role permissions and trust policies.
The modification maintains backward compatibility; if role assumption is unsuccessful, it will revert to attempting role assumption via the operator's role
Additionally, this update introduces a credentials cache for AWS roles. When multiple ScaledObjects utilize the same AWS role, this cache significantly cuts down on the number of AWS API calls.
Checklist
Fixes #5178
Fixes #5297