Enable AuthService Caching Mechanism

In Arrikto Enterprise Kubeflow, AuthService does not have the caching mechanism enabled by default. In this guide you will enable the AuthService caching mechanism. Enabling the AuthService caching mechanism makes authentication faster since it removes the overhead of communicating with the Kubernetes API server or the OIDC provider.

When a client makes a request with a Bearer token, AuthService searches its cache for this token. If the token exists in the cache, AuthService skips sending access token authentication requests to the Kubernetes API server or the external Identity Provider and uses the cached user information. Otherwise, it attempts to authenticate the client with one of the available authenticators. If one of the cacheable authenticators successfully authenticates the client, AuthService stores the token in its cache together with the respective user information.

Note

The cacheable authenticators are currently the Kubernetes authenticator and the external Identity Provider authenticator that uses opaque tokens.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/caching.env and append the following values:

    CACHE_ENABLED=true
    CACHE_EXPIRATION_MINUTES=5

    Important

    Ensure that the above configuration variables appear only once inside the kubeflow/manifests/common/oidc-authservice/overlays/deploy/caching.env file.

    Warning

    Ensure that CACHE_EXPIRATION_MINUTES has a value of at most 5. CACHE_EXPIRATION_MINUTES is the time, in minutes, after which a cache entry expires. Keeping it this short minimizes the possibility of authenticating requests with expired tokens.

  3. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Enable the caching mechanism of AuthService."
  4. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/oidc-authservice/overlays/deploy
  5. Restart the authservice Pod manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
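
The following check is an added example, not part of the original guide or of AuthService. It validates caching.env against the Important and Warning notes in step 2 before you commit in step 3. The function names and the lower bound of 1 minute are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check caching.env before committing it.
# Usage (from ~/ops/deployments):
#   check_caching_env kubeflow/manifests/common/oidc-authservice/overlays/deploy/caching.env

# Print how many lines in FILE ($2) assign KEY ($1); commented lines do not match.
count_key() {
    grep -c -E "^[[:space:]]*$1=" "$2" || true   # grep exits 1 on zero matches
}

# Print the value of the first KEY ($1) assignment in FILE ($2).
value_of() {
    sed -n -E "s/^[[:space:]]*$1=//p" "$2" | tr -d '\r' | head -n 1
}

check_caching_env() {
    file=$1
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }

    # Each variable must appear exactly once in the file.
    rc=0
    for key in CACHE_ENABLED CACHE_EXPIRATION_MINUTES; do
        n=$(count_key "$key" "$file")
        if [ "$n" -ne 1 ]; then
            echo "ERROR: $key is set $n times, expected exactly once" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    if [ "$(value_of CACHE_ENABLED "$file")" != "true" ]; then
        echo "ERROR: CACHE_ENABLED is not 'true'" >&2
        return 1
    fi

    # The expiration must be a whole number of minutes, at most 5.
    # The lower bound of 1 is an assumption of this example.
    minutes=$(value_of CACHE_EXPIRATION_MINUTES "$file")
    case $minutes in
        ''|*[!0-9]*) echo "ERROR: CACHE_EXPIRATION_MINUTES='$minutes' is not a whole number" >&2; return 1 ;;
    esac
    if [ "$minutes" -lt 1 ] || [ "$minutes" -gt 5 ]; then
        echo "ERROR: CACHE_EXPIRATION_MINUTES=$minutes is outside 1-5" >&2
        return 1
    fi
    echo "OK: caching enabled, entries expire after $minutes minute(s)"
}
```

A non-zero return means the file should be fixed before it is committed and applied.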

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
  2. Ensure that the new authservice Pod includes the configurations you have applied:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.CACHE_ENABLED'
    true
    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.CACHE_EXPIRATION_MINUTES'
    5

Summary

You have successfully enabled the AuthService caching mechanism.

What’s Next

Check out the rest of the authentication management documentation.