Configure AuthService to Use Specific Authentication Methods

This guide gives you the context you need to configure AuthService to use the authentication methods that match your preferences and needs.

AuthService attempts to authenticate an incoming request with one of the available authenticators in the following order:

  1. Kubernetes authenticator: authenticates the client with their Kubernetes Service Account. This authenticator communicates with the Kubernetes API server to validate the client request and retrieve the respective information.
  2. Access token authenticator: AuthService can validate access tokens issued by an external Identity Provider with one of the following two authentication methods:
    1. Opaque access token authenticator: authenticates the client based on the opaque access token that the external Identity Provider granted to the client. This authenticator communicates with the integrated external Identity Provider to validate each client request and retrieve the respective information.
    2. JWT access token authenticator: authenticates the client locally based on the JWT access token that the external Identity Provider granted to the client. If the key that signed the JWT access token is in the JSON Web Key Set (JWKS), this authenticator validates the client request without communicating with the external Identity Provider.
  3. Session authenticator: authenticates the client based on their cookie. If the session for this client exists, this authenticator validates the client request locally.
  4. ID token authenticator: authenticates the client locally based on the ID token that the external Identity Provider granted to the client. If the key that signed the ID token is in the JSON Web Key Set (JWKS), this authenticator validates the client request without communicating with the external Identity Provider.

Note

AuthService comes with all the above authentication methods enabled by default. Note that for access token authentication, admins can use only one of the two available authentication methods. By default, the JWT access token authenticator is enabled and the opaque access token authenticator is disabled.

Important

You cannot disable the session authenticator. This authenticator is essential so that you can log in to Kubeflow.

In the following sections you can learn how to enable or disable each authentication method. Configuring AuthService to use only the necessary authentication methods can significantly reduce the authentication overhead.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Set the appropriate environment variable in the configuration file. Choose one of the following options based on the authentication method you want to configure.

    Choose one of the following options based on whether you want to disable or enable the Kubernetes authentication method.

    To disable the Kubernetes authenticator:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      KUBERNETES_AUTHN_ENABLED=false

      Important

      Ensure that KUBERNETES_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Disable the Kubernetes authenticator"

    To enable the Kubernetes authenticator:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      KUBERNETES_AUTHN_ENABLED=true

      Important

      Ensure that KUBERNETES_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the Kubernetes authenticator"

    Choose one of the following options based on whether you want to disable both the JWT and opaque access token authenticators, or enable one of them.

    To disable both access token authenticators:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      ACCESS_TOKEN_AUTHN_ENABLED=false

      Important

      Ensure that ACCESS_TOKEN_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Disable the access token authenticator"

    To enable the JWT access token authenticator:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following lines:

      ACCESS_TOKEN_AUTHN_ENABLED=true
      ACCESS_TOKEN_AUTHN=jwt

      Important

      Ensure that both ACCESS_TOKEN_AUTHN_ENABLED and ACCESS_TOKEN_AUTHN appear only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the JWT access token authenticator"

    To enable the opaque access token authenticator:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following lines:

      ACCESS_TOKEN_AUTHN_ENABLED=true
      ACCESS_TOKEN_AUTHN=opaque

      Important

      Ensure that both ACCESS_TOKEN_AUTHN_ENABLED and ACCESS_TOKEN_AUTHN appear only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the opaque access token authenticator"

    Choose one of the following options based on whether you want to disable or enable the ID token authentication method.

    To disable the ID token authenticator:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      IDTOKEN_AUTHN_ENABLED=false

      Important

      Ensure that IDTOKEN_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Disable the ID token authenticator"

    To enable the ID token authenticator:

    1. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      IDTOKEN_AUTHN_ENABLED=true

      Important

      Ensure that IDTOKEN_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the ID token authenticator"

  3. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     kubeflow/manifests/common/oidc-authservice/overlays/deploy

  4. Restart the authservice Pod manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
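
A check you can run on authenticators.env before the commit in step 2, as an added example that is not part of the original guide or of AuthService. It enforces the "appears only once" rule from the Important notes and assumes the only accepted values are the ones this guide shows (true/false, and jwt/opaque); the function name lint_authenticators_env is hypothetical.

```shell
#!/bin/sh
# Added example: lint authenticators.env before the "git commit" in step 2.
# Assumption: accepted values are exactly those shown in this guide.

# lint_authenticators_env FILE
# Prints one line per problem; returns non-zero if any problem is found.
lint_authenticators_env() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = $1
            count[key]++
            # Everything after the first "=", so a second KEY=VALUE pasted
            # onto the same line ends up in the value and fails validation.
            value[key] = substr($0, length(key) + 2)
        }
        END {
            for (k in count) if (count[k] > 1) {
                printf "%s appears %d times; it must appear only once\n", k, count[k]
                bad = 1
            }
            n = split("KUBERNETES_AUTHN_ENABLED ACCESS_TOKEN_AUTHN_ENABLED IDTOKEN_AUTHN_ENABLED", flags, " ")
            for (i = 1; i <= n; i++) {
                k = flags[i]
                if ((k in value) && value[k] != "true" && value[k] != "false") {
                    printf "%s must be true or false, got \"%s\"\n", k, value[k]
                    bad = 1
                }
            }
            k = "ACCESS_TOKEN_AUTHN"
            if ((k in value) && value[k] != "jwt" && value[k] != "opaque") {
                printf "%s must be jwt or opaque, got \"%s\"\n", k, value[k]
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the repeated key and the merged line are deliberate.
sample=$(mktemp)
cat > "$sample" <<'EOF'
KUBERNETES_AUTHN_ENABLED=false
ACCESS_TOKEN_AUTHN_ENABLED=true ACCESS_TOKEN_AUTHN=jwt
IDTOKEN_AUTHN_ENABLED=true
KUBERNETES_AUTHN_ENABLED=true
EOF
lint_authenticators_env "$sample" || echo "fix authenticators.env before committing"
rm -f "$sample"
```

Run it against kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env; a non-zero exit status means the file breaks one of the rules above.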

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s

  2. Ensure that the new authservice Pod includes the configurations you have applied:

    Ensure you have disabled the Kubernetes authentication method, that is, the output of the following command is false:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.KUBERNETES_AUTHN_ENABLED'
    false

    Ensure you have enabled the Kubernetes authentication method, that is, the output of the following command is true:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.KUBERNETES_AUTHN_ENABLED'
    true

    Ensure that you have disabled the access token authentication method, that is, the output of the following command is false:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.ACCESS_TOKEN_AUTHN_ENABLED'
    false

    If you enabled the JWT access token authenticator:

    1. Ensure you have enabled the access token authentication method, that is, the output of the following command is true:

      root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
      >     | jq -r '.data.ACCESS_TOKEN_AUTHN_ENABLED'
      true

    2. Ensure you have selected the JWT access token authentication method, that is, the output of the following command is jwt:

      root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
      >     | jq -r '.data.ACCESS_TOKEN_AUTHN'
      jwt

    If you enabled the opaque access token authenticator:

    1. Ensure that you have enabled the access token authenticator, that is, the output of the following command is true:

      root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
      >     | jq -r '.data.ACCESS_TOKEN_AUTHN_ENABLED'
      true

    2. Ensure that you have selected the opaque access token authentication method, that is, the output of the following command is opaque:

      root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
      >     | jq -r '.data.ACCESS_TOKEN_AUTHN'
      opaque

    Ensure you have disabled the ID token authentication method, that is, the output of the following command is false:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.IDTOKEN_AUTHN_ENABLED'
    false

    Ensure you have enabled the ID token authentication method, that is, the output of the following command is true:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.IDTOKEN_AUTHN_ENABLED'
    true

Summary

You have successfully configured the AuthService authentication methods of your preference.

What’s Next

Check out the rest of the authentication management documentation.