Configure AuthService Audiences
Depending on your EKF deployment, you may need to authenticate certain clients with specific audiences. In this case, you will need to configure AuthService to accept the tokens of these clients with the respective audiences. Audiences are strings that are associated with tokens, and specify the target resource server for a token.
This guide will walk you through configuring the audiences that AuthService accepts for authentication.
Important
There are currently two AuthService authenticators that check token audiences:
- The Kubernetes authenticator, which by default expects the istio-ingressgateway.istio-system.svc.cluster.local audience.
- The JWT access token authenticator, which has no default audience; the admin must configure it based on the audience claim of the JWT access token issued by the external Identity Provider. You can find out more on how the JWT access token authentication method works in Authentication with External Identity Providers Using JWT.
Overview
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster running services.
Procedure
1. Go to your GitOps repository, inside your rok-tools management environment:

   root@rok-tools:~# cd ~/ops/deployments

2. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/audiences.env file and append the audiences of the clients as comma-separated values:

   AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,<CUSTOM_AUDIENCE>

   Replace <CUSTOM_AUDIENCE> with the audience of the clients you want AuthService to authenticate, for example:

   AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,myAudience

   Important
   Do not remove the istio-ingressgateway.istio-system.svc.cluster.local audience from AUDIENCES if you want to use the Kubernetes authentication method.

3. Commit your changes:

   root@rok-tools:~/ops/deployments# git commit -am \
   > "authservice: Extend the list of the accepted AUDIENCES."

4. Apply the changes:

   root@rok-tools:~/ops/deployments# rok-deploy --apply \
   > kubeflow/manifests/common/oidc-authservice/overlays/deploy

5. Restart the authservice Pod manually:

   root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
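A preflight check you can run on the audiences.env file from step 2 before committing, added here as an example and not part of Arrikto's tooling: it confirms the Kubernetes authenticator's default audience is still in AUDIENCES, rejects empty or whitespace-padded entries, and answers whether a given client audience would be accepted. It assumes AuthService matches audiences literally, exactly as written in the file.

```shell
#!/bin/sh
# Added preflight check for the audiences.env file edited in step 2 (not Arrikto's own code).
# Assumption: AuthService compares audiences exactly as written, so stray whitespace
# or empty entries would silently fail to match a client's token.
DEFAULT_AUD="istio-ingressgateway.istio-system.svc.cluster.local"

# Print the AUDIENCES value of an env file, one audience per line.
list_audiences() {
    sed -n 's/^AUDIENCES=//p' "$1" | tr ',' '\n'
}

# Exit 0 if AUDIENCE ($1) is accepted by the file ($2); whole-line, literal match only,
# so "my" does not match "myAudience".
audience_accepted() {
    list_audiences "$2" | grep -qxF -- "$1"
}

# Exit 0 if the file keeps the Kubernetes authenticator's default audience and has
# no empty or whitespace-padded entries (e.g. a trailing comma); otherwise report and exit 1.
check_audiences() {
    value=$(sed -n 's/^AUDIENCES=//p' "$1")
    case "$value" in
        "") echo "error: $1 has no AUDIENCES line" >&2; return 1 ;;
        *,,*|,*|*,|*[[:space:]]*)
            echo "error: empty or whitespace-padded audience entry in $1" >&2; return 1 ;;
    esac
    if ! audience_accepted "$DEFAULT_AUD" "$1"; then
        echo "error: $DEFAULT_AUD is missing; Kubernetes authentication would break" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed sample file; the repository file is not touched.
sample=$(mktemp)
printf 'AUDIENCES=%s,myAudience\n' "$DEFAULT_AUD" > "$sample"
check_audiences "$sample" && echo "audiences.env OK"
audience_accepted myAudience "$sample" && echo "myAudience is accepted"
rm -f "$sample"
```

Point check_audiences at kubeflow/manifests/common/oidc-authservice/overlays/deploy/audiences.env in your clone to check the real file before step 3.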
Verify
1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

   root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
   NAME            READY   STATUS    RESTARTS   AGE
   authservice-0   1/1     Running   0          13s

2. Ensure that the new authservice Pod includes the configurations you have applied, that is, the output of the following command includes the audiences you specified in step 2:

   root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
   > | jq -r '.data.AUDIENCES'
   istio-ingressgateway.istio-system.svc.cluster.local,myAudience
What's Next
Check out the rest of the authentication management documentation.