Configure AuthService Audiences
Depending on your EKF deployment, you may need to authenticate certain clients with specific audiences. In this case, you will need to configure AuthService to accept the tokens of these clients with the respective audiences. Audiences are strings associated with tokens that specify the target resource server for a token; AuthService rejects a token whose audience is not in its configured list.
This guide will walk you through configuring the audiences that AuthService accepts for authentication.
There are currently two AuthService authenticators that check token audiences:
- The Kubernetes authenticator, which by default expects the
- The JWT access token authenticator, which has no default audience; the admin must configure it based on the audience claim of the JWT access tokens issued by the external Identity Provider. You can find out more on how the JWT access token authentication method works in Authentication with External Identity Providers Using JWT.
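To make the audience check concrete, here is an added example (not AuthService's own code) that parses a comma-separated `AUDIENCES` value exactly like the one in `audiences.env` and applies the same accept/reject decision to the `aud` claim of a token. The token builder, the client names and the signature placeholder are constructed for the demonstration; signature verification is assumed to happen before this check and is not shown.

```python
import base64
import json

# Default audience as it appears in audiences.env on this page.
DEFAULT_AUDIENCE = "istio-ingressgateway.istio-system.svc.cluster.local"


def parse_audiences(audiences_value):
    """Split the comma-separated AUDIENCES value into a set, ignoring blanks."""
    return {a.strip() for a in audiences_value.split(",") if a.strip()}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature).
    This helper only parses; it assumes the signature was verified already."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepted(claims, accepted):
    """RFC 7519 allows 'aud' to be a string or a list of strings. The token is
    accepted when at least one listed audience is configured in AUDIENCES."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    return any(a in accepted for a in aud)


def check_token(token, audiences_value):
    """Decide as AuthService's audience check does: 'accepted' when the token's
    audience matches a configured audience, otherwise 'rejected'."""
    try:
        claims = jwt_claims(token)
    except ValueError:  # malformed segments or payload (base64/JSON errors)
        return "rejected"
    return "accepted" if audience_accepted(claims, parse_audiences(audiences_value)) else "rejected"


def make_sample_token(claims):
    """Build a constructed sample token for the demo. The third segment is a
    placeholder, not a real signature (hypothetical input only)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


if __name__ == "__main__":
    configured = DEFAULT_AUDIENCE + ",myAudience"
    for sub, aud in [("client-a", "myAudience"), ("client-b", "otherService")]:
        print(sub, check_token(make_sample_token({"sub": sub, "aud": aud}), configured))
```

The key point for operators: a token issued for `otherService` is rejected even if it is validly signed, which is why each client's audience must be listed explicitly in `AUDIENCES`.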
1. Go to your GitOps repository, inside your `rok-tools` management environment:

```
root@rok-tools:~# cd ~/ops/deployments
```

2. Edit the `kubeflow/manifests/common/oidc-authservice/overlays/deploy/audiences.env` file and append the audiences of the clients as comma-separated values:

```
AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,<CUSTOM_AUDIENCE>
```

Replace `<CUSTOM_AUDIENCE>` with the audience of the clients you want AuthService to authenticate, for example:

```
AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,myAudience
```
Do not remove the
AUDIENCES, if you want to use the Kubernetes authentication method.
3. Commit your changes:

```
root@rok-tools:~/ops/deployments# git commit -am \
>     "authservice: Extend the list of the accepted AUDIENCES."
```

4. Apply the changes:

```
root@rok-tools:~/ops/deployments# rok-deploy --apply \
>     kubeflow/manifests/common/oidc-authservice/overlays/deploy
```

5. Delete the `authservice` Pod manually:

```
root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
```
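Because a mistaken edit to `audiences.env` (a dropped default audience, a duplicated entry) is only noticed after the Pod restarts, here is an added pre-commit helper for the procedure above. It is example code, not part of the EKF tooling: it appends audiences to the `AUDIENCES` line without losing existing ones and reports any required audience that is missing. The file contents are constructed inline; the function and variable names are this example's own.

```python
# Default audience as written in audiences.env on this page.
DEFAULT_AUDIENCE = "istio-ingressgateway.istio-system.svc.cluster.local"
KEY = "AUDIENCES"


def _split(value):
    # Comma-separated list as used by AUDIENCES; blanks are ignored.
    return [a.strip() for a in value.split(",") if a.strip()]


def add_audiences(env_text, new_audiences):
    """Return audiences.env content with new_audiences appended to AUDIENCES.
    Existing entries (the default included) are kept, duplicates are skipped,
    and unrelated lines pass through unchanged. If no AUDIENCES line exists,
    one is created that starts with the default audience."""
    out, found = [], False
    for line in env_text.splitlines():
        if line.startswith(KEY + "="):
            found = True
            current = _split(line[len(KEY) + 1:])
            for aud in new_audiences:
                if aud not in current:
                    current.append(aud)
            line = f"{KEY}={','.join(current)}"
        out.append(line)
    if not found:
        current = [DEFAULT_AUDIENCE]
        current += [a for a in new_audiences if a not in current]
        out.append(f"{KEY}={','.join(current)}")
    return "\n".join(out) + "\n"


def missing_audiences(env_text, required):
    """Pre-commit check: return the entries of `required` that are absent from
    AUDIENCES. An empty list means the file is ready to commit."""
    configured = []
    for line in env_text.splitlines():
        if line.startswith(KEY + "="):
            configured = _split(line[len(KEY) + 1:])
    return [a for a in required if a not in configured]


if __name__ == "__main__":
    # Constructed sample of the file before the edit.
    before = f"{KEY}={DEFAULT_AUDIENCE}\n"
    after = add_audiences(before, ["myAudience"])
    print(after, end="")
    print("missing:", missing_audiences(after, [DEFAULT_AUDIENCE, "myAudience"]))
```

Running `missing_audiences` with the default audience in the required list catches the case the page warns about: a file that no longer lists the default audience would break the Kubernetes authentication method after the Pod is recreated.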
1. Ensure that the `authservice` StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

```
root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
NAME            READY   STATUS    RESTARTS   AGE
authservice-0   1/1     Running   0          13s
```

2. Ensure that the new `authservice` Pod includes the configurations you have applied, that is, the output of the following command includes the audiences you specified in step 2:

```
root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
>     | jq -r '.data.AUDIENCES'
istio-ingressgateway.istio-system.svc.cluster.local,myAudience
```