Configure AuthService to Use Specific Authentication Methods

This guide explains how to configure AuthService to use the authentication methods that fit your preferences and needs.

AuthService attempts to authenticate an incoming request with one of the available authenticators in the following order:

  1. Kubernetes authenticator: authenticates the client with their Kubernetes Service Account. This authenticator communicates with the Kubernetes API server to validate the client request and retrieve the respective information.
  2. JWT access token authenticator: locally authenticates the client based on the JWT access token that the external Identity Provider granted to the client. If the signature of the JWT access token exists in the JSON Web Key Set (JWKs) list, this authenticator validates the client request without communicating with the external Identity Provider.
  3. Session authenticator: authenticates the client based on their cookie. If the session for this client exists, this authenticator validates the client request locally.
  4. ID token authenticator: locally authenticates the client based on the ID token that the external Identity Provider granted to the client. If the signature of the ID token exists in the JSON Web Key Set (JWKs) list, this authenticator validates the client request without communicating with the external Identity Provider.

Note

AuthService comes with all the above authentication methods enabled by default.

Important

You cannot disable the session authenticator. This authenticator is essential so that you can log in to Kubeflow.

In the following sections you can learn how to enable or disable each authentication method. Configuring AuthService to use only the necessary authentication methods can significantly reduce the authentication overhead.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Set the appropriate environment variable in the configuration file. Choose one of the following options based on the authentication method you want to configure.

    Choose one of the following options based on whether you want to disable or enable the Kubernetes authentication method.

    Disable:

    1. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      KUBERNETES_AUTHN_ENABLED=false

      Important

      Ensure that KUBERNETES_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Disable the Kubernetes authenticator"

    Enable:

    1. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      KUBERNETES_AUTHN_ENABLED=true

      Important

      Ensure that KUBERNETES_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the Kubernetes authenticator"

    Choose one of the following options based on whether you want to disable or enable the JWT authentication method.

    Disable:

    1. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      JWT_AUTHN_ENABLED=false

      Important

      Ensure that JWT_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Disable the JWT access token authenticator"

    Enable:

    1. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      JWT_AUTHN_ENABLED=true

      Important

      Ensure that JWT_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the JWT access token authenticator"

    Choose one of the following options based on whether you want to disable or enable the ID token authentication method.

    Disable:

    1. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      IDTOKEN_AUTHN_ENABLED=false

      Important

      Ensure that IDTOKEN_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Disable the ID token authenticator"

    Enable:

    1. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env and write the following line:

      IDTOKEN_AUTHN_ENABLED=true

      Important

      Ensure that IDTOKEN_AUTHN_ENABLED appears only once in this file.

    2. Commit your changes:

      root@rok-tools:~/ops/deployments# git commit -am \
      >     "authservice: Enable the ID token authenticator"
  3. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     kubeflow/manifests/common/oidc-authservice/overlays/deploy
  4. Restart the authservice Pod manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
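
Step 2 requires that each toggle appears only once in authenticators.env. The following added example (not part of the original guide or of AuthService) lints the file before you commit; the function name, the sample file contents, and reporting an absent key as the default are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: lint authenticators.env before committing it.
# The three keys are the toggles named in this guide; the function name and
# the sample file below are assumptions of this example.

AUTHN_KEYS="KUBERNETES_AUTHN_ENABLED JWT_AUTHN_ENABLED IDTOKEN_AUTHN_ENABLED"

# check_authenticators_env FILE
# Prints one line per key. Returns 1 if a key is defined more than once or has
# a value other than true/false, 2 if FILE is unreadable. An absent key is
# reported as the default (assumed: AuthService enables all authenticators).
check_authenticators_env() {
    local file="$1" key count value rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for key in $AUTHN_KEYS; do
        # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
        count=$(grep -cE "^[[:space:]]*${key}=" "$file" || true)
        if [ "$count" -eq 0 ]; then
            echo "$key: default (enabled)"
        elif [ "$count" -gt 1 ]; then
            echo "$key: ERROR, defined $count times"
            rc=1
        else
            value=$(grep -E "^[[:space:]]*${key}=" "$file" | cut -d= -f2- | tr -d '[:space:]')
            case "$value" in
                true|false) echo "$key: $value" ;;
                *) echo "$key: ERROR, unexpected value '$value'"; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Constructed sample: JWT_AUTHN_ENABLED is defined twice, which the guide forbids.
sample=$(mktemp)
cat > "$sample" <<'EOF'
KUBERNETES_AUTHN_ENABLED=false
JWT_AUTHN_ENABLED=false
JWT_AUTHN_ENABLED=true
EOF
check_authenticators_env "$sample" || echo "fix authenticators.env before committing"
rm -f "$sample"
```

Run it against kubeflow/manifests/common/oidc-authservice/overlays/deploy/authenticators.env from ~/ops/deployments and commit only when it returns 0.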

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that the STATUS field is Running and the READY field is 1/1:

    root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
  2. Ensure that the new authservice Pod includes the configurations you have applied:

    Kubernetes authenticator disabled:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.KUBERNETES_AUTHN_ENABLED'
    false

    Kubernetes authenticator enabled:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.KUBERNETES_AUTHN_ENABLED'
    true

    JWT access token authenticator disabled:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.JWT_AUTHN_ENABLED'
    false

    JWT access token authenticator enabled:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.JWT_AUTHN_ENABLED'
    true

    ID token authenticator disabled:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.IDTOKEN_AUTHN_ENABLED'
    false

    ID token authenticator enabled:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    >     | jq -r '.data.IDTOKEN_AUTHN_ENABLED'
    true

Summary

You have successfully configured the AuthService authentication methods of your preference.

What’s Next

Check out the rest of the authentication management documentation.