Enable AuthService Caching Mechanism
In Arrikto Enterprise Kubeflow, AuthService does not have the caching mechanism enabled by default. In this guide you will enable the AuthService caching mechanism. Enabling the AuthService caching mechanism makes authentication faster since it removes the overhead of communicating with the Kubernetes API server or the OIDC provider.
When a client makes a request with a Bearer token, AuthService searches its cache for this token. If the token exists in the cache, AuthService skips sending access token authentication requests to the Kubernetes API server or the external Identity Provider and uses the cached user information. Otherwise, it attempts to authenticate the client with one of the available authenticators. If one of the cacheable authenticators successfully authenticates the client, AuthService stores the token in its cache together with the respective user information.
Note
The cacheable authenticators are currently the Kubernetes authenticator and the external Identity Provider authenticator that uses opaque tokens.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working Rok deployment.
- A working Kubeflow deployment.
- Access to the cluster running services.
Procedure
1. Go to your GitOps repository, inside your rok-tools management environment:

   root@rok-tools:~# cd ~/ops/deployments

2. Edit kubeflow/manifests/common/oidc-authservice/overlays/deploy/caching.env and append the following values:

   CACHE_ENABLED=true
   CACHE_EXPIRATION_MINUTES=5

   Important
   Ensure that the above configuration variables appear only once inside the kubeflow/manifests/common/oidc-authservice/overlays/deploy/caching.env file.

   Warning
   Ensure that CACHE_EXPIRATION_MINUTES has a value of up to 5 minutes. CACHE_EXPIRATION_MINUTES indicates the time in minutes that it takes for a cache entry to expire. Keeping this value low minimizes the possibility of authenticating requests with expired tokens.

3. Commit your changes:

   root@rok-tools:~/ops/deployments# git commit -am "Enable the caching mechanism of AuthService."

4. Apply the changes:

   root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/oidc-authservice/overlays/deploy

5. Restart the authservice Pod manually:

   root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
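
A check you can run on caching.env before committing, added here as an example (it is not part of Arrikto's tooling): it verifies that each variable is set exactly once and that the expiration stays within the 5-minute bound. The function name check_caching_env and the strict rule that the value must be a single integer from 1 to 5 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Arrikto tooling: validate caching.env before committing it.
# Returns 0 when the file satisfies the guide's constraints, 1 otherwise.
check_caching_env() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # Each variable must be assigned exactly once (the guide's "Important" note).
    for key in CACHE_ENABLED CACHE_EXPIRATION_MINUTES; do
        count=$(grep -c -E "^[[:space:]]*${key}=" "$file" || true)
        if [ "$count" -ne 1 ]; then
            echo "$key is set $count times, expected exactly once" >&2
            rc=1
        fi
    done

    # Read the last assignment of each key.
    enabled=$(sed -n 's/^[[:space:]]*CACHE_ENABLED=//p' "$file" | tail -n 1)
    minutes=$(sed -n 's/^[[:space:]]*CACHE_EXPIRATION_MINUTES=//p' "$file" | tail -n 1)

    if [ "$enabled" != "true" ]; then
        echo "CACHE_ENABLED is '$enabled', expected 'true'" >&2
        rc=1
    fi

    # The guide's "Warning": at most 5 minutes. Rejecting 0, non-numeric
    # and zero-padded values is an assumption of this example.
    case "$minutes" in
        [1-5]) ;;
        *) echo "CACHE_EXPIRATION_MINUTES is '$minutes', expected 1 to 5" >&2
           rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: a file that was appended to twice, ending with a long TTL.
sample=$(mktemp)
printf 'CACHE_ENABLED=true\nCACHE_EXPIRATION_MINUTES=5\nCACHE_EXPIRATION_MINUTES=60\n' > "$sample"
if check_caching_env "$sample"; then echo "caching.env OK"; else echo "caching.env rejected"; fi
rm -f "$sample"
```

From ~/ops/deployments, call check_caching_env kubeflow/manifests/common/oidc-authservice/overlays/deploy/caching.env after step 2 and commit only if it returns 0.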
Verify
1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

   root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
   NAME            READY   STATUS    RESTARTS   AGE
   authservice-0   1/1     Running   0          13s

2. Ensure that the new authservice Pod includes the configurations you have applied:

   root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
   >     | jq -r '.data.CACHE_ENABLED'
   true

   root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
   >     | jq -r '.data.CACHE_EXPIRATION_MINUTES'
   5
What’s Next
Check out the rest of the authentication management documentation.