crontab entry for k8s token #3056
Comments
|
@johrstrom This approach is not more secure if the thing requesting the token is also the thing approving the token. What would be required here is a little more complex. The thing consuming the token would be the OnDemand host and there would need to be something like the Kubernetes control plane host that generates the new token and makes it accessible to the OnDemand host in a secure way. At OSC that can take limited forms due to how things are segregated. We'd have to generate the token with a cron job on control plane and write out to global NFS share that most things at OSC have access to and then consume the new token off NFS on the OnDemand host. I'm not entirely thrilled about this as it puts a lot of additional dependency on NFS always functioning. |
|
I think what's needed here is documentation updates, not code changes that nudge people towards a single solution. I think we need to document how the tokens are handled currently and some possible alternatives like what you have in #3190 but I don't think the changes in #3190 should be something we have deployed for folks by default as we should not be in the business of telling people how to administer their Kubernetes cluster, at least we should avoid it as much as possible. |
|
This was turned into documentation issue and fixed in OSC/ood-documentation#919 |
Sounds like we're landing on a crontab entry that can create/update the root user's token. It seems like such a thing would require reading & interpreting the
cluster.d/kubernetes.ymlto find where to request the token from.Originally posted by @johrstrom in #3020 (comment)
The text was updated successfully, but these errors were encountered: