K
Q

Best practice for managing the cluster from the outside

3/23/2020

I have a best-practice question:

I have a Django application running somewhere (non-k8s) where my end-user accounts are tracked. Separately, I have a k8s cluster that has a service for every user. When a new user signs up in Django, a new service should be created in the cluster.

What is the best practice for doing this? Two options I see are:

  1. Have a long-lived service in the cluster, something like user-pod-creator, which exposes an API to the Django side, allowing it to ask for a pod to be created.
  2. Give the Django permissions to use the cluster's API directly; have it create (and delete) pods as it wishes.

Intuitively I prefer the first because of the separation of concerns it creates and because of security reasons. But the second would give a lot of flexibility to the Django app so that it can not only create and delete pods, but it can have more visibility into the cluster if need be with direct API calls, instead of me having to expose new API endpoints in user-pod-creator or some other service.

-- authn_authz_person
kubernetes

Similar Questions

Why k8s pod can't find key in ConfigMap?
Failed to download JupyterHub via helm
Nginx Ingress, HTTPS, and internal HTTPs
Helm - comma-separated list of dynamic strings

1 Answer

3/23/2020

Option 2 is a valid approach and can be solved with a service account.

Create a ServiceAccount for your Django app:

kubectl create serviceaccount django

This ServiceAccount points to a Secret, and this Secret contains a token.

Find out the Secret associated with the ServiceAccount:

kubectl get serviceaccount django -o yaml

Get the token in the Secret:

kubectl get secret django-token-d2tz4 -o jsonpath='{.data.token}'

Now you can use this token as an HTTP bearer token in the Kubernetes API requests from your Django app outside the cluster.

That is, include the token in the HTTP Authorization header of the Kubernetes API requests like this:

Authorization: Bearer <TOKEN>

In this way, your request passes the authentication stage in the API server. However, the service account has no permissions yet (authorisation).

You can assign the required permissions to your service account with Roles and RoleBindings:

kubectl create role django --verb <...> --resource <...>
kubectl create rolebinding django --role django --serviceaccount django

Regarding security: grant only the minimum permissions needed to the service account (principle of least privileges), and if you think someone stole the service account token, you can just delete the service account with kubectl delete serviceaccount django to invalidate the token.

See also here for an example of the presented approach. Especially:

Service account bearer tokens are perfectly valid to use outside the cluster and can be used to create identities for long standing jobs that wish to talk to the Kubernetes API.

-- weibeld
Source: StackOverflow