There are ways to reduce the number of resources provisioned by the agent for authentication in a Rancher cluster by employing different authentication methods.
Investigate possible approaches.
Initial set:
- Agent can issue a CSR request, which will be approved by Rancher to approve agent authentication, with a short spec.expirationSeconds value to allow revoking access.
- Agent can connect via a single set of SA, RoleBinding and Role, using certificate and a token.
Upon investigation of the system-agent functionality, the initial approach required a larger set of changes.
The number of resources required to allow access and execution of the system-agent plans in Rancher can be decreased to 2 per cluster machine.
- 1 ServiceAccount per cluster
- 1 Role per cluster (namespaced)
- 1 RoleBinding per cluster
- 2 Secrets per each cluster machine
  - 1 bootstrap Secret - connection info + kubeconfig
  - 1 system-agent Plan secret for the machine
Depending on the authentication model, this can be decreased further to 1 secret per machine. With the use of a TokenRequest, JWT expiration can be bound to the Plan secret lifecycle, allowing the bootstrap secret to be removed after node bootstrap completes.
- Original: 25 resources for a cluster with 5 machines
- Current: 10 resources for a cluster with 5 machines
- TokenRequest based: 5 resources (plan secrets) for a cluster with 5 machines.
Further improvements are possible only with changes to system-agent.
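
The TokenRequest variant from the comment above, as an added example that is not part of the issue or of Rancher's code: it builds a TokenRequest bound to a machine's plan Secret and checks, from a token's claims, that the binding and lifetime are what was requested. The Secret name, UID, namespace and TTL are constructed placeholders, and the sample token is unsigned.

```python
import base64
import json

def token_request(secret_name, secret_uid, ttl_seconds=3600):
    """TokenRequest body to POST to the ServiceAccount's `token` subresource."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenRequest",
        "spec": {
            "expirationSeconds": ttl_seconds,
            # Binding to the plan Secret: deleting that Secret invalidates the JWT.
            "boundObjectRef": {"kind": "Secret", "apiVersion": "v1",
                               "name": secret_name, "uid": secret_uid},
        },
    }

def jwt_claims(token):
    """Decode the JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def binding_problems(token, secret_name, secret_uid, max_ttl):
    """Return reasons the token does not match the expected plan-Secret binding."""
    claims = jwt_claims(token)
    bound = claims.get("kubernetes.io", {}).get("secret")
    problems = []
    if bound is None:
        problems.append("not bound to a Secret")
    elif (bound.get("name"), bound.get("uid")) != (secret_name, secret_uid):
        problems.append("bound to a different Secret")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None or exp - iat > max_ttl:
        problems.append("lifetime missing or longer than allowed")
    return problems

def sample_token(claims):
    """Constructed, unsigned JWT used only as offline sample input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

if __name__ == "__main__":
    # Constructed values: namespace, Secret name and UID are placeholders.
    uid = "00000000-0000-0000-0000-000000000001"
    claims = {"iat": 1700000000, "exp": 1700003600, "kubernetes.io": {
        "namespace": "example-ns", "secret": {"name": "machine-1-plan", "uid": uid}}}
    print(json.dumps(token_request("machine-1-plan", uid), indent=2))
    print(binding_problems(sample_token(claims), "machine-1-plan", uid, 3600))
```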