Bound service account token Latest

Suggest a change

You can pull one or more service account tokens into the trigger by defining the serviceAccountName of the Kubernetes service account.

boundServiceAccountToken:                   # Optional.
  - parameter: connectionString             # Required - Defined by the scale trigger
    serviceAccountName: my-service-account  # Required.

Assumptions: namespace is in the same resource as referenced by scaleTargetRef.name in the ScaledObject, unless specified otherwise.

Permissions for KEDA to request service account tokens

By default, the KEDA operator does not have the necessary permissions to request service account tokens from an arbitrary service account. This is to prevent a privilege escalation where a bad actor could use KEDA to request tokens on behalf of any service account in the cluster.

To allow KEDA to request tokens from a service account, you must grant the keda-operator service account the necessary permissions using RBAC. This can be done by creating a Role and a RoleBinding in the service account’s namespace to allow the keda-operator service account the create permission on the namespaced serviceaccounts/token subresource.

Here’s a minimal example of a Role and RoleBinding that grants the necessary permissions for the KEDA operator to request and use tokens from the namespaced my-service-account service account.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keda-operator-token-creator
  namespace: my-namespace # Replace with the namespace of the service account
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
  resourceNames:
  - my-service-account # Replace with the name of the service account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keda-operator-token-creator-binding
  namespace: my-namespace # Replace with the namespace of the service account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: keda-operator-token-creator
subjects:
- kind: ServiceAccount
  name: keda-operator
  namespace: keda # Assuming the keda-operator service account is in the keda namespace

After applying similar restrictive permissions in your cluster, you can create the TriggerAuthentication resource that references the service account name, allowing KEDA to request and use tokens on your behalf with your scaler. Note that the service account must also have the necessary Kubernetes API permissions to perform the actions required by the scaler, such as querying metrics or managing resources, if the scaler delegates authentication to the Kubernetes API.

Usage in keda-charts

If you use Helm Charts to deploy KEDA, you can supply namespaced names of the service accounts that KEDA request tokens from by setting the boundServiceAccountToken field in the values.yaml file. For example:

# values.yaml
permissions:
  operator:
    restrict:
      serviceAccountTokenCreationRoles:
      - name: myServiceAccount
        namespace: myServiceAccountNamespace

This will create the necessary Role and RoleBinding in the myServiceAccountNamespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keda-operator-token-creator-myServiceAccount
  namespace: myServiceAccountNamespace
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
  resourceNames:
  - myServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keda-operator-token-creator-binding-myServiceAccount
  namespace: myServiceAccountNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: keda-operator-token-creator-myServiceAccount
subjects:
- kind: ServiceAccount
  name: keda-operator
  namespace: keda