Allow setting service account on build pods #1506

Open
yuvipanda opened this issue Jun 24, 2022 · 2 comments

Comments

@yuvipanda
Collaborator

Proposed change

Currently, we pass in the username / password for the docker registry so we can push images to it. There are solutions like workload-identity and IRSA that allow using kubernetes service accounts to be used instead to authenticate to cloud services.

Currently, there's no way to configure which kubernetes service account the build pods should use. We'll need to expose that as an option to make use of it.

Alternative options

  • Add an extra_pod_config and extra_container_config option instead that are more generic ways to customize the build pod.

Who would use this feature?

  • Anyone running binderhubs on cloud providers

(Optional): Suggest a solution

  • Add traitlet that allows configuring this
  • Pass it on to the Builder object, so it can use it to construct the pod
  • Add some unit tests
@thomas-bc

An alternative solution to support AWS ECR as the docker registry was proposed (and just updated) in #1055. I will look into your proposed change and see if I can (and have time to) come up with something.

@manics
Member

manics commented Aug 19, 2022

I've commented on #1055 (comment)
but before you start work be aware I've made some big changes in #1518 and there's a follow-up PR in #1521 to switch the defaults.

If you want to add a service account I think you can just add a new traitlets config to

```python
class KubernetesBuildExecutor(BuildExecutor):
    """Represents a build of a git repository into a docker image.

    This ultimately maps to a single pod on a kubernetes cluster. Many
    different build objects can point to this single pod and perform
    operations on the pod. The code in this class needs to be careful and take
    this into account.

    For example, operations a Build object tries might not succeed because
    another Build object pointing to the same pod might have done something
    else. This should be handled gracefully, and the build object should
    reflect the state of the pod as quickly as possible.

    ``name``
        The ``name`` should be unique and immutable since it is used to
        sync to the pod. The ``name`` should be unique for a
        ``(repo_url, ref)`` tuple, and the same tuple should correspond
        to the same ``name``. This allows use of the locking provided by k8s
        API instead of having to invent our own locking code.
    """
```

and pass that into the pod creation method if it's set. Ignore the old Build class and most of the BinderHub.* settings; with the new Traitlets based class there's no need to pass parameters down through the whole BinderHub stack since Traitlets automatically passes them to the class.
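The pod-creation side of the change discussed in this thread, as an added example that is not binderhub's own code: the build pod is pinned to a configured Kubernetes service account so that workload identity / IRSA grants registry push access, and in that case no registry username/password is placed in the pod at all. Plain dicts stand in for the kubernetes client's V1Pod objects so it runs offline, the traitlets wiring from the comment above is left out (the value is passed as a parameter), and the secret mount path is an assumption of this example.

```python
import re

# Kubernetes object names (service accounts included) must be DNS-1123
# subdomains: lowercase alphanumerics, '-' and '.', at most 253 characters.
_DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def validate_service_account(name):
    """Reject values Kubernetes would refuse anyway, before any pod is created."""
    if len(name) > 253 or not _DNS1123_SUBDOMAIN.match(name):
        raise ValueError(f"invalid service account name: {name!r}")
    return name


def build_pod_manifest(name, image, *, service_account=None, registry_secret=None):
    """Return a pod manifest (plain dict) for one image build.

    Exactly one credential path is used:
    - service_account: the pod runs as that Kubernetes service account and no
      registry username/password is put in the pod; push access is expected to
      come from the cloud IAM binding (workload identity / IRSA) on it.
    - registry_secret: the docker config Secret is mounted, as before.
    """
    if service_account and registry_secret:
        raise ValueError("configure either a service account or a registry secret, not both")
    container = {"name": "builder", "image": image, "volumeMounts": []}
    spec = {"restartPolicy": "Never", "containers": [container], "volumes": []}
    if service_account:
        spec["serviceAccountName"] = validate_service_account(service_account)
        # The projected token must reach the container for the cloud SDK to use it.
        spec["automountServiceAccountToken"] = True
    else:
        # Without workload identity the builder needs no Kubernetes API access.
        spec["automountServiceAccountToken"] = False
        if registry_secret:
            spec["volumes"].append(
                {"name": "docker-config", "secret": {"secretName": registry_secret}}
            )
            # Mount path is an assumption for this example, not binderhub's real path.
            container["volumeMounts"].append(
                {"name": "docker-config", "mountPath": "/docker-config", "readOnly": True}
            )
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}
```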
