
enable pai services to access rest-server without token set by admin manually

Open hzy46 opened this issue 4 years ago • 0 comments

Some PAI services, like the alert handler and the incoming DB GCer, need to access rest-server. Thus, a cluster admin always needs to set a token manually for the service. However, this operation is kind of troublesome, and the token might expire in the future, which is hard to monitor and will cause more work for the admin.

We can leverage k8s RBAC to better handle the rest-server token, like this:

  1. When services start (cluster is deployed), set up a token in a secret.

  2. Use RBAC to let certain OpenPAI services access the token.

  3. Provide a command in paictl to refresh the token in case it is leaked.

Potential applications of this feature:

  • WebPortal abnormal jobs: refactor with tag filter
  • DB GCer

hzy46 · Sep 23 '20 09:09
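The three steps proposed in the issue could map onto Kubernetes objects as in the manifest below. This is an added example, not code from the issue or from OpenPAI; the namespace, secret name, role names and service account names are all hypothetical, and the token value is a placeholder.

```yaml
# Step 1: the deployment writes the rest-server token into a Secret.
# All names in this manifest are hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: pai-rest-server-token
  namespace: default
type: Opaque
stringData:
  token: "<TOKEN-GENERATED-AT-DEPLOY-TIME>"   # placeholder, never commit a real value
---
# Step 2: a Role that can read this one Secret and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-rest-server-token
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["pai-rest-server-token"]  # scope to a single Secret by name
    verbs: ["get"]                            # read-only: no list, watch or write
---
# Bind the Role only to the service accounts of the services that need the token.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-rest-server-token
  namespace: default
subjects:
  - kind: ServiceAccount
    name: alert-handler        # hypothetical service account
    namespace: default
  - kind: ServiceAccount
    name: database-gc          # hypothetical service account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-rest-server-token
# Step 3: refreshing the token means replacing the Secret's data. Services that
# read the Secret through the API or a mounted volume see the new value; services
# that took it from an environment variable keep the old one until restarted.
```

Omitting `resourceNames` would let the bound service accounts read every Secret in the namespace, so the name scoping is what keeps this grant least-privilege.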