[core] Use dedicated service account path for Ray auth tokens#60409
Conversation
@sampan-s-nayak PTAL
Code Review
This pull request updates the service account token path to use a dedicated path for Ray, which is a good security practice. The changes correctly replace the old token path constant with a new one across the codebase. My review includes a few suggestions to improve code clarity by renaming variables that now refer to this new Ray-specific token path. Overall, the changes are solid and achieve the intended goal.
| @@ -153,7 +153,7 @@ TokenLoadResult AuthenticationTokenLoader::TryLoadTokenFromSources() { | |||
|
|
|||
| // Precedence 3 (ENABLE_K8S_TOKEN_AUTH only): Load Kubernetes service account token | |||
| if (IsK8sTokenAuthEnabled()) { | |||
| const std::string k8s_token_path(k8s::kK8sSaTokenPath); | |||
| const std::string k8s_token_path(k8s::kRaySaTokenPath); | |||
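Review bot: the comment above this block, `// Precedence 3 (ENABLE_K8S_TOKEN_AUTH only): Load Kubernetes service account token`, still describes the generic Kubernetes service account token, while the path now being read is `k8s::kRaySaTokenPath`; update the comment (along with the `k8s_token_path` name) to say this is the Ray-specific projected token, so the precedence list in this function stays accurate for whoever debugs token loading next.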
While this change is correct, the variable name k8s_token_path is now a bit misleading as it points to the Ray-specific service account token path (kRaySaTokenPath) instead of the generic Kubernetes one. For improved code clarity and maintainability, consider renaming this variable to something like ray_sa_token_path and updating its usages within this if block.
| std::string k8s_sa_token = ReadFile(kRaySaTokenPath); | ||
| if (k8s_sa_token.empty()) { |
For better clarity, since we are now reading the Ray-specific service account token, consider renaming the variable k8s_sa_token to ray_sa_token to reflect this change.
| std::string k8s_sa_token = ReadFile(kRaySaTokenPath); | |
| if (k8s_sa_token.empty()) { | |
| std::string ray_sa_token = ReadFile(kRaySaTokenPath); | |
| if (ray_sa_token.empty()) { |
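Review bot: `if (ray_sa_token.empty())` cannot distinguish a projected volume that is not mounted at `kRaySaTokenPath` from a token file that is present but empty, and the unmounted case is exactly what operators will hit when moving from the old kubernetes.io path to the new one; consider logging the path that was tried on the empty branch so the misconfiguration is diagnosable from the raylet log.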
| @@ -91,7 +91,7 @@ void InitK8sClientConfig() { | |||
| bool K8sApiPost(const std::string &path, | |||
| const nlohmann::json &body, | |||
| nlohmann::json &response_json) { | |||
| static std::string k8s_sa_token = ReadFile(kK8sSaTokenPath); | |||
| static std::string k8s_sa_token = ReadFile(kRaySaTokenPath); | |||
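Review bot: `K8sApiPost` now authenticates to the Kubernetes API with the token read from `kRaySaTokenPath`, but the description says the ray.io token exists precisely so that it is not the same token used for Kubernetes API access; a projected token issued with a Ray-specific audience will be rejected by the API server, so either keep `kK8sSaTokenPath` in this function or document that the projected token's audience must also cover the API server. Separately, the `static` local reads the token once per process, while kubelet rotates projected service account tokens, so a long-lived raylet will eventually hold an expired token; re-read the file per request or at least on a 401.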
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
8c91a3a to 53253b8
Description
This PR updates the default service account token path for Raylet from
/var/run/secrets/kubernetes.io/serviceaccount/token to /var/run/secrets/ray.io/serviceaccount/token. This is to avoid using the same token that would be used for Kubernetes API access. Raylet pods can be configured with additional audience-specific tokens using a feature called serviceAccountToken projected volumes. E.g.:
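The projected-volume setup the description refers to, as an added example that is not part of the PR or of the Ray project's own manifests: a Pod spec that keeps the default kubernetes.io token automounted for API access and additionally projects a second, audience-bound token at the new Ray path. The pod name, service account name, image tag and the `ray.io` audience are assumptions for illustration; the mount path matches the new constant in this PR.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: raylet-example            # constructed name for this example
spec:
  serviceAccountName: ray-worker  # assumed service account
  # The default token stays automounted at
  # /var/run/secrets/kubernetes.io/serviceaccount/token for Kubernetes API calls.
  containers:
    - name: raylet
      image: rayproject/ray:latest  # placeholder image
      volumeMounts:
        - name: ray-sa-token
          mountPath: /var/run/secrets/ray.io/serviceaccount  # directory holding kRaySaTokenPath
          readOnly: true
  volumes:
    - name: ray-sa-token
      projected:
        sources:
          - serviceAccountToken:
              path: token            # file becomes /var/run/secrets/ray.io/serviceaccount/token
              audience: ray.io       # assumed Ray-specific audience; rejected by kube-apiserver
              expirationSeconds: 3600
```

Because the projected token carries its own audience and expiry, a verifier that receives it can check `aud` and reject tokens that were minted for the Kubernetes API, and the kubelet rewrites the file as it approaches expiry, so a consumer should re-read the path rather than cache the contents for the life of the process.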
Related issues
Additional information