Workload Overview

Workload Identity

As of the 0.42 release of DGX Cloud Lepton, all workloads (Dev Pods, Batch, Endpoints) project an identity token into the workload containers. The projected token can be used to authenticate the workload to common services in major cloud providers (for example, AWS, GCP, Azure) through workload federation.

The procedures for federating identity with each cloud vendor vary slightly and are described below. Most cloud vendors provide Terraform or other automation methods for setting up the federation. Consult your cloud provider documentation for detailed information.

The key piece of information needed for any federation is the location of the public keys used by DGX Cloud Lepton to sign the tokens projected into workloads. This location is known as the OIDC Provider URL. The OIDC Provider URL can be found in the DGX Cloud Lepton dashboard on the Nodes -> <NodeGroup> page.

Token

Within the workload, the token is mapped to the file /var/run/secrets/kubernetes.io/serviceaccount/token and /run/secrets/kubernetes.io/serviceaccount/token. Workload applications can use this token for authentication.

An example token (decoded) looks like this:

A couple of notable features in the token are worth pointing out:

1. Currently, the only audience (aud) available is https://kubernetes.default.svc. All federations should be configured to accept this audience as the allowed audience.
2. The Kubernetes namespace is always ws- followed by the DGX Cloud Lepton workspaceID.
3. The Kubernetes service account (SA) is always default.
4. The sub field is the identity utilized for federation.

Refer to the following sections for details on federating DGX Cloud Lepton with your cloud provider.