[Request] Kubernetes RBAC auth proxy #629

Open
grzesuav opened this issue Aug 30, 2024 · 4 comments
Labels
feat New feature or request

Comments

@grzesuav

Current Behavior

I can configure Cryostat only via basic auth.

Expected Behavior

I want to use something like OpenShift RBAC - https://github.com/cryostatio/cryostat-operator/blob/cryostat-v3.0/config/crd/bases/operator.cryostat.io_cryostats.yaml#L4887 - to allow users with specific permissions in Kubernetes to execute actions against target VMs in a given namespace.

Steps To Reproduce

n/a

Environment

n/a

Anything else?

Keycloak was suggested in #622 (reply in thread) - it would be valuable for users to have some example in documentation

@grzesuav grzesuav added bug Something isn't working needs-triage Needs thorough attention from code reviewers labels Aug 30, 2024
@andrewazores andrewazores changed the title [Bug] User mapping for non-openshift (kubernetes) use case documentations [Request] Kubernetes RBAC auth proxy Aug 30, 2024
@andrewazores andrewazores added feat New feature or request and removed bug Something isn't working needs-triage Needs thorough attention from code reviewers labels Aug 30, 2024
@andrewazores
Member

andrewazores commented Aug 30, 2024

Keycloak might do the job, not entirely sure if it can drop in as a k8s auth proxy replacement but at the least it can be configured to have its own user accounts or to hook up to an external OAuth provider (just maybe not the cluster internal one?)

This sounds like it would do something similar: https://github.com/jwalton/kube-auth-proxy . But I'm not sure from reading this if it supports an OAuth interactive login flow for browser usage or if it is only meant for programmatic access like kube-rbac-proxy. I'm not even sure if generic Kubernetes' internal auth server supports interactive OAuth login flows, so supporting this feature on non-OpenShift might require connecting to a separate external OAuth provider.

@andrewazores
Member

andrewazores commented Aug 30, 2024

@grzesuav in the meantime, along with #630, I would recommend you try something like this:

  1. Create Cryostat A in Namespace A, with Target Namespace A. Set up Basic auth with User A1, A2, ..., An for Team A to use. Only create these User accounts that correspond to users who have the create port-forward Role, or otherwise create just one User A and share the credentials for it with Team A members.
  2. Create Cryostat B in Namespace B with Target Namespace B. Set up Basic auth with User B1, B2, ..., Bn.
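
A concrete shape for the "create port-forward Role" referred to in step 1, as an added example that is not part of this thread or of the Cryostat project: a Kubernetes Role granting the create verb on the pods/portforward subresource in Namespace A, plus a RoleBinding that hands it to a group. The namespace name namespace-a, the group name team-a and the object names are assumptions standing in for Namespace A and Team A.

```yaml
# Added example, not Cryostat project code. Assumed names:
# "namespace-a" stands in for Namespace A, group "team-a" for Team A.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cryostat-port-forward
  namespace: namespace-a
rules:
  # "create" on the pods/portforward subresource is the permission
  # kubectl port-forward exercises when it opens the tunnel.
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
  # port-forward first reads the target pod, so read access is needed too.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-cryostat-port-forward
  namespace: namespace-a
subjects:
  # Bind the group rather than individual users, so membership of Team A
  # is managed in the identity provider and not in this manifest.
  - kind: Group
    name: team-a
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cryostat-port-forward
  apiGroup: rbac.authorization.k8s.io
```

Whether a given account actually holds this permission can be checked before handing out a Basic auth credential with `kubectl auth can-i create pods/portforward --namespace namespace-a --as user-a1 --as-group team-a`, which is the same yes/no answer an auth proxy such as kube-rbac-proxy obtains from the API server at request time. Because the Role is namespaced, a member of Team A gets no port-forward right in Namespace B.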

@grzesuav
Author

grzesuav commented Sep 5, 2024

Got it, I was hoping that this setup had already been done by someone who could share their experience. I will try to figure out something, however I'm unsure if I will have time to experiment with Keycloak etc.

@andrewazores
Member

Please do share any findings you have, if you do find the time. We would really love to have a better authentication/authorization system for non-OpenShift users as well, but we have to make decisions where and how to focus our efforts, and OpenShift takes priority.
