This controller enhances target deployments and statefulsets with side-car containers that perform OIDC authentication and Kubernetes RBAC authorization for incoming HTTP requests.

Applications such as Prometheus usually do not offer any security mechanisms of their own and delegate such responsibilities to cluster owners. This controller aims at providing a solution for bringing an authentication layer (oauth2-proxy) and an authorization layer (kube-rbac-proxy) in front of the targeted workloads, simplifying the required configuration in a consistent way.

Targets for enhancement are identified using label selectors and/or namespace selectors. For example:
```yaml
# OIDC Apps Extension Configuration for a k8s cluster
configuration:
  oidcProviderConfig:
    scope: "openid"                            # The default OIDC scope.
    clientId: "nginx"                          # Client identifier in the OIDC provider configuration.
    oidcIssuerUrl: "https://oidc.provider.com" # OIDC issuer
  domainName: "company.org"                    # Cluster-wide domain, shared by all enhanced targets
  # All deployments in the cluster with the app=nginx label are enhanced by the oidc-app-controller
  targets:
    - name: nginx
      labelSelector:       # matching labels for the deployments
        matchLabels:
          app: nginx
      targetPort: http     # upstream port of the targeted container
      targetProtocol: http # upstream protocol
      ingress:
        create: true
        tlsSecretRef:
          name: "ingress-wildcard-tls"
```
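The following is an added example, not code from the controller itself: it models how a target definition like the one above selects workloads by `matchLabels` (every label in the selector must match) and resolves the `targetPort` that the injected side-cars would forward to. The config and the sample deployments are constructed inline as plain dicts mirroring the YAML shapes on this page; the `namespaces` key on the second target is an assumption used only to illustrate combining a namespace restriction with a label selector, and is not the controller's schema.

```python
"""Added example (not the controller's own code): which workloads does a
target select, and which container port does its targetPort resolve to?"""

# Constructed configuration mirroring the README's YAML shape.
CONFIG = {
    "configuration": {
        "domainName": "company.org",
        "targets": [
            {
                "name": "nginx",
                "labelSelector": {"matchLabels": {"app": "nginx"}},
                "targetPort": "http",        # named port, must exist on the container
                "targetProtocol": "http",
            },
            {
                "name": "prometheus",
                # Assumption: an illustrative namespace restriction, not the controller's schema.
                "namespaces": ["monitoring"],
                "labelSelector": {"matchLabels": {"app": "prometheus", "tier": "metrics"}},
                "targetPort": 9090,          # numeric port
                "targetProtocol": "http",
            },
        ],
    }
}

# Constructed sample workloads: namespace, name, labels and the container's ports.
DEPLOYMENTS = [
    {"namespace": "default", "name": "nginx", "labels": {"app": "nginx"},
     "ports": [{"name": "http", "containerPort": 8080}]},
    # Matches app=nginx but has no port named "http": a misconfiguration to surface.
    {"namespace": "default", "name": "nginx-canary", "labels": {"app": "nginx", "track": "canary"},
     "ports": [{"name": "web", "containerPort": 80}]},
    {"namespace": "monitoring", "name": "prometheus", "labels": {"app": "prometheus", "tier": "metrics"},
     "ports": [{"name": "http", "containerPort": 9090}]},
    # Same labels, but outside the allowed namespace: must not be selected.
    {"namespace": "staging", "name": "prometheus", "labels": {"app": "prometheus", "tier": "metrics"},
     "ports": [{"name": "http", "containerPort": 9090}]},
]


def matches_labels(selector, labels):
    """matchLabels semantics: every key/value pair in the selector must be present (AND)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def resolve_port(target_port, ports):
    """Resolve a named or numeric targetPort to a containerPort; None if it does not exist."""
    for p in ports:
        if target_port == p.get("name") or target_port == p["containerPort"]:
            return p["containerPort"]
    return None


def select_targets(config, deployments):
    """Return {(namespace, name): (target name, upstream port)} for every selected workload.
    A selected workload whose targetPort cannot be resolved is reported with port None,
    which is the configuration error to catch before any side-car is injected."""
    selected = {}
    for target in config["configuration"]["targets"]:
        allowed_ns = target.get("namespaces")  # None means "any namespace"
        for d in deployments:
            if allowed_ns is not None and d["namespace"] not in allowed_ns:
                continue
            if not matches_labels(target["labelSelector"], d["labels"]):
                continue
            key = (d["namespace"], d["name"])
            selected[key] = (target["name"], resolve_port(target["targetPort"], d["ports"]))
    return selected


if __name__ == "__main__":
    for (ns, name), (target, port) in sorted(select_targets(CONFIG, DEPLOYMENTS).items()):
        status = f"upstream port {port}" if port else "ERROR: targetPort not found on container"
        print(f"{ns}/{name}: target={target}, {status}")
```

Running the block selects `default/nginx` (port 8080) and `monitoring/prometheus` (port 9090), flags `default/nginx-canary` because its container has no port named `http`, and skips `staging/prometheus` because of the namespace restriction. The unresolved-port case is worth checking in any admission or reconcile path: a side-car forwarding to a non-existent upstream port fails open or closed depending on the proxy, and neither is what the operator intended.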
External dependencies:
Feedback and contributions are always welcome. Please report bugs or suggestions as GitHub issues, or join our Slack channel #gardener (please invite yourself to the Kubernetes workspace here).

Please find further resources about our project here: