Replies: 2 comments
-
Hi @steadyk, I'm not the most informed person on this topic but I'll try to answer your question. For all the different auth strategies, Kiali assumes that it will be given a token that it can use to directly communicate with the Kubernetes api server. In the kiali/business/authentication/openid_auth_controller.go Lines 1379 to 1390 in d91b83b Istio auth policies can help limit what users can talk to Kiali itself but can't limit what Kiali shows to users once they access Kiali. For that, Kiali needs a token that it can use to talk to the kubernetes api server. Today you have a couple of options:
There's been some talk in the past of having the list of namespaces the user has access to passed in through an identity claim. If this were implemented it might work well with your use case/constraints and the security features istio already offers. Hope that helps. |
Beta Was this translation helpful? Give feedback.
-
Hi @nrfox, thanks for taking the time to answer these questions!
Since we do not have a Kubernetes OpenID connect integration in our clusters, our hope was to use the received token together with an Istio AuthorizationPolicy to restrict the access based on the roles in the token. At least for a general allow/deny to the whole Kiali UI. Our rather simple assumption was something like that:
But we were not able to see any access to the Keycloak token endpoint in the browser console (maybe that traffic is somehow hidden?). So probably since we use
That's a valid hint. Indeed this will only helps to allow/deny the access to Kiali UI in general, not to certain workloads etc. To achieve this an alternative could be to use multiple Kiali instances for different domains.
That sounds like a possible approach. Although since we do not have a OpenID connect integration in our clusters, RBAC with Kiali might not work, but we could at least allow/deny access to the whole UI. We might take a deeper look into that later on. Thanks!
That's the way we use it at the moment. Our Keycloak setup currently just performs authentication but no authorization. This will be done by the client applications based on the roles in the JWT. Since we currently using a cluster-wide Kiali with basic Keycloak authentication, we just discover our options on how to restrict the access to certain users. Thanks for your suggestions! :-) |
Beta Was this translation helpful? Give feedback.
-
Hi all,
this a question about whether a certain approach to authorization for access to the Kiali UI is doable and reasonable.
We are currently using Kiali in a Kubernetes cluster with Keycloak and authorization strategy OpenID connect.
Currently we have only authentication for the Kiali UI. We would like to implement authorization based on user roles from our LDAP via Keycloak.
The approach with OpenID integration in Kubernetes and namespace access control, as described in the documentation, doesn't seem to be useful for us, because this would require massive changes in our platform.
So we decided to try handling authorization with Istio AuthorizationPolicies and Keycloak. As far as we understood, Kiali is using authorization code flow. We checked the communication between Kiali and Keycloak and saw the authorization code, but no JWT token afterwards. In the Istio proxy logs we only saw
Jwt is missing
.We started looking at the code and also found an issue where the phasing out of JWTs was discussed. So we are unsure whether JWTs are currently used anymore in Kiali.
So our question is: Is the approach of using Istio AuthorizationPolicies to authorize users based on roles from LDAP over Keycloak reasonable/possible?
Based on the answer we would decide whether to explore this further or try another approach.
Thanks in advance for your time.
Beta Was this translation helpful? Give feedback.
All reactions