1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -39,6 +39,7 @@ NOTE: As semantic versioning states all 0.y.z releases can contain breaking chan
- [#239](https://github.com/kobsio/kobs/pull/239): [azure] Cost Management drill-down on resource groups.
- [#238](https://github.com/kobsio/kobs/pull/238): [core] Refactor frontend code for plugins (change options handling, use `setDetails` instead of `showDetails` and rename plugins options in panels to `pluginOptions`).
- [#240](https://github.com/kobsio/kobs/pull/240): [core] Switch from `github.com/sirupsen/logrus` to `go.uber.org/zap` for logging and enrich log lines via `context.Context`.
- [#241](https://github.com/kobsio/kobs/pull/241): [core] :warning: _Breaking change:_ :warning: Rework authentication / authorization middleware and adjust the Custom Resource Definition for Users and Teams.

## [v0.7.0](https://github.com/kobsio/kobs/releases/tag/v0.7.0) (2021-11-19)

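Review bot: the #241 entry flags a breaking change but does not say what breaks; this PR renames `--api.auth.header` and `--api.auth.interval` to `--api.auth.header.user`, `--api.auth.header.teams` and `--api.auth.session.interval`, drops `--api.auth.default-team` from the Helm deployment args, renames `permissions.custom` to `permissions.plugins` in the Team CRD and makes `id` (Team) and `profile` (User) required, so list those in the entry or link to a migration note so operators upgrading from v0.7.0 know what to change.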
2 changes: 1 addition & 1 deletion deploy/helm/kobs/Chart.yaml
Expand Up @@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
type: application
home: https://kobs.io
icon: https://kobs.io/assets/images/logo.svg
version: 0.8.3
version: 0.8.4
appVersion: v0.7.0
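Review bot: a chart patch bump (0.8.3 to 0.8.4) understates this change: the CRDs shipped by the chart gain new required fields (`id` on Teams, `profile` on Users) and drop fields, and the values `auth.defaultTeam`, `auth.header` and `auth.interval` disappear, so existing values files stop working; a minor bump signals that better. `appVersion` also still says v0.7.0 while the CHANGELOG entry belongs to the next release, so make sure it is updated at release time.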
11 changes: 5 additions & 6 deletions deploy/helm/kobs/crds/kobs.io_teams.yaml
Expand Up @@ -125,6 +125,8 @@ spec:
type: array
description:
type: string
id:
type: string
links:
items:
properties:
Expand All @@ -145,7 +147,7 @@ spec:
type: string
permissions:
properties:
custom:
plugins:
items:
properties:
name:
Expand All @@ -154,13 +156,8 @@ spec:
x-kubernetes-preserve-unknown-fields: true
required:
- name
- permissions
type: object
type: array
plugins:
items:
type: string
type: array
resources:
items:
properties:
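Review bot: `permissions` is dropped from the `required` list of a `permissions.plugins` entry while the field stays `x-kubernetes-preserve-unknown-fields`, so a Team CR can now list a plugin with only a `name`; the schema does not say whether that grants the plugin fully, nothing, or leaves it to the plugin. State the intended semantics in the CRD description (or keep `permissions` required) so a missing block is never silently read as full access. Also, because the old `permissions.plugins` string list is removed and `custom` takes over its name, an existing Team CR with the old shape fails validation instead of being migrated; that deserves a line in the docs.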
Expand All @@ -186,6 +183,8 @@ spec:
- plugins
- resources
type: object
required:
- id
type: object
type: object
served: true
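Review bot: adding `id` to the spec-level `required` list means every existing Team CR created before this field existed is rejected on its next apply or update once the new CRD is installed. Either document the upgrade step (set `spec.id` on all Teams before upgrading the CRDs) or keep `id` optional for one release.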
63 changes: 53 additions & 10 deletions deploy/helm/kobs/crds/kobs.io_users.yaml
Expand Up @@ -31,22 +31,66 @@ spec:
type: object
spec:
properties:
bio:
type: string
cluster:
type: string
email:
type: string
fullName:
type: string
id:
type: string
name:
type: string
namespace:
type: string
position:
type: string
permissions:
properties:
plugins:
items:
properties:
name:
type: string
permissions:
x-kubernetes-preserve-unknown-fields: true
required:
- name
type: object
type: array
resources:
items:
properties:
clusters:
items:
type: string
type: array
namespaces:
items:
type: string
type: array
resources:
items:
type: string
type: array
required:
- clusters
- namespaces
- resources
type: object
type: array
required:
- plugins
- resources
type: object
profile:
properties:
bio:
type: string
email:
type: string
fullName:
type: string
position:
type: string
required:
- email
- fullName
type: object
teams:
items:
properties:
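Review bot: a `permissions.resources` entry is only `clusters` x `namespaces` x `resources` with no verb or action field, so a grant on a resource covers every operation kobs exposes on it, read and mutating alike; if that is intended, say so in the CRD description and the authentication docs, otherwise consider a `verbs` list. Note also that `profile` requires `email` and `fullName` while the docs in this PR say the `--api.auth.header.user` header carries the user id that is matched against the User CR, so `profile.email` and `id` can diverge; document which one is authoritative.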
Expand All @@ -61,9 +105,8 @@ spec:
type: object
type: array
required:
- email
- fullName
- id
- profile
type: object
type: object
served: true
6 changes: 3 additions & 3 deletions deploy/helm/kobs/templates/deployment.yaml
Expand Up @@ -33,10 +33,10 @@ spec:
imagePullPolicy: {{ .Values.kobs.image.pullPolicy }}
args:
- --development={{ .Values.kobs.settings.development }}
- --api.auth.default-team={{ .Values.kobs.settings.auth.defaultTeam }}
- --api.auth.enabled={{ .Values.kobs.settings.auth.enabled }}
- --api.auth.header={{ .Values.kobs.settings.auth.header }}
- --api.auth.interval={{ .Values.kobs.settings.auth.interval }}
- --api.auth.header.teams={{ .Values.kobs.settings.auth.headerTeams }}
- --api.auth.header.user={{ .Values.kobs.settings.auth.headerUser }}
- --api.auth.session.interval={{ .Values.kobs.settings.auth.sessiontInterval }}
- --clusters.cache-duration.namespaces={{ .Values.kobs.settings.clustersCacheDurationNamespaces }}
- --log.format={{ .Values.kobs.settings.logFormat }}
- --log.level={{ .Values.kobs.settings.logLevel }}
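Review bot: `.Values.kobs.settings.auth.sessiontInterval` has a typo (`sessiont`); it is consistent with `values.yaml` and `helm.md` in this PR so the template renders, but fixing it later becomes a breaking values change, so rename it to `sessionInterval` in all three places now. `--api.auth.session.token` is deliberately not passed here and comes from the `KOBS_API_AUTH_SESSION_TOKEN` env example in `values.yaml`; a short comment next to these args saying so would stop someone adding the token as a plain arg, where it is visible in the pod spec and process list.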
15 changes: 12 additions & 3 deletions deploy/helm/kobs/values.yaml
Expand Up @@ -99,16 +99,25 @@ kobs:
## Specify additional environment variables for the kobs container.
##
env: []
## For example the following can be used to set the token to sign the JWT token when authentication for kobs is
## enabled. In this example we are using the "KOBS_API_AUTH_SESSION_TOKEN" key from a secret named "kobs" (must be
## created manually) to set the "KOBS_API_AUTH_SESSION_TOKEN" environment variable.
##
# - name: KOBS_API_AUTH_SESSION_TOKEN
# valueFrom:
# secretKeyRef:
# name: kobs
# key: KOBS_API_AUTH_SESSION_TOKEN

## Specify some settings like log level, log format, etc. for kobs.
##
settings:
development: false
auth:
enabled: false
defaultTeam: ""
header: X-Auth-Request-Email
interval: 1h0m0s
headerTeams: X-Auth-Request-Groups
headerUser: X-Auth-Request-Email
sessiontInterval: 48h0m0s
clustersCacheDurationNamespaces: 5m
logFormat: console
logLevel: info
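Review bot: the comment describes the value as "the token to sign the JWT token" while `getting-started.md` in this PR describes `--api.auth.session.token` as "the token to encrypt the session cookie"; pick one description so operators know what the secret protects. The example also leaves implicit what happens when `auth.enabled: true` and the secret is missing; state whether kobs refuses to start or runs with an empty token, since the latter would make session cookies trivially forgeable.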
11 changes: 5 additions & 6 deletions deploy/kustomize/crds/kobs.io_teams.yaml
Expand Up @@ -125,6 +125,8 @@ spec:
type: array
description:
type: string
id:
type: string
links:
items:
properties:
Expand All @@ -145,7 +147,7 @@ spec:
type: string
permissions:
properties:
custom:
plugins:
items:
properties:
name:
Expand All @@ -154,13 +156,8 @@ spec:
x-kubernetes-preserve-unknown-fields: true
required:
- name
- permissions
type: object
type: array
plugins:
items:
type: string
type: array
resources:
items:
properties:
Expand All @@ -186,6 +183,8 @@ spec:
- plugins
- resources
type: object
required:
- id
type: object
type: object
served: true
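Review bot: this file is a copy of the three hunks in `deploy/helm/kobs/crds/kobs.io_teams.yaml` (same `id` addition, `custom` to `plugins` rename, `id` made required), so the same review points apply and the two copies can drift; if they are not already, generate both from one source in the build so a CRD change cannot land in only one deployment path.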
63 changes: 53 additions & 10 deletions deploy/kustomize/crds/kobs.io_users.yaml
Expand Up @@ -31,22 +31,66 @@ spec:
type: object
spec:
properties:
bio:
type: string
cluster:
type: string
email:
type: string
fullName:
type: string
id:
type: string
name:
type: string
namespace:
type: string
position:
type: string
permissions:
properties:
plugins:
items:
properties:
name:
type: string
permissions:
x-kubernetes-preserve-unknown-fields: true
required:
- name
type: object
type: array
resources:
items:
properties:
clusters:
items:
type: string
type: array
namespaces:
items:
type: string
type: array
resources:
items:
type: string
type: array
required:
- clusters
- namespaces
- resources
type: object
type: array
required:
- plugins
- resources
type: object
profile:
properties:
bio:
type: string
email:
type: string
fullName:
type: string
position:
type: string
required:
- email
- fullName
type: object
teams:
items:
properties:
Expand All @@ -61,9 +105,8 @@ spec:
type: object
type: array
required:
- email
- fullName
- id
- profile
type: object
type: object
served: true
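Review bot: same as the Helm copy in `deploy/helm/kobs/crds/kobs.io_users.yaml`: the `permissions.resources` entries carry no verbs and `profile` and `id` become required, so the review points there apply here too; keep the two CRD copies generated from one source rather than edited twice.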
8 changes: 7 additions & 1 deletion docs/configuration/authentication.md
Expand Up @@ -2,6 +2,12 @@

kobs hasn't any built in authentication mechanism. We recommend to run kobs behind a service like [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/), which should handle the authentication of users.

## Permissions

If the authentication / authorization middleware for kobs is enabled via the `--api.auth.enabled` flag, we use the value from the `--api.auth.header.user` and `--api.auth.header.teams` header to authorize the user to access a plugin or Kubernetes resource. These headers should be set by a service like the OAuth2 Proxy like it is shown in the following examples.

The values from the headers are then used to get a [User CR](../resources/users.md) or a [Team CR](../resources/teams.md). If the user is part of multiple teams or when the permissions are set via the User CR and the Team CR, we merge all the permissions, so that the user can access all plugins and resources which are allowed for the user / teams.

## Examples

The following two examples show how you can setup kobs with an OAuth2 Proxy infront using the [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/) or [Istio](https://istio.io). Before you are looking into the examples, make sure you have setup your prefered [OAuth Provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider). We will use Google as our OAuth Provider in the following, which requires a Client ID and a Client Secret.
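Review bot: the Permissions section should say explicitly that kobs trusts the `--api.auth.header.user` and `--api.auth.header.teams` values as delivered, so kobs must only be reachable through the proxy that sets them (network policy, or the proxy being the only route to the service); otherwise any client that reaches the service directly chooses its own identity and teams. That is the main operational caveat of header-based auth and belongs right next to the recommendation to run behind OAuth2 Proxy. Also, "we merge all the permissions" should spell out that this is a union: team membership can only add access, never restrict what a User CR grants.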
Expand Down Expand Up @@ -208,7 +214,7 @@ meshConfig:
service: oauth2-proxy.kobs.svc.cluster.local
port: "4180"
includeHeadersInCheck: ["authorization", "cookie"]
headersToUpstreamOnAllow: ["authorization", "x-auth-request-email"]
headersToUpstreamOnAllow: ["authorization", "x-auth-request-email", "x-auth-request-groups"]
```

The external authorizer is now ready to be used by the authorization policy.
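Review bot: forwarding `x-auth-request-groups` here covers the Istio example, but the Permissions section added in this PR says both headers are needed regardless of setup; check that the NGINX Ingress example in this same document (not touched in this diff) forwards `X-Auth-Request-Groups` as well, otherwise the teams header arrives empty and the user only gets the permissions from their User CR.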
9 changes: 6 additions & 3 deletions docs/configuration/getting-started.md
Expand Up @@ -11,14 +11,17 @@ The following command-line arguments and environment variables are available.
| `--api.address` | `KOBS_API_ADDRESS` | The address, where the API server is listen on. | `:15220` |
| `--api.auth.default-team` | `KOBS_API_AUTH_DEFAULT_TEAM` | The name of the team, which should be used for a users permissions when a user hasn't any teams. The team is specified in the following format: `cluster,namespace,name` | |
| `--api.auth.enabled` | | Enable the authentication and authorization middleware. | `false` |
| `--api.auth.header` | `KOBS_API_AUTH_HEADER` | The header, which contains the details about the authenticated user. More information can be found in the [Authentication](authentication.md) section. | `X-Auth-Request-Email` |
| `--api.auth.interval` | `KOBS_API_AUTH_INTERVAL` | The interval to refresh the internal users list and there permissions. | `1h0m0s` |
| `--api.auth.header.teams string` | `KOBS_API_AUTH_HEADER_TEAMS` | The header, which contains the team ids. | `X-Auth-Request-Groups` |
| `--api.auth.header.user string` | `KOBS_API_AUTH_HEADER_USER` | The header, which contains the user id. | `X-Auth-Request-Email` |
| `--api.auth.session.interval duration` | `KOBS_API_AUTH_SESSION_INTERVAL` | The interval for how long a session is valid. | `48h0m0s` |
| `--api.auth.session.token string` | `KOBS_API_AUTH_SESSION_TOKEN` | The token to encrypt the session cookie. | |
| `--app.address` | `KOBS_APP_ADDRESS` | The address, where the Application server is listen on. | `:15219` |
| `--app.assets` | `KOBS_APP_ASSETS` | The location of the assets directory. | `app/build` |
| `--clusters.cache-duration.namespaces` | `KOBS_CLUSTERS_CACHE_DURATION_NAMESPACES` | The duration, for how long requests to get the list of namespaces should be cached. | `5m` |
| `--config` | `KOBS_CONFIG` | Name of the configuration file. | `config.yaml` |
| `--development` | | Use development version | `false` |
| `--log.format` | `KOBS_LOG_FORMAT` | Set the output format of the logs. Must be `plain` or `json`. | `plain` |
| `--log.level` | `KOBS_LOG_LEVEL` | Set the log level. Must be `trace`, `debug`, `info`, `warn`, `error`, `fatal` or `panic`. | `info` |
| `--log.level` | `KOBS_LOG_LEVEL` | Set the log level. Must be `debug`, `info`, `warn`, `error`, `fatal` or `panic`. | `info` |
| `--metrics.address` | `KOBS_METRICS_ADDRESS` | The address, where the Prometheus metrics are served. | `:15221` |
| `--version` | | Print version information. | `false` |

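Review bot: the new rows carry the type in the flag column (`--api.auth.header.teams string`, `--api.auth.session.interval duration`) while every other row lists the bare flag; drop the type suffix for consistency. The `--api.auth.default-team` row stays although the Helm deployment and `helm.md` in this PR remove `defaultTeam`; if the flag still exists the chart should keep exposing it, otherwise delete the row. Finally, `--log.format` here says `plain` or `json` with default `plain`, while `values.yaml` and `helm.md` say `console` or `json` with default `console`; one of them is wrong.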
6 changes: 3 additions & 3 deletions docs/installation/helm.md
Expand Up @@ -68,9 +68,9 @@ helm upgrade --install kobs kobs/kobs
| `kobs.env` | Set additional environment variables for the kobs container. | `[]` |
| `kobs.settings.development` | Run kobs in development mode. | `false` |
| `kobs.settings.auth.enabled` | Enable the authentication and authorization middleware. | `false` |
| `kobs.settings.auth.defaultTeam` | The name of the team, which should be used for a users permissions when a user hasn't any teams. The team is specified in the following format: `cluster,namespace,name`. | `""` |
| `kobs.settings.auth.header` | The header, which contains the details about the authenticated user. | `X-Auth-Request-Email` |
| `kobs.settings.auth.interval` | The interval to refresh the internal users list and there permissions. | `1h0m0s` |
| `kobs.settings.auth.headerTeams` | The header, which contains the team ids. | `X-Auth-Request-Email` |
| `kobs.settings.auth.headerUser` | The header, which contains the user id. | `X-Auth-Request-Groups` |
| `kobs.settings.auth.sessiontInterval` | The interval for how long a session is valid. | `48h0m0s` |
| `kobs.settings.clustersCacheDurationNamespaces` | The duration for how long the list of namespaces for each cluster should be cached. | `5m` |
| `kobs.settings.logFormat` | Set the output format of the logs. Must be `console` or `json`. | `console` |
| `kobs.settings.logLevel` | Set the log level. Must be `debug`, `info`, `warn`, `error`, `fatal` or `panic`. | `info` |
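Review bot: the defaults for `kobs.settings.auth.headerTeams` and `kobs.settings.auth.headerUser` are swapped: `values.yaml` in this PR sets `headerTeams: X-Auth-Request-Groups` and `headerUser: X-Auth-Request-Email`, but the table lists the opposite. Fix before merge, since anyone copying the table values would end up identifying users by their groups header. `sessiontInterval` also carries the typo from `values.yaml`.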