-
Notifications
You must be signed in to change notification settings - Fork 702
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add design proposal for sso without oidc api server. (#2145)
- Loading branch information
1 parent
953e410
commit d0f03f0
Showing
1 changed file
with
11 additions
and
0 deletions.
There are no files selected for viewing
11 changes: 11 additions & 0 deletions
11
docs/architecture/design-proposals/sso-without-oidc-api-server.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# Supporting SSO without requiring K8s API server oidc configuration | ||
|
||
We’ve recently demonstrated Kubeapps running in different environments configured with single-sign-on such that users can deploy to multiple worker clusters. Though this works very well, it is only possible because we can control the --oidc-* arguments to the workload clusters’ api server configuration, enabling the api server to trust the same OIDC identity provider (eg. Dex) that Kubeapps trusts. | ||
|
||
In other environments, including but not restricted to Tanzu Mission Control, we do not have the ability to specify --oidc-* arguments for clusters and therefore do not have a way to enable user credentials to be trusted by the Kubernetes api server. Often these environments do not allow customization of the cluster authentication. For example, the cluster authentication configured by TMC requires an API token (created via tmc login) to use the TMC API to generate a short-lived token (via tmc cluster generate-token-v2) which is used to authenticate with the K8s API server. This works for the kubectl integration but is not usable for user authentication in a web app resulting in a credential for use with the API server. The scenario is similar for other managed Kubernetes platforms. | ||
|
||
Recently the [VMware Pinniped project](https://github.com/vmware-tanzu/pinniped) was announced which “allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters”, importantly, without needing to do so at cluster creation time. This appears to provide an opportunity for a user credential obtained via a web login with an identity provider to be exchanged for a credential for use with the K8s API server, which Kubeapps requires. It is important to note that the current focus of the Pinniped team is for kubectl CLI integration supporting a variety of external identity providers - not web app authentication - but they are open to discussing future web app auth support. | ||
|
||
## Design overview and discussion | ||
|
||
You can read and comment on the design doc for [Kubeapps with Pinniped for Auth](https://docs.google.com/document/d/1Sqhq_JIfb7M3K5RloV4T2itznu56EDJm_PEz2yrPk1E/edit#). |