-
Notifications
You must be signed in to change notification settings - Fork 135
GKE: Restrict Oauth authentication by domain suffix #177
Conversation
And if you want to restrict inside a particular organisation who can and who cannot access Kibana/Prometheus, how does one do this? Also, it would be nice to update the OAuth2 component documentation to reflect this change (behaviour). Could you also please do that? |
I'm open to suggestions. oauth2-proxy supports domain restriction (as used here), and an explicit whitelist of usernames - and then it also has a bunch of provider-specific options, like "member of a google group" for Google. Any of that can be used/configured via jsonnet overlays. The question we're really interested in here is what should we do for the default/simple .. That was my thinking leading up to this specific PR. Very happy to entertain any alternative approaches. The immediate concern is that the current setup (email-domains=*) is not acceptable on GKE.
Yep. It's GKE-specific (as currently implemented). Shall I put that into the shared components doc, or a (yet to be written) gke-specific doc? |
Please document this in the |
With Google-based Oauth, we need to additionally restrict the user in some way - we don't want to allow just _any_ Google account to access the prometheus/kibana consoles. This change adds a flag to specify an email domain, and oauth2 proxy will only allow users from this domain. This flag is marked as *required* on GKE. NB: This effectively restricts kubeprod to only supporting GSuite accounts (@gmail.com is not useful), which is conceptually similar to the AKS setup which allows only members from a particular Azure tenant. Allowing a whitelist of specific (non-GSuite) Gmail accounts instead is probably desirable, but postponed for a future change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
By the way, this PR is not backwards compatible. It actually breaks existing BKPR deployments that had a This is what I get when I try to run
|
With Google-based Oauth, we need to additionally restrict the user in
some way - we don't want to allow just any Google account to access
the prometheus/kibana consoles.
This change adds a required flag to specify a Google email domain,
and oauth2 proxy will only allow Google users from this domain.
NB: This effectively restricts kubeprod to only supporting GSuite
accounts (@gmail.com is not useful), which is conceptually similar to
the AKS setup which allows only members from a particular Azure
tenant. Allowing a whitelist of specific (non-GSuite) Gmail accounts
instead is probably desirable, but postponed for a future change.