Access control¶
Group claims¶
This guide describes how to set up and make use of group claims for applications.
Note
This guide assumes that your group claim is named groups.
Kubernetes¶
To have kubelogin fetch and use groups, make sure that your kubeconfig looks something like this:
users:
- name: user@my-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://dex.my-cluster-domain.com
      - --oidc-client-id=my-client-id
      - --oidc-client-secret=my-client-secret
      - --oidc-extra-scope=email,groups # Make sure groups are here
      command: kubectl
Tips
Your token can be found in ~/.kube/cache/oidc-login/.
This is useful if you're trying to debug your claims, since you can just paste the token into jwt.io and check it.
Example:
$ ls ~/.kube/cache/oidc-login/
$ kubectl get pod
<log in>
$ ls ~/.kube/cache/oidc-login/
13b165965d8e80749ce3b8d442da3e4e9f5ff5e38900ef104eee99fde85a39d4
$ cat ~/.kube/cache/oidc-login/13b165965d8e80749ce3b8d442da3e4e9f5ff5e38900ef104eee99fde85a39d4 | jq -r .id_token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RleC5teS1jbHVzdGVyLWRvbWFpbi5jb20iLCJpYXQiOjE2MjE1MTUxNzcsImV4cCI6MTY1MzEzNzU3NywiYXVkIjoibXktY2xpZW50LWlkIiwic3ViIjoiSGlVUE92S1BKMmVwWUkwR1R1U0JYWGRxYTJTV2ZxRnc1ZjBXNVBQeThTWSIsIm5vdW5jZSI6IkNoVXhNRFk0TVRZNE1qRXpORFUzTURVM01ERXlNREFTQm1kdmIyZHNaUSIsImF0X2hhc2giOiI1aUZjbF9Sc1JvblhHekZaMU0xQ2JnIiwiZW1haWwiOiJ1c2VyQG15LWRvbWFpbi5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJncm91cHMiOlsibXktZ3JvdXAtb25lIiwibXktZ3JvdXAtdHdvIl19.s65Aowfn6B1PiyQvRGPRu9KgX7G39nkLtx6yCAEElao
Copy the token to jwt.io and ensure that the payload includes the expected groups claim.
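As an added example (not part of the original guide), the following Python script does the same check as jwt.io offline: it decodes a kubelogin id_token without verifying the signature and reports whether the issuer, audience, and expected groups are present. The embedded sample token is the one from the listing above; the function names and the cache-directory loader are my own.

```python
import base64
import json
import os

# Constructed sample: the id_token from the kubelogin cache listing above
# (header {"typ":"JWT","alg":"HS256"}; the payload carries a "groups" claim).
SAMPLE_ID_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2RleC5teS1jbHVzdGVyLWRvbWFpbi5jb20iLCJpYXQiOjE2MjE1MTUxNzcsImV4cCI6MTY1MzEzNzU3NywiYXVkIjoibXktY2xpZW50LWlkIiwic3ViIjoiSGlVUE92S1BKMmVwWUkwR1R1U0JYWGRxYTJTV2ZxRnc1ZjBXNVBQeThTWSIsIm5vdW5jZSI6IkNoVXhNRFk0TVRZNE1qRXpORFUzTURVM01ERXlNREFTQm1kdmIyZHNaUSIsImF0X2hhc2giOiI1aUZjbF9Sc1JvblhHekZaMU0xQ2JnIiwiZW1haWwiOiJ1c2VyQG15LWRvbWFpbi5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJncm91cHMiOlsibXktZ3JvdXAtb25lIiwibXktZ3JvdXAtdHdvIl19."
    "s65Aowfn6B1PiyQvRGPRu9KgX7G39nkLtx6yCAEElao"
)

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Return (header, payload) of a compact JWT WITHOUT verifying the signature.
    This is for inspecting claims while debugging (like pasting into jwt.io);
    never use the result to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_group_claims(claims, expected_groups, issuer, audience, claim_name="groups"):
    """Return a list of problems with the claims; an empty list means they look right."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {audience!r}")
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        # Usually means the groups scope was not requested (see --oidc-extra-scope).
        problems.append(f"no {claim_name!r} list claim in token")
        return problems
    missing = sorted(set(expected_groups) - set(groups))
    if missing:
        problems.append(f"missing groups: {missing}")
    return problems

def load_kubelogin_id_tokens(cache_dir="~/.kube/cache/oidc-login"):
    """Yield (cache file name, id_token) for every token kubelogin has cached."""
    cache_dir = os.path.expanduser(cache_dir)
    for name in sorted(os.listdir(cache_dir)):
        with open(os.path.join(cache_dir, name)) as fh:
            yield name, json.load(fh)["id_token"]
```

Run check_group_claims(decode_jwt_claims(token)[1], ...) over the tokens yielded by load_kubelogin_id_tokens() to check every cached token on your workstation.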
OpenSearch¶
To let OpenSearch use the groups claim for OpenSearch Dashboards access, add groups to the SSO scope and map the group to the backend roles it should get:
opensearch:
  sso:
    scope: "... groups" # Add groups to existing
  extraRoleMappings:
    - mapping_name: kibana_user
      definition:
        backend_roles:
          - my-group-name
    - mapping_name: kubernetes_log_reader
      definition:
        backend_roles:
          - my-group-name
Harbor¶
Set the correct group claim name; the default scopes already include groups. These groups can then be assigned to projects or used as the admin group.
harbor:
  oidc:
    groupClaimName: groups
Note
When OIDC (e.g. Dex) is enabled, static users cannot be created through the Harbor web interface. However, anyone who logs in via Dex automatically gets a user account, and that user can be promoted to admin. Once there is one admin, they can set specific permissions for other users (at least a few users should be promoted to admin).
Grafana¶
OPS Grafana¶
prometheus:
  grafana:
    oidc:
      enabled: true
      userGroups:
        grafanaAdmin: my-admin-group
        grafanaEditor: my-editor-group
        grafanaViewer: my-viewer-group
      scopes: "... groups" # Add groups to existing
      allowedDomains:
        - my-domain.com
User Grafana¶
user:
  grafana:
    oidc:
      scopes: "... groups" # Add groups to existing
      allowedDomains:
        - my-domain.com
      userGroups:
        grafanaAdmin: my-admin-group
        grafanaEditor: my-editor-group
        grafanaViewer: my-viewer-group
Users onboarding¶
This section describes how to configure Compliant Kubernetes for the Application Developers who should be OpenSearch, Grafana, or Harbor administrators.
OpenSearch¶
This is configured via sc-config.yaml:
opensearch:
  extraRoleMappings:
    # Application developer access
    - mapping_name: kibana_user
      definition:
        users:
          - user@domain.tld
    # Extra permissions for Application developer
    - mapping_name: kubernetes_log_reader
      definition:
        users:
          - user@domain.tld
    - mapping_name: alerting_ack_alerts
      definition:
        users:
          - user@domain.tld
    - mapping_name: alerting_read_access
      definition:
        users:
          - user@domain.tld
    - mapping_name: alerting_full_access
      definition:
        users:
          - user@domain.tld
    # Administrator access
    - mapping_name: all_access
      definition:
        users:
          - user@domain.tld
        backend_roles:
          - group@domain.tld
Grafana¶
- Application Developer logs in to Grafana via OpenID.
- Administrator logs in to Grafana via the static admin user.
  Note
  To get the static admin username and password you need to have access to the SC cluster and then run:
  kubectl get secret user-grafana -n monitoring -o json | jq '.data | map_values(@base64d)'
- Administrator promotes the OpenID user to Grafana admin at grafana.domain.tld/admin/users
Harbor¶
- Application Developer logs in to Harbor via OpenID.
- Administrator logs in to Harbor via the static admin user.
  Note
  To get the static admin username and password you need to have access to the SC cluster and then run:
  kubectl get secret harbor-init-secret -n harbor -o json | jq '.data."harbor-password"'
  The username is: admin
- Administrator promotes the OpenID user to Harbor admin at grafana.domain.tld/harbor/users