Awesome

<h1> <img src="https://github.com/sighupio/fury-distribution/blob/main/docs/assets/fury-epta-white.png?raw=true" align="left" width="90" style="margin-right: 15px"/> Kubernetes Fury Auth </h1>

License

Kubernetes Fury Auth provides Authentication Management for Kubernetes Fury Distribution (KFD).

If you are new to KFD please refer to the official documentation on how to get started with the distribution.

Overview

Kubernetes Fury Auth uses CNCF recommended, Cloud Native projects, such as the Dex identity provider, and Pomerium as an identity-aware proxy to enable secure access to internal applications.

Packages

Kubernetes Fury Auth provides the following packages:

Package	Version	Description
Pomerium	`v0.27.1`	Identity-aware proxy that enables secure access to internal applications.
Dex	`v2.41.1`	Dex is a Federated OpenID Connect Provider.
Gangplank	`v1.1.0`	Enable authentication flows via OIDC for a kubernetes cluster.

Compatibility

Kubernetes Version	Compatibility	Notes
`1.26.x`	:white_check_mark:	No known issues.
`1.27.x`	:white_check_mark:	No known issues.
`1.28.x`	:white_check_mark:	No known issues.
`1.29.x`	:white_check_mark:	No known issues.

Check the compatibility matrix for additional information on previous releases of the modules.

Usage

Prerequisites

Tool	Version	Description
furyctl	`>=0.6.0`	The recommended tool to download and manage KFD modules and their packages. To learn more about `furyctl` read the official documentation.
kustomize	`>=3.5.0`	Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the repository.

Deployment with legacy furyctl

List the packages you want to deploy and their version in a Furyfile.yml:

versions:
  auth: "v0.3.0"
bases:
  - name: auth/pomerium
  - name: auth/dex
  - name: auth/gangplank

See furyctl documentation for additional details about Furyfile.yml format.

Execute furyctl vendor -H to download the packages
Inspect the download packages under ./vendor/katalog/auth/.
Define a kustomization.yaml that includes the ./vendor/katalog/auth directory as a resource.

resources:
  - ./vendor/katalog/auth/pomerium
  - ./vendor/katalog/auth/dex
  - ./vendor/katalog/auth/gangplank

Create the configuration file for Dex (here's an LDAP-based example) and add it as a secret to the kustomization.yaml file, like this:

secretGenerator:
  - name: dex
    namespace: kube-system
    files:
      - config.yml=./secrets/dex/config.yml

ℹ️ read more on Dex's readme.

⛔️ Before proceeding, follow the instructions in Pomerium's package readme and Gangplank's readme to configure them.

Finally, to deploy the module to your cluster, execute:

kustomize build . | kubectl apply -f -

Monitoring

KFD Auth module integrates out-of-the-box with KFD's Monitoring module. Providing metrics and dashboards to visualize the status of its components.

In particular:

Dex exposes standard Go adapter metrics, the metrics are automatically scrapped by Prometheus when using KFD Monitoring module but there are no Grafana dashboards nor alerts defined.
Pomerium exposes several metrics about Pomerium itself and its underlying envoy proxy. Metrics are scrapped automatically by Prometheus and 2 Grafana dashboards are available with the pomerium tag when using KFD Monitoring module. Here are some screenshots:

Screenshots

Dex Login:

Pomerium 403 not authorized error screen:

Pomerium user profile screen:

Contributing

Before contributing, please read first the Contributing Guidelines.

Reporting Issues

In case you experience any problems with the module, please open a new issue.

License

This module is open-source and it's released under the following LICENSE