<!-- markdownlint-disable MD033 --> <h1> <img src="https://github.com/sighupio/fury-distribution/blob/main/docs/assets/fury-epta-white.png?raw=true" align="left" width="90" style="margin-right: 15px"/> Kubernetes Fury Auth </h1> <!-- markdownlint-enable MD033 --><!-- <KFD-DOCS> -->
Kubernetes Fury Auth provides Authentication Management for Kubernetes Fury Distribution (KFD).
If you are new to KFD, please refer to the official documentation on how to get started with the distribution.
Overview
Kubernetes Fury Auth uses CNCF-recommended Cloud Native projects, such as the Dex identity provider and Pomerium as an identity-aware proxy, to enable secure access to internal applications.
Packages
Kubernetes Fury Auth provides the following packages:
Package | Version | Description |
---|---|---|
Pomerium | v0.27.1 | Identity-aware proxy that enables secure access to internal applications. |
Dex | v2.41.1 | Dex is a Federated OpenID Connect Provider. |
Gangplank | v1.1.0 | Enable authentication flows via OIDC for a Kubernetes cluster. |
Compatibility
Kubernetes Version | Compatibility | Notes |
---|---|---|
1.28.x | :white_check_mark: | No known issues. |
1.29.x | :white_check_mark: | No known issues. |
1.30.x | :white_check_mark: | No known issues. |
1.31.x | :white_check_mark: | No known issues. |
Check the compatibility matrix for additional information on previous releases of the modules.
Usage
[!NOTE] The instructions below are for deploying the module using legacy furyctl, which required manual intervention.
Recent versions of furyctl automate the whole process, and using the latest version of furyctl is recommended instead.
Prerequisites
Tool | Version | Description |
---|---|---|
furyctl | >=0.6.0 | The recommended tool to download and manage KFD modules and their packages. To learn more about furyctl read the official documentation. |
kustomize | >=3.5.0 | Packages are customized using kustomize. To learn how to create your customization layer with kustomize, please refer to the repository. |
Deployment with legacy furyctl
- List the packages you want to deploy and their version in a `Furyfile.yml`:

  ```yaml
  versions:
    auth: "v0.3.0"

  bases:
    - name: auth/pomerium
    - name: auth/dex
    - name: auth/gangplank
  ```

  See the `furyctl` documentation for additional details about the `Furyfile.yml` format.

- Execute `furyctl vendor -H` to download the packages.

- Inspect the downloaded packages under `./vendor/katalog/auth/`.

- Define a `kustomization.yaml` that includes the `./vendor/katalog/auth` directory as a resource:

  ```yaml
  resources:
    - ./vendor/katalog/auth/pomerium
    - ./vendor/katalog/auth/dex
    - ./vendor/katalog/auth/gangplank
  ```

- Create the configuration file for Dex (here's an LDAP-based example) and add it as a secret to the `kustomization.yaml` file, like this:

  ```yaml
  secretGenerator:
    - name: dex
      namespace: kube-system
      files:
        - config.yml=./secrets/dex/config.yml
  ```

  ℹ️ Read more in Dex's readme.

  ⛔️ Before proceeding, follow the instructions in Pomerium's package readme and Gangplank's readme to configure them.

- Finally, to deploy the module to your cluster, execute:

  ```bash
  kustomize build . | kubectl apply -f -
  ```
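
For the Dex configuration step above, a minimal LDAP-backed `./secrets/dex/config.yml` could look like the following. This is an added example, not a file shipped by the module: the hostnames, DNs, client IDs, redirect URIs, storage backend and secrets are placeholders or assumptions to be replaced with the values from your directory and from the Pomerium and Gangplank configuration.

```yaml
# secrets/dex/config.yml: constructed example; all hosts, DNs, IDs and secrets are placeholders
issuer: https://dex.example.com            # clients must be configured with this exact issuer URL
storage:
  type: kubernetes                         # assumption: Dex state kept in Kubernetes custom resources
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: ldap.example.com:636           # LDAPS port
      insecureNoSSL: false                 # never send the bind password in clear text
      insecureSkipVerify: false            # keep server certificate verification on
      bindDN: cn=dex-readonly,ou=services,dc=example,dc=com   # read-only service account
      bindPW: REPLACE_WITH_BIND_PASSWORD
      usernamePrompt: Username
      userSearch:
        baseDN: ou=people,dc=example,dc=com
        filter: "(objectClass=person)"
        username: uid
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
      groupSearch:
        baseDN: ou=groups,dc=example,dc=com
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn
staticClients:
  - id: pomerium                           # assumed client ID
    name: Pomerium
    secret: REPLACE_WITH_POMERIUM_CLIENT_SECRET
    redirectURIs:
      - https://pomerium.example.com/oauth2/callback
  - id: gangplank                          # assumed client ID
    name: Gangplank
    secret: REPLACE_WITH_GANGPLANK_CLIENT_SECRET
    redirectURIs:
      - https://gangplank.example.com/callback
```

Because this file carries the LDAP bind password and the OIDC client secrets, keep `./secrets/` out of version control or store it encrypted.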
Monitoring
The KFD Auth module integrates out-of-the-box with KFD's Monitoring module, providing metrics and dashboards to visualize the status of its components.
In particular:
- Dex exposes standard Go adapter metrics. The metrics are automatically scraped by Prometheus when using the KFD Monitoring module, but there are no Grafana dashboards or alerts defined.
- Pomerium exposes several metrics about Pomerium itself and its underlying Envoy proxy. Metrics are scraped automatically by Prometheus, and 2 Grafana dashboards are available with the `pomerium` tag when using the KFD Monitoring module. Here are some screenshots:
<a href="docs/images/screenshots/pomerium-dashboard.png"><img src="docs/images/screenshots/pomerium-dashboard.png" width="250"/></a> <a href="docs/images/screenshots/pomerium-envoy-dashboard.png"><img src="docs/images/screenshots/pomerium-envoy-dashboard.png" width="250"/></a>
<!-- markdownlint-enable MD033 -->
Screenshots
<!-- markdownlint-disable MD033 -->
- Dex Login:
<a href="docs/images/screenshots/dex.png"><img src="docs/images/screenshots/dex.png" width="250"/></a>
- Pomerium 403 not authorized error screen:
<a href="docs/images/screenshots/pomerium-403.png"><img src="docs/images/screenshots/pomerium-403.png" width="250"/></a>
- Pomerium user profile screen:
<a href="docs/images/screenshots/pomerium-userprofile.png"><img src="docs/images/screenshots/pomerium-userprofile.png" width="250"/></a>
<!-- markdownlint-enable MD033 --> <!-- Links --> <!-- </KFD-DOCS> --> <!-- <FOOTER> -->
Contributing
Before contributing, please read the Contributing Guidelines first.
Reporting Issues
In case you experience any problems with the module, please open a new issue.
License
This module is open-source and is released under the following LICENSE.
<!-- </FOOTER> -->