
Authentication Subsystem #60

Closed
BugRoger opened this issue Sep 26, 2017 · 4 comments

Comments

@BugRoger
Contributor

There needs to be two Openstack roles:

  1. kubernikus_admin
  2. kubernikus_member

Generate certificates that use the principal from the Keystone token as username (CN). Depending on the Openstack role, the certificate's organisation field is set to:

  1. kubernikus:admins
  2. kubernikus:members

This allows us to identify the user and her Openstack role. Then we preseed RBAC rules into the customer's clusters that add the kubernikus:admins group to system:masters (or the same roles).

In turn this also allows the customer to create their own RBAC rules for the kubernikus:members group. Management of who is allowed to access the Kluster is then possible using the usual Openstack role assignments.

Revocation of the certificates is being handled by lowering the certificates' expiration time. Suggestion would be 30d as default. This can be configured by the customer and adjusted to his security needs.

With 1.8 it will be possible to create plugins for kubectl. It will then be trivially easy to automate the certificate renewal similar to monsoonctl using a plugin.

@BugRoger
Contributor Author

BugRoger commented Oct 7, 2017

Plugin created: kubernikusctl credentials

@databus23
Member

databus23 commented Oct 11, 2017

The bulk of this ticket is hopefully implemented by e2369ec.

The /api/v1/cluster/:name/credentials endpoint now returns certificates that are valid for 24 hours only. The Organization part of the certificate subject now contains all the roles associated with the token (and therefore the roles the user has in the cluster's Openstack project). This allows binding Openstack roles to kubernetes RBAC definitions.
We now seed one ClusterRoleBinding when creating the kluster, giving the user cluster-admin permissions when he has the openstack kubernetes_admin role.
More fine-grained settings with other Openstack roles can be set up by the enduser.

I like it! :)
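The CN/O scheme from the issue and the 24-hour credentials described in the comment above, as an added example that is not code from kubernikus or from anyone in this thread: it issues a client certificate with the Keystone principal as CN and the roles as O entries, and an authenticator in the style of kube-apiserver's x509 authenticator that verifies the chain and validity period, then maps CN to the user name and each O entry to a group. The CA name `kluster-ca`, the Ed25519 key type and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// newCert generates an Ed25519 key pair and a certificate from tmpl; a nil signer means self-signed.
func newCert(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key // self-signed: the CA signs itself with its own fresh key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewCA builds a self-signed cluster CA (name and lifetime are constructed for this example).
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kluster-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0)}
	return newCert(tmpl, tmpl, nil)
}
// IssueClientCert puts the Keystone principal into CN and every Openstack role into O; ttl stays short (24h in the thread) because expiry is the only revocation.
func IssueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, principal string, roles []string, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: principal, Organization: roles},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return newCert(tmpl, ca, caKey)
}
// Authenticate mirrors kube-apiserver's x509 authenticator: verify chain and validity at time now, then CN -> user, each O entry -> group.
func Authenticate(cert *x509.Certificate, pool *x509.CertPool, now time.Time) (user string, groups []string, err error) {
	if _, err = cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", nil, err
	}
	if cert.Subject.CommonName == "" { // a cert carrying only O entries must not authenticate
		return "", nil, errors.New("client certificate has no CN")
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}
```

The groups returned by Authenticate are what a ClusterRoleBinding with `subjects[].kind: Group` matches against, so a binding for `kubernikus:admins` takes effect only while the certificate is within its ttl.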

@BugRoger
Contributor Author

Missing docs and final touches on kubernikusctl download

@stale

stale bot commented Nov 25, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Nov 25, 2017
@stale stale bot closed this as completed Dec 2, 2017