Introduction
Kubepass is a robust single sign-on (SSO) solution tailored specifically for Kubernetes environments. It simplifies user authentication and authorization processes within Kubernetes clusters, enabling users to access multiple applications seamlessly using a unified set of credentials. Kubepass offers a comprehensive authentication framework, supporting various methods including social logins and multi-factor authentication (MFA).
Authentication Challenges
In Kubernetes ecosystems, applications often fall into distinct categories based on their authentication mechanisms:
- Applications without Built-in Authentication: Certain applications, such as Prometheus UI and Kibana (OSS) dashboard, lack their own authentication mechanisms. Kubepass seamlessly integrates with these applications, providing robust authentication and access control without the need for additional authentication layers.
- Applications with Optional or Proxy-Based Authentication: Some applications, such as Jenkins, Grafana, and Kubernetes Dashboard, feature built-in authentication mechanisms that can be disabled or augmented with proxy-based authentication. Kubepass adeptly manages these scenarios, allowing users to configure authentication settings flexibly according to their requirements.
- Applications Supporting OIDC: Other applications, such as Argo CD, leverage OpenID Connect (OIDC) for authentication. Kubepass extends its support to these applications, facilitating seamless integration and authentication through OIDC client ID and client secret generation.
Kubepass serves as a unified authentication solution for Kubernetes environments, offering unparalleled flexibility and compatibility across diverse application types. By streamlining authentication processes and centralizing access management, Kubepass empowers users to enhance security and streamline operations within their Kubernetes clusters effortlessly.
Concepts
Kubepass streamlines access management within Kubernetes clusters by introducing two fundamental components: Bookmarks and SecureApps.
- Bookmarks: Bookmarks serve as straightforward links to external resources such as GitHub repositories or documentation pages. They enable users to easily navigate to relevant external content.
- SecureApps: SecureApps are Kubernetes-native objects designed to provide authentication and authorization services for applications running within the cluster. They offer two primary authentication mechanisms: Single Sign-On (SSO) and Proxy-based authentication.
  - SSO Authentication: When SSO authentication is selected for a SecureApp, Kubepass generates an OpenID Connect (OIDC) client ID and client secret, facilitating seamless authentication for the underlying application.
  - Proxy-based Authentication: Alternatively, users can opt for Proxy-based authentication, where Kubepass injects a sidecar container into the underlying pods. This sidecar container handles authentication and authorization tasks on behalf of the application, ensuring secure access without the need for additional configuration within the application itself.