kyverno / policy-reporter

Monitoring and Observability Tool for the PolicyReport CRD with an optional UI.
https://kyverno.github.io/policy-reporter/
MIT License

[UI] Policy Reporter UI Authentication Support via OpenID Connect #221

Open fjogeleit opened 1 year ago

fjogeleit commented 1 year ago

Configure an optional OpenID Connect Provider to enable Authentication for Policy Reporter UI

EsDmitrii commented 1 year ago

FYI, I used gogatekeeper to configure OIDC auth via Keycloak (in my case). It creates an additional proxy service with auth: https://github.com/gogatekeeper/gatekeeper

fjogeleit commented 1 year ago

Hey, thanks for the hint, will check it out.

bsgrigorov commented 12 months ago

Can we add an option to include extra containers in the Kyverno Policy Reporter UI deployment so that we can include an oauth2 proxy container for OIDC or other authentication? It should be a very simple change to just allow setting extra containers and connecting the kube service to the correct port in the Helm chart.

fjogeleit commented 12 months ago

I can have a look at it.

aslafy-z commented 9 months ago

It would be nice if auth was implemented via Kubernetes impersonation. This way, consumers would only be allowed to see reports & policies they are allowed to see from a Kubernetes RBAC perspective. I made an adapter for kubernetes-dashboard here: https://github.com/aslafy-z/k8s-dashboard-impersonation-proxy
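The impersonation approach suggested above, as an added illustration that is not part of the linked adapter or of Policy Reporter: a small Go reverse proxy in front of the Kubernetes API that strips any `Impersonate-*` headers supplied by the client, then sets `Impersonate-User` / `Impersonate-Group` from an identity the front-end authentication layer has already verified, and authenticates to the API server with its own service-account token (which must itself be granted the `impersonate` verb via RBAC). The `resolve` hook, the `KUBE_API_URL` and `KUBE_SA_TOKEN` variable names and the listen port are assumptions made for this example. Because the proxy only forwards what the API server allows for the impersonated user, the user sees exactly the reports and policies their own RBAC permits.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// Identity is the result of authentication performed in front of the proxy
// (for example an OIDC layer); the proxy trusts only this, never request headers.
type Identity struct {
	User   string
	Groups []string
}

// stripImpersonationHeaders removes every Impersonate-* header the client sent.
// Without this step a caller could pick an arbitrary user or group.
func stripImpersonationHeaders(h http.Header) {
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), "impersonate-") {
			h.Del(name)
		}
	}
}

// applyImpersonation sets the Kubernetes impersonation headers from the
// verified identity, so the API server evaluates RBAC as that user.
func applyImpersonation(r *http.Request, id Identity) {
	stripImpersonationHeaders(r.Header)
	r.Header.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		r.Header.Add("Impersonate-Group", g)
	}
}

// newImpersonatingProxy forwards requests to apiServer using the proxy's own
// service-account token (which needs RBAC permission to impersonate) while
// impersonating the caller. resolve is a hypothetical hook that returns the
// already-authenticated identity for a request, or false if there is none.
func newImpersonatingProxy(apiServer *url.URL, saToken string, resolve func(*http.Request) (Identity, bool)) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(apiServer)
	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r)
		// Replace whatever credential the client presented with the proxy's own.
		r.Header.Set("Authorization", "Bearer "+saToken)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := resolve(r)
		if !ok || id.User == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		applyImpersonation(r, id)
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-alone use: API server URL and token come from the environment
	// (variable names are assumptions for this example).
	target, err := url.Parse(os.Getenv("KUBE_API_URL"))
	if err != nil || target.Host == "" {
		log.Fatal("set KUBE_API_URL to the API server address")
	}
	// Placeholder resolver: denies every request until wired to the real
	// session store, so a misconfigured deployment fails closed.
	resolve := func(r *http.Request) (Identity, bool) { return Identity{}, false }
	log.Fatal(http.ListenAndServe(":8080", newImpersonatingProxy(target, os.Getenv("KUBE_SA_TOKEN"), resolve)))
}
```

The order matters: the client's headers are cleared before the verified identity is written, and the service-account token is set in the director so it is never visible to the client. Anything the impersonated user is not allowed to list comes back from the API server as a 403, which is the RBAC-scoped view the comment asks for.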

fjogeleit commented 9 months ago

I'll have a look, thanks for the feedback.

EsDmitrii commented 1 month ago

@fjogeleit Hi! I have a question. Does the Kyverno UI have a specific URI path to redirect auth requests to OIDC? Something like /oauth or /login etc. I have a specific issue: I use gogatekeeper to secure the UI using OIDC auth. When I try to open or download a report I get nothing, but in developer mode I see that Kyverno gives me HTML docs, but gatekeeper breaks it via redirects.

I'm trying to configure a specific path to get auth when you open the UI for the first time, and exclude the /api/* path from redirects because reports are generated using this URI: `/api/kyverno/policy-details-reporting*`

gatekeeper:
  config:
    resources:
      - uri: /
        methods:
          - GET
          - POST
          - DELETE
          - PUT
        groups:
          - admin
      - uri: /api/*
        white-listed: true

Do you have any thoughts on how to get reports using a secured ingress via gatekeeper? :)

fjogeleit commented 1 month ago

Hi, the current v1 UI doesn't support any kind of direct authentication. The UI v2, which I am currently working on, has integrated OIDC support.

You can check https://github.com/kyverno/policy-reporter/tree/3.x and https://github.com/kyverno/policy-reporter/blob/3.x/docs/UI_AUTH.md for details.

Related to the docs: the open button fetches the report via the API and creates a local ObjectURL to download / open the report. I assume that gogatekeeper cannot handle this correctly.

Jeremy-Boyle commented 2 weeks ago

Hello @fjogeleit ,

Do you know if OIDC will allow you to select different groups tied back to a subset of clusters for access?

For example, it would be really nice to tie the groups to only see the clusters they have access to when creating a federated policy UI.

fjogeleit commented 2 weeks ago

Hey, thanks for your feedback. In the current MVP a permission model is not included.

The main issue is that neither OIDC nor OAuth has a universal interface/API.

So I need to plan an actual implementation to

  1. get permissions from the provider, or
  2. define a custom configuration, which would require additional work for the administrator.

Jeremy-Boyle commented 2 weeks ago

I don't mind helping with a PR :) as long as we agree on the implementation. Is there a larger issue tracking all that needs to be done for the new version?

Does something like the following make sense?
clusters:
- name: External Cluster
  api: https://policy-reporter.external.cluster
  kyvernoApi: https://kyverno-plugin.external.cluster
  username: username
  password: password
  secretRef: auth-secret
  oidc: # optional, if you want to specify group level access
    groups:
    - some-group

fjogeleit commented 1 week ago

Where would you configure the groups of a user? I assume with the respective provider, and the challenge is to get this information from the provider because it's not part of the OIDC spec and differs for each provider.

Also requested is the ability to configure permissions for the different views.
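To make the two sides of this exchange concrete (the proposed per-cluster `oidc.groups` block, and the point that the groups claim is provider-specific), here is an added Go example that is not Policy Reporter code and does not reflect the 3.x schema. It assumes a cluster config shaped like the proposal above, a configurable claim name so an administrator can point it at whatever claim their provider emits (the claim must of course come from a token or userinfo response that has already been signature-verified), and a fail-closed rule: a cluster with no `oidc` block is unrestricted, a cluster with an `oidc` block is visible only on a group match, so an empty group list hides the cluster from everyone. The cluster names and claim payload are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// ClusterConfig mirrors the shape proposed in the thread; the field names are
// an assumption for this example, not the project's schema.
type ClusterConfig struct {
	Name string      `json:"name"`
	API  string      `json:"api"`
	OIDC *OIDCAccess `json:"oidc,omitempty"`
}

// OIDCAccess restricts a cluster to members of at least one listed group.
type OIDCAccess struct {
	Groups []string `json:"groups"`
}

// groupsFromClaims reads group membership from a decoded (and already
// verified) ID-token or userinfo payload. The claim name is a parameter
// because providers differ in where, and whether, they expose groups.
func groupsFromClaims(claims map[string]any, claimName string) ([]string, error) {
	raw, ok := claims[claimName]
	if !ok {
		return nil, fmt.Errorf("claim %q not present in token", claimName)
	}
	switch v := raw.(type) {
	case []any:
		out := make([]string, 0, len(v))
		for _, g := range v {
			s, ok := g.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q contains a non-string entry", claimName)
			}
			out = append(out, s)
		}
		return out, nil
	case string:
		return []string{v}, nil
	default:
		return nil, fmt.Errorf("claim %q has unsupported type %T", claimName, raw)
	}
}

// visibleClusters returns the clusters a user may see. A cluster without an
// oidc block is unrestricted; one with an oidc block requires a group match,
// so an empty group list denies everyone (fail closed rather than open).
func visibleClusters(clusters []ClusterConfig, userGroups []string) []ClusterConfig {
	member := make(map[string]bool, len(userGroups))
	for _, g := range userGroups {
		member[g] = true
	}
	var out []ClusterConfig
	for _, c := range clusters {
		if c.OIDC == nil {
			out = append(out, c)
			continue
		}
		for _, g := range c.OIDC.Groups {
			if member[g] {
				out = append(out, c)
				break
			}
		}
	}
	return out
}

// visibleClusterNames is a convenience wrapper used by main and the tests.
func visibleClusterNames(clusters []ClusterConfig, userGroups []string) []string {
	names := []string{}
	for _, c := range visibleClusters(clusters, userGroups) {
		names = append(names, c.Name)
	}
	return names
}

// sampleClusters is constructed sample data following the thread's proposal.
var sampleClusters = []ClusterConfig{
	{Name: "Internal Cluster", API: "https://policy-reporter.internal.example"},
	{Name: "External Cluster", API: "https://policy-reporter.external.cluster", OIDC: &OIDCAccess{Groups: []string{"some-group"}}},
	{Name: "Staging", API: "https://policy-reporter.staging.example", OIDC: &OIDCAccess{Groups: []string{"dev", "sre"}}},
	{Name: "Locked", API: "https://policy-reporter.locked.example", OIDC: &OIDCAccess{Groups: nil}},
}

func main() {
	// Constructed claims as they might look after token verification.
	payload := []byte(`{"sub":"alice","groups":["dev","platform"]}`)
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		log.Fatal(err)
	}
	groups, err := groupsFromClaims(claims, "groups")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(visibleClusterNames(sampleClusters, groups)) // [Internal Cluster Staging]
}
```

The configurable claim name is the minimal answer to "differs for each provider": the administrator supplies one string per provider instead of the UI carrying provider-specific code, and a missing or malformed claim is an error rather than an empty (and therefore silently permissive) group list.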