siderolabs / omni-feedback

Omni feature requests, bug reports
https://www.siderolabs.com/platform/saas-for-kubernetes/
MIT License

[feature] Increase session timeout #38

Closed gerhard closed 1 year ago

gerhard commented 1 year ago

Problem Description

I need to log in multiple times per day in the browser, when using omnictl and kubectl. This was bearable for the first two weeks of using Omni on an almost daily basis, but now it feels that I cannot do anything without needing to log in first.

If I am aware of how many times I need to log in during a day (it's at least 6 by the way), then the friction is too great.

Solution

The ideal session timeout looks like GitHub & gh. I cannot remember the last time that I had to log in.

I don't remember K8s login being noticeable with any of the other managed K8s services.

Could I have the same with Omni please?

Alternative Solutions

Integrate with 1Password.

Notes

No response

gerhard commented 1 year ago

WDYT @smira @andrewrynhard?

smira commented 1 year ago

There are specific trade-offs between having better security and better UX. Omni was designed around better security.

Every API request to Omni, whether it's frontend or omnictl, is signed by a client private key which needs to be refreshed every 8 hours.

The Kubernetes API unfortunately doesn't support request signatures, so it's using an expiring JWT token.

So there are roughly three login points, each with an 8-hour session timeout iirc. Certainly increasing the session timeout is an option, but it will affect security. Our next step is going to be adding support for hardware tokens for auth (YubiKey, etc.).
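The comment above describes per-request signing with a client private key that expires after 8 hours. The following Go program is an added illustration of that pattern, written for this thread; it is not Omni's code and does not use Omni's API. The key lifetime, the 5-minute replay window, the canonical request format and the `/api/clusters` path are all assumptions chosen for the example. The point it makes is the trade-off smira names: the server-side check that rejects a request signed with a key older than `KeyLifetime` is exactly the control that a longer session timeout relaxes, so the example keeps the lifetime as one named constant and shows what the verifier accepts and refuses around it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// KeyLifetime is how long a client signing key stays valid after it is
// issued. The thread states Omni uses 8 hours; treating it as a single
// constant is the example's choice, not Omni's configuration surface.
const KeyLifetime = 8 * time.Hour

// MaxSkew bounds how far a request timestamp may drift from server time,
// which limits replay of a captured signed request. Assumed value.
const MaxSkew = 5 * time.Minute

// ClientKey is what the server stores after login: the public half of the
// client's key and when it was issued.
type ClientKey struct {
	Public   ed25519.PublicKey
	IssuedAt time.Time
}

// SignedRequest is the material the server verifies for one API call.
type SignedRequest struct {
	Method, Path string
	Body         []byte
	Timestamp    time.Time
	Signature    []byte
}

// Sentinel errors so callers can distinguish "log in again" from "bad request".
var (
	ErrKeyExpired = errors.New("client key older than KeyLifetime: re-login required")
	ErrStale      = errors.New("request timestamp outside replay window")
	ErrBadSig     = errors.New("request signature does not verify")
)

// canonical builds the bytes that are signed: method, path, SHA-256 of the
// body and the unix timestamp, so none of them can change in transit.
func canonical(method, path string, body []byte, ts time.Time) []byte {
	h := sha256.Sum256(body)
	return []byte(method + "\n" + path + "\n" + hex.EncodeToString(h[:]) + "\n" +
		strconv.FormatInt(ts.Unix(), 10))
}

// Sign is the client side: bind the request contents and current time to the key.
func Sign(priv ed25519.PrivateKey, method, path string, body []byte, now time.Time) SignedRequest {
	return SignedRequest{method, path, body, now, ed25519.Sign(priv, canonical(method, path, body, now))}
}

// Verify is the server side. Order matters: an expired key is reported as such
// even if the signature would still be mathematically valid.
func Verify(k ClientKey, r SignedRequest, now time.Time) error {
	if now.Sub(k.IssuedAt) > KeyLifetime {
		return ErrKeyExpired
	}
	if d := now.Sub(r.Timestamp); d > MaxSkew || d < -MaxSkew {
		return ErrStale
	}
	if !ed25519.Verify(k.Public, canonical(r.Method, r.Path, r.Body, r.Timestamp), r.Signature) {
		return ErrBadSig
	}
	return nil
}

// Demo runs one key through three situations and returns each outcome:
// a fresh request, the same key used after the lifetime, and a tampered path.
func Demo() (fresh, expired, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issued := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed login time
	key := ClientKey{Public: pub, IssuedAt: issued}

	// One hour after login: inside the lifetime, inside the skew window.
	r1 := Sign(priv, "GET", "/api/clusters", nil, issued.Add(time.Hour))
	fresh = Verify(key, r1, issued.Add(time.Hour+time.Second))

	// Nine hours after login: the signature is fine, but the key has aged out.
	r2 := Sign(priv, "GET", "/api/clusters", nil, issued.Add(9*time.Hour))
	expired = Verify(key, r2, issued.Add(9*time.Hour))

	// Same signature replayed against a different path: canonical bytes differ.
	r3 := r1
	r3.Path = "/api/clusters/delete"
	tampered = Verify(key, r3, issued.Add(time.Hour+time.Second))
	return fresh, expired, tampered
}

func main() {
	fresh, expired, tampered := Demo()
	fmt.Println("fresh:", fresh, "| expired:", expired, "| tampered:", tampered)
}
```

Raising `KeyLifetime` is the one-line change the issue asks for; everything the server can no longer do after that change is visible in `Verify`: a key captured from a client machine stays usable for the whole longer window, and nothing in the protocol shortens it except the next forced re-login.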

gerhard commented 1 year ago

Any chance of making this timeout configurable, maybe on a per account basis?

gerhard commented 1 year ago

I have been using the CLI tools less in recent weeks, no longer an issue for me.