Think about authentication and identity management

vmware-archive / kubeless-ui

Graphical User Interface for Kubeless

Apache License 2.0

417 stars 75 forks source link

Think about authentication and identity management #2

Open sebgoa opened 7 years ago

sebgoa commented 7 years ago

We need to think about authentication for this.

The k8s dashboard might give us some ideas.

The coreOS dex project might be useful as well.

sebgoa commented 7 years ago

Does it make sense to use Auth0

remstos commented 7 years ago

For which part would you need authentication?

sebgoa commented 7 years ago

That's the bit I am not sure yet:

I think the UI should be tied to the k8s cluster auth (so for instance if we were using coreOS dex, we could use social login in the k8s cluster and same in kubeless UI). then with RBAC setup in k8s, folks would only deploy functions where they are allowed to. But forcing folks to deploy Dex might be too much.
the functions themselves will need some type of auth, but that's not really a UI issue.

If we were to use Auth0 for auth/authz to the UI, I think (current understanding of Auth0) that we would be tied to a single application. All users of kubeless (as in worldwide on different clusters) would authenticate via the same Auth0 app.

serverlessnomad commented 6 years ago

I would also advocate for adding authentication. I deployed the UI after standing up a cluster via Stackpoint only to find it open to the world and having to take it down. I'll be looking for an alternative way to leverage the UI because I like the utility of it, bit having some auth in front would be good. Is the expectation that the UI sits only on an internal network and would never be accessed over the Internet?

sebgoa commented 6 years ago

The problem is that to create a function through the UI, one needs to pass its k8s creds somehow otherwise the service account running the UI needs "cluster wide" access.

This is the same issue as the k8s dashboard

sebgoa commented 6 years ago

Godo wiki doc here: https://github.com/kubernetes/dashboard/wiki/Access-control

thoughtentity commented 6 years ago

Definitely, would like to see Open ID Connect support. It is one of the natively supported authentication strategies in Kubernetes that supports external identity provider logins (Auth0, Google and GitHub among others). Kubernetes's Dashboard is tacking support in kubernetes/dashboard#2353, however, they're waiting for some APIs to land in Core in order to query the configured authentication strategies in Kubernetes.

As far as being secure out of the box. I'd recommend changeing the service type to ClusterIP and just using kubectl proxy to open a secure channel into the cluster. Then access kubeless-ui using the service proxy URL over localhost:8001 (http://localhost:8001/api/v1/proxy/namespaces/kubeless/services/ui:ui-port/). The Kubernetes Dashboard uses a similar strategy.

sebgoa commented 6 years ago

@thoughtentity yes good points.

We are actually re-writing a kubeless UI in kubeapps: https://github.com/kubeapps/kubeapps . the dashboard is indeed opened via a proxy connection, plus we are starting to align with the k8s dashboard auth strategies:

https://github.com/kubeapps/kubeapps/issues/199

PR welcome on any projects to move in the right direction :)