Open sebgoa opened 7 years ago
For which part would you need authentication?
That's the bit I am not sure yet:
If we were to use Auth0 for auth/authz to the UI, I think (current understanding of Auth0) that we would be tied to a single application. All users of kubeless (as in worldwide on different clusters) would authenticate via the same Auth0 app.
I would also advocate for adding authentication. I deployed the UI after standing up a cluster via Stackpoint only to find it open to the world and having to take it down. I'll be looking for an alternative way to leverage the UI because I like the utility of it, bit having some auth in front would be good. Is the expectation that the UI sits only on an internal network and would never be accessed over the Internet?
The problem is that to create a function through the UI, one needs to pass its k8s creds somehow otherwise the service account running the UI needs "cluster wide" access.
This is the same issue as the k8s dashboard
Godo wiki doc here: https://github.com/kubernetes/dashboard/wiki/Access-control
Definitely, would like to see Open ID Connect
support. It is one of the natively supported authentication strategies in Kubernetes that supports external identity provider logins (Auth0
, Google
and GitHub
among others). Kubernetes's Dashboard
is tacking support in kubernetes/dashboard#2353, however, they're waiting for some APIs to land in Core in order to query the configured authentication strategies in Kubernetes.
As far as being secure out of the box. I'd recommend changeing the service type to ClusterIP
and just using kubectl proxy
to open a secure channel into the cluster. Then access kubeless-ui
using the service proxy URL over localhost:8001
(http://localhost:8001/api/v1/proxy/namespaces/kubeless/services/ui:ui-port/
). The Kubernetes Dashboard uses a similar strategy.
@thoughtentity yes good points.
We are actually re-writing a kubeless UI in kubeapps: https://github.com/kubeapps/kubeapps . the dashboard is indeed opened via a proxy connection, plus we are starting to align with the k8s dashboard auth strategies:
https://github.com/kubeapps/kubeapps/issues/199
PR welcome on any projects to move in the right direction :)
We need to think about authentication for this.
The k8s dashboard might give us some ideas.
The coreOS dex project might be useful as well.