Version: 1.28.6

Kubernetes Fury Auth

Overview

Kubernetes Fury Auth uses CNCF recommended, Cloud Native projects, such as the Dex identity provider, and Pomerium as an identity-aware proxy to enable secure access to internal applications.

Module's repository: https://github.com/sighupio/fury-kubernetes-auth

Packages

Kubernetes Fury Auth provides the following packages:

Package     Description
Pomerium    Identity-aware proxy that enables secure access to internal applications.
Dex         Dex is a Federated OpenID Connect Provider.
Gangplank   Enable authentication flows via OIDC for a Kubernetes cluster.

Compatibility

Kubernetes Version   Compatibility notes
1.28.x               No known issues.
1.29.x               No known issues.
1.30.x               No known issues.
1.31.x               No known issues.

Check the compatibility matrix for additional information on previous releases of the modules.

Introduction: Authentication in Kubernetes

Authentication in Kubernetes is a critical component for securing cluster access and ensuring that only authorized users or services can perform specific actions. Kubernetes supports several authentication methods, including service accounts, bearer tokens, certificates, and external identity providers using OpenID Connect (OIDC). For organizations with complex identity requirements, integrating OIDC providers like Dex with advanced access management solutions like Pomerium offers a powerful, flexible approach to authentication and authorization.

OpenID Connect (OIDC)

OIDC is an identity layer built on top of the OAuth 2.0 protocol. It provides a secure and standardized way for users and services to authenticate using an identity provider (IdP). Kubernetes' support for OIDC enables seamless integration with external IdPs, making it easier to manage user identities and roles across multiple clusters. This method allows organizations to unify authentication across their tech stack, leveraging providers like Google, GitHub, or self-hosted solutions like Dex.

KFD: Authentication Module

The Authentication module provided by KFD is a comprehensive solution to protect applications inside the cluster with a number of options for different scenarios.

The module includes:

  • Pomerium to enable secure access to internal applications without requiring application changes.
  • Dex, an identity service that uses OpenID Connect to drive authentication for other apps.
  • Gangplank to easily enable authentication flows via OIDC for a Kubernetes cluster.

If you don't want to use OIDC flows, you can also choose to have HTTP Basic Auth instead, which will add a user and password basic authentication to every Ingress provided by KFD.

This module can be configured in a number of different ways:

  • Disabled
  • HTTP Basic Auth for all KFD Ingress resources
  • SSO with Pomerium + Dex for all KFD Ingress resources
  • OIDC authentication for Kubernetes APIs using Gangplank + Pomerium + Dex (OnPremises only)

Note that the HTTP Basic Auth option still lets you configure OIDC authentication for Kubernetes (if you are installing KFD using the OnPremises provider): in this case Pomerium + Dex will only protect the Kubernetes APIs and not the KFD Ingresses, which will be protected with Basic Auth instead.
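The SSO mode and the HTTP Basic Auth alternative side by side, as a furyctl cluster configuration fragment added here (it is not taken from the module's documentation). The field names under spec.distribution.modules.auth are assumed from KFD's furyctl schema, so verify them against the schema for your version; every secret value is a placeholder.

```yaml
# Added example, not from the KFD documentation.
# Field names are assumed from KFD's furyctl schema; values in <...> are placeholders.
spec:
  distribution:
    modules:
      auth:
        # Mode 1: SSO. Pomerium + Dex protect every Ingress provided by KFD.
        provider:
          type: sso
        # Domain under which Dex and Pomerium are published (assumed key).
        baseDomain: example.dev
        pomerium:
          secrets:
            # Generate each value independently (e.g. `head -c 32 /dev/urandom | base64`),
            # never reuse one value for two keys, and keep them out of version control.
            COOKIE_SECRET: <base64-32-random-bytes>
            IDP_CLIENT_SECRET: <secret-of-the-dex-client-used-by-pomerium>
            SHARED_SECRET: <base64-32-random-bytes>
            SIGNING_KEY: <base64-pem-ec-private-key>

        # Mode 2: HTTP Basic Auth on every KFD Ingress instead of SSO.
        # Replace the `provider` block above with this one. With the OnPremises
        # provider the Kubernetes API can still use OIDC (Gangplank + Pomerium + Dex)
        # in this mode; only the KFD Ingresses fall back to Basic Auth.
        # provider:
        #   type: basicAuth
        #   basicAuth:
        #     username: admin
        #     password: <strong-random-password>
```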

Pomerium

Pomerium is a modern, open-source identity-aware access proxy that extends the capabilities of OIDC by providing fine-grained access control, zero trust security, and simplified single sign-on (SSO) configurations. By acting as an intermediary between users and applications, Pomerium centralizes authentication while offering robust features like:

  • Policy-Based Access Control: Define access rules based on user identity, group membership, or custom claims.
  • Dynamic Access Management: Adapt policies to changing organizational needs without downtime.

If you choose sso as provider type inside your cluster configuration, Pomerium will protect all Ingresses provided by the distribution by default. You can also specify custom routes and policies, see more in Pomerium's docs.
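A custom route with a Pomerium policy, written in Pomerium's own route and policy language (PPL) as an added example, not from the module's documentation. In KFD it would be placed under the cluster configuration's Pomerium routes (an assumed key); hostnames, service names and group names are placeholders.

```yaml
# Added example, not from the KFD documentation. Pomerium route + PPL policy;
# hostnames, upstream service and group names are placeholders.
routes:
  - from: https://internal-tool.example.dev
    to: http://internal-tool.internal-tool.svc.cluster.local:8080
    # Pomerium injects identity headers for the upstream, so the app itself
    # needs no OIDC code (the "no application changes" property above).
    pass_identity_headers: true
    policy:
      - allow:
          and:
            # The identity must come from the corporate email domain ...
            - domain:
                is: example.dev
            # ... AND carry one of these values in Dex's "groups" claim.
            - or:
                - claim/groups: platform-admins
                - claim/groups: internal-tool-users
      # Deny rules take precedence over allow rules: a shared account is
      # blocked even though it matches the allow rule above.
      - deny:
          or:
            - email:
                is: shared-bot@example.dev
```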

Dex

Dex is an open-source OIDC identity provider designed to connect to various authentication backends, such as LDAP, Active Directory, SAML, and social login providers like Google or GitHub. It acts as a bridge between these identity sources and applications that require OIDC authentication. In a Kubernetes context, Dex simplifies authentication by enabling Kubernetes to leverage centralized identity management systems without directly integrating them into the cluster.

Dex generates OIDC tokens upon successful authentication, which Kubernetes can validate to authenticate users and determine their roles. Its modular architecture makes it highly extensible and adaptable to various deployment scenarios. By combining Dex with Pomerium, organizations can integrate their existing identity solutions into Kubernetes while benefiting from advanced access management. This approach ensures secure, scalable, and user-friendly authentication workflows for applications hosted inside Kubernetes clusters.

You can customize the Dex configuration inside your cluster to use any number of connectors and additional static clients, see more in Dex's docs.
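An LDAP connector and an additional static client in Dex's own configuration format, added here as an example (not from the module's documentation). In KFD these two lists would go under the cluster configuration's Dex connectors and additional static clients (assumed keys); hosts, DNs, client ids and secret names are placeholders.

```yaml
# Added example, not from the KFD documentation. Dex-native connector and
# static client; hosts, DNs, ids and secret names are placeholders.
connectors:
  - type: ldap
    id: corp-ldap
    name: Corporate LDAP
    config:
      host: ldap.example.internal:636
      insecureNoSSL: false        # keep LDAPS; plain LDAP sends bind credentials in clear
      insecureSkipVerify: false   # validate the LDAP server certificate ...
      rootCA: /etc/dex/ldap-ca.pem  # ... against the internal CA
      bindDN: cn=dex-reader,ou=service,dc=example,dc=internal
      bindPW: $LDAP_BIND_PW       # Dex expands $VAR from the environment; keep it out of the file
      userSearch:
        baseDN: ou=people,dc=example,dc=internal
        filter: "(objectClass=person)"
        username: uid
        idAttr: uid
        emailAttr: mail           # becomes the "email" claim
        nameAttr: cn
      groupSearch:
        baseDN: ou=groups,dc=example,dc=internal
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn              # becomes the "groups" claim Pomerium and RBAC can match on
staticClients:
  - id: internal-tool
    name: Internal Tool
    secretEnv: INTERNAL_TOOL_CLIENT_SECRET   # read from the environment, not stored inline
    redirectURIs:
      - https://internal-tool.example.dev/oauth2/callback   # exact match; no wildcards
```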

Gangplank

Kubernetes supports OpenID Connect Tokens as a way to identify users who access the cluster.

Gangplank is an open-source application maintained by SIGHUP that provides an easy way to integrate OIDC authentication for Kubernetes APIs. Using Gangplank, you authenticate on its UI with your OIDC provider and it provides you with a kubeconfig file tied to your user. This way, you can also specify the permissions to be granted to each user by using standard Kubernetes RBAC.
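How the identity in a Gangplank-issued kubeconfig maps onto RBAC, as an added example that is not part of the module's documentation. It assumes the API server validates Dex tokens with the kube-apiserver OIDC flags shown in the comment (issuer URL, client id, claim names and prefixes are placeholders); the user and group names in the bindings must match those claims, prefix included.

```yaml
# Added example, not from the KFD documentation. Assumed kube-apiserver flags
# (issuer, client id and prefixes are placeholders):
#   --oidc-issuer-url=https://login.example.dev/dex
#   --oidc-client-id=gangplank
#   --oidc-username-claim=email   --oidc-username-prefix="oidc:"
#   --oidc-groups-claim=groups    --oidc-groups-prefix="oidc:"
# The prefixes keep OIDC identities from colliding with built-in subjects
# such as the system:masters group.
---
# Everyone in Dex's "team-a" group gets read-only access to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-viewers
  namespace: team-a
subjects:
  - kind: Group
    name: oidc:team-a              # "groups" claim value, with the groups prefix
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                       # built-in read-only aggregated role
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-admin is bound to a named person, not to the whole email domain.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins
subjects:
  - kind: User
    name: oidc:alice@example.dev   # "email" claim value, with the username prefix
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

Check the mapping with `kubectl auth can-i --list --as=oidc:alice@example.dev --as-group=oidc:team-a` before handing out kubeconfigs.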

Monitoring

KFD Auth module integrates out-of-the-box with KFD's Monitoring module, providing metrics and dashboards to visualize the status of its components.

In particular:

  • Dex exposes the standard Go adapter metrics; they are scraped automatically by Prometheus when using the KFD Monitoring module, but no Grafana dashboards or alerts are defined for them.
  • Pomerium exposes several metrics about Pomerium itself and its underlying Envoy proxy. They are scraped automatically by Prometheus, and two Grafana dashboards tagged "pomerium" are available when using the KFD Monitoring module.

[Screenshots: Pomerium dashboard; Pomerium Envoy dashboard]
