Add optional `host` to `KubernetesServiceConnection`
What is the feature and why do you need it:
I’m running Authentik with Istio, and I’ve configured Istio to block all outbound traffic from Authentik except explicitly allowed destinations. However, the outpost_service_connection_monitor component connects to the Kubernetes API using an IP address by default, which makes it difficult to configure Istio rules.
If the KubernetesServiceConnection class provided an optional host field that could be used like this:
```python
config.host = connection.host
```
it would allow the use of a hostname such as https://kubernetes.default.svc, making it much easier to configure Istio to permit access to the Kubernetes API.
Describe the solution you'd like to see:
Add an optional host field to KubernetesServiceConnection and use it to override the default API endpoint when initializing the Kubernetes client.
KubernetesServiceConnection cannot be found in this repo, where do you see it?
Right now we have this code
https://github.com/goauthentik/authentik/blob/e9c2e10828c3e2949a6dfc7cffb04ccb4e0b7087/authentik/outposts/controllers/kubernetes.py#L41
```python
class KubernetesClient(ApiClient, BaseClient):
    """Custom kubernetes client based on service connection"""

    def __init__(self, connection: KubernetesServiceConnection):
        config = Configuration()
        try:
            if connection.local:
                load_incluster_config(client_configuration=config)
            else:
                load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
            config.verify_ssl = connection.verify_ssl
            super().__init__(config)
        except ConfigException as exc:
            raise ServiceConnectionInvalid(exc) from exc
```
I propose adding host to the connection and adding:
```python
config.verify_ssl = connection.verify_ssl  # existing code
if connection.host is not None:
    config.host = connection.host  # new code
super().__init__(config)  # existing code
```
Here is the KubernetesServiceConnection class:
Sorry, wrong repo
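One way the optional `host` override requested in this issue could be validated before it replaces the endpoint (an added example, not authentik's code). The check matters because the in-cluster loader puts the service account token into the same configuration, so the client sends that token to whatever host is set. `StubConfig`, `validated_host` and `apply_host_override` are hypothetical names, `StubConfig` stands in for the Kubernetes client's `Configuration` so the block runs offline, and the IP address is a constructed sample.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class StubConfig:
    """Hypothetical stand-in for kubernetes.client.Configuration."""
    host: str
    verify_ssl: bool = True


def validated_host(host: Optional[str]) -> Optional[str]:
    """Return a normalized https endpoint, None for 'no override', or raise ValueError."""
    if host is None or not host.strip():
        return None  # field left empty: keep the endpoint the loader picked
    parts = urlsplit(host.strip())
    if parts.scheme != "https":
        raise ValueError("host must use https")
    if not parts.hostname:
        raise ValueError("host must include a hostname")
    if parts.username or parts.password:
        raise ValueError("host must not embed credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("host must be scheme://hostname[:port] only")
    # urlsplit strips the brackets from IPv6 literals; restore them.
    name = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    port = f":{parts.port}" if parts.port else ""  # .port raises ValueError if invalid
    return f"https://{name}{port}"


def apply_host_override(config: StubConfig, host: Optional[str]) -> StubConfig:
    """Apply the override only when one is set; verify_ssl is left untouched."""
    override = validated_host(host)
    if override is not None:
        config.host = override
    return config


if __name__ == "__main__":
    # Constructed sample: an IP-based endpoint like the one described in the issue.
    cfg = StubConfig(host="https://10.96.0.1:443")
    print(apply_host_override(cfg, "https://kubernetes.default.svc").host)
```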