policy-reporter
[UI] Policy Reporter UI Authentication Support via OpenID Connect
Configure an optional OpenID Connect Provider to enable Authentication for Policy Reporter UI
- Policy Reporter UI will only provide the API and configuration
- Possible Libraries
- https://github.com/coreos/go-oidc
- https://github.com/zitadel/oidc
FYI, I used gogatekeeper to configure OIDC auth via Keycloak (in my case). It creates an additional proxy service with auth: https://github.com/gogatekeeper/gatekeeper
Hey, thanks for the hint, will check it out.
Can we add an option to include extra containers in the kyverno policy reporter UI deployment so that we can include an oauth2 proxy container for OIDC or other authentication? It should be a very simple change to just allow setting extra containers and connecting the kube service to the correct port in the helm chart.
I can have a look at it.
It would be nice if auth was implemented via kubernetes impersonation. This way, consumers would only be allowed to see the reports & policies they are allowed to see from a kubernetes RBAC perspective. I made an adapter for kubernetes-dashboard here: https://github.com/aslafy-z/k8s-dashboard-impersonation-proxy
I’ll have a look, thanks for feedback.
@fjogeleit Hi!
I have a question.
Does the kyverno UI have a specific URI path to redirect auth requests to OIDC?
Something like /oauth or /login etc.
I have a specific issue.
I use gogatekeeper to secure the UI using OIDC auth.
When I try to open or download a report I get nothing, but in developer mode I see that kyverno gives me the HTML docs, but gatekeeper breaks it via redirects.
I'm trying to configure a specific path to get auth when you open the UI for the first time
and exclude the /api/* path from redirects,
since reports are generated using this URI: `/api/kyverno/policy-details-reporting*`
```yaml
gatekeeper:
  config:
    resources:
      - uri: /
        methods:
          - GET
          - POST
          - DELETE
          - PUT
        groups:
          - admin
      - uri: /api/*
        white-listed: true
```
Do you have any thoughts on how to get reports using a secured ingress via gatekeeper? :)
Hi, the current v1 UI doesn't support any kind of direct authentication. The UI v2 which I am currently working on has integrated oidc support.
You can check https://github.com/kyverno/policy-reporter/tree/3.x and https://github.com/kyverno/policy-reporter/blob/3.x/docs/UI_AUTH.md for details.
Related to the docs, the open button fetches the report via the API and creates a local ObjectURL to download / open the report. I assume that gogatekeeper cannot handle this correctly.
Hello @fjogeleit ,
Do you know if OIDC will allow you to select different groups tied back to a subset of clusters for access?
For example it would be really nice to tie the groups to only see the clusters they have access to when creating a federated policy ui.
Hey, thanks for your feedback. In the current MVP a permission model is not included.
The main issue is that neither OIDC nor OAuth has a universal interface/API.
So I need to plan an actual implementation to
- get permissions from the provider or
- Define a custom configuration which would require additional work for the administrator
I don't mind helping with a PR :) as long as we agree on the implementation. Is there a larger issue tracking all that needs to be done for the new version?
Does something like the following make sense?
```yaml
clusters:
  - name: External Cluster
    api: https://policy-reporter.external.cluster
    kyvernoApi: https://kyverno-plugin.external.cluster
    username: username
    password: password
    secretRef: auth-secret
    oidc: # optional, if you want to specify group level access
      groups:
        - some-group
```
Where would you configure the groups of a user? I assume with the respective provider, and the challenge is to get this information from the provider because it's not part of the OIDC spec and differs for each provider.
Also requested is the ability to configure permissions for the different views.
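One way the group-based cluster filter sketched in the proposed `clusters:` config could be wired to a verified ID token, as an added example written for this edit rather than code from the policy-reporter project or the thread's participants. It uses only the Go standard library: it signs a constructed Keycloak-style token with a throwaway key (standing in for the provider), verifies the signature with the algorithm pinned to RS256, merges memberships from two claim locations (`groups` and `realm_access.roles`; both are assumptions about provider behaviour, since, as the reply above says, neither is part of core OIDC), and filters a constructed cluster list. The `ClusterAccess` type, cluster names and group names are illustrative, and the forged-token check at the end shows why the signature must be checked before any group claim is trusted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ClusterAccess mirrors the proposed per-cluster config; empty Groups means open to all users.
type ClusterAccess struct {
	Name   string
	Groups []string
}

// Claims names provider-specific claim locations (assumption: core OIDC defines none; "groups" is common, Keycloak also uses realm_access.roles).
type Claims struct {
	Groups      []string            `json:"groups"`
	RealmAccess map[string][]string `json:"realm_access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 is a fixture standing in for the provider; the ignored errors cannot occur here.
func signRS256(key *rsa.PrivateKey, claims Claims) string {
	payload, _ := json.Marshal(claims)
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}

// verifyRS256 checks the signature before any claim is trusted. The header's alg is never read:
// pinning the algorithm defeats alg confusion. go-oidc would also check iss, aud and exp.
func verifyRS256(pub *rsa.PublicKey, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c Claims
	return &c, json.Unmarshal(payload, &c)
}

// VisibleClusters applies the group filter from the proposed config.
func VisibleClusters(clusters []ClusterAccess, userGroups []string) []string {
	var out []string
	for _, cl := range clusters {
		ok := len(cl.Groups) == 0 // no groups configured: open to every authenticated user
		for _, g := range cl.Groups {
			for _, u := range userGroups {
				ok = ok || g == u
			}
		}
		if ok {
			out = append(out, cl.Name)
		}
	}
	return out
}

// Demo: a constructed Keycloak-style token whose only membership is a realm role, then a copy edited after signing.
func Demo() (visible []string, forgeryRejected bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // fixture; real keys come from the provider's JWKS
	claims := Claims{RealmAccess: map[string][]string{"roles": {"platform-team"}}}
	token := signRS256(key, claims)
	verified, err := verifyRS256(&key.PublicKey, token)
	if err != nil {
		panic(err) // cannot happen for a token signed with the matching key
	}
	groups := append(verified.Groups, verified.RealmAccess["roles"]...) // merge all claim locations
	clusters := []ClusterAccess{
		{Name: "Internal Cluster"},
		{Name: "External Cluster", Groups: []string{"platform-team"}},
		{Name: "Finance Cluster", Groups: []string{"finance-admins"}},
	}
	visible = VisibleClusters(clusters, groups)
	claims.Groups = []string{"finance-admins"} // edited payload, reused signature
	forged, _ := json.Marshal(claims)
	parts := strings.Split(token, ".")
	_, err = verifyRS256(&key.PublicKey, parts[0]+"."+b64(forged)+"."+parts[2])
	return visible, err != nil
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints the two clusters the user may see and `true` for the forged token being rejected. In a real deployment the hand-rolled `verifyRS256` would be replaced by the go-oidc verifier already listed in the issue, which fetches the provider's JWKS and checks issuer, audience and expiry; the part that stays provider-specific is the claim lookup in `Demo`, which is exactly the gap the reply above points at.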