Disable login screen when authenticating with an external reverse proxy
Summary
Provide a flag that bypasses login when a token is present in the Authorization header.
Background and rationale
I've integrated KubeApps with OpenUnison's reverse proxy, which injects a token that is accepted by the API server, instead of the bundled oauth2-proxy. I didn't integrate via the oauth2 proxy because it doesn't handle very short-lived tokens (1 min) well, and so each page was refreshing the authentication back to OpenUnison's identity provider. Integrating this way lets me inject a short-lived (1 min) token that the API server will recognize without having to get a new token via OIDC every minute and without having to deal with refresh tokens.
While the setup with OpenUnison works, I'm presented with a login screen asking for a token. Providing any value bypasses this screen without issue. (This isn't a security issue, because the token that's injected into the header is used.) Setting authProxy.skipKubeappsLoginPage to true has no impact (probably because authProxy.enabled is false).
This request is similar to how the Kubernetes Dashboard and Kiali both work with external proxies.
Description
Add a helm chart option similar to frontend.skipLogin or just detect that there's a token and skip the login page.
Acceptance criteria
If frontend.skipLoginPage is true, trust the Authorization header and do not present a login screen.
Thanks @mlbiam. Although I agree that skipping the login page is the ideal behavior here in the situation described, I'm unsure why you're seeing the login page if the Authorization header is already populated with a valid (i.e. accepted by the API server) token. Kubeapps isn't itself aware of the authentication, it (the dashboard) simply tries a request and relies on an Authorization header (often set by the proxy - whether it's oauth2-proxy or OpenUnison?).
Ah right, as you say, because you've got authProxy.enabled set to false, the chart is assuming that you want to use token authentication. Have you tried:
authProxy:
  enabled: true
  external: true
This tells Kubeapps that you are using an auth proxy, but an external one (not the one bundled with the chart).
Hi @mlbiam, did you finally test the above-mentioned options?
I haven't, though I still have it set up. I'll also ping my customer that was planning to roll this out and see if they've tried it.
I'm being lazy, but does the reverse proxy integration support impersonation header passthrough along with passing the token along? (i.e. like the way the Kubernetes Dashboard will pass impersonation headers when present?) I'm doing a session on securing dashboards in Kubernetes next month at Civo Navigate and want to include Kubeapps.
Thanks
Thanks for the update! I'd say, from memory, we have a frontend.proxypassAccessTokenAsBearer param which allows passing the raw access_token as the Bearer when talking to the k8s api server.
Have a look at the frontend.* config our chart has, maybe they can be useful for your use case: https://github.com/bitnami/charts/tree/main/bitnami/kubeapps#frontend-parameters
Good luck in your Securing Dashboards in a Command Line World talk! Happy to see Kubeapps featured there :)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.