Kubernetes Webhook Token Authenticator for GitHub

This project implements a Kubernetes Webhook Token Authenticator for authenticating users using GitHub Personal Access Token.

When user tries to authenticate to the Kubernetes API, the Kubernetes apiserver calls this authenticator to verify the bearer token. This authenticator checks if the access token is valid using GitHub API and returns the GitHub username to apiserver.

You should configure Kubernetes apiserver with an authorization plugin to control what Kubernetes resources can a user access.

How to use

First of all, you need to run the authenticator using the example DaemonSet manifest. It is recommended to run the authenticator on your Kubernetes master using host networking so that the apiserver can access the authenticator through the loopback interface.

kubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/github-authn.yaml

Confirm that the authenticator is running:

kubectl get ds -l k8s-app=github-authn -n kube-system

Next, configure apiserver to verify bearer token using this authenticator. There are two configuration options you need to set:

• --authentication-token-webhook-config-file a kubeconfig file describing how to access the remote webhook service.
• --authentication-token-webhook-cache-ttl how long to cache authentication decisions. Defaults to two minutes.

Check the example config file and save this file in the Kubernetes master. Set the path to this config file with configurion option above.

It is recommended you read the Kubernetes documentation for how to configure webhook token authentication.

Authorization with role-based access control (RBAC)

Kubernetes support multiple authorization plugins and we recommend you choose role-based access control (RBAC) because permission settings can be set using the Kubernetes API. Permission is granted on which roles that the authenticated user has.

Suppose that we have a user called johndoe and this user has administrative access to the project project1. First of all, we need to define a new role called admin which can control all resources.

kubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/admin-cluster-role.yaml

We need to assign johndoe to this admin role so that he has control to all the resources in the namespace project1.

kubectl create namespace project1
kubectl create rolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe --namespace=project1

If we want to assign johndoe to the admin role in all namespaces instead of just the project1 namespace, create a ClusterRoleBinding instead of a RoleBinding:

kubectl create clusterrolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe

Read the Kubernetes documentation to learn more about how to configure your apiserver to use RBAC.