  • Stars: 164
  • Rank: 230,032 (Top 5 %)
  • Language: Go
  • License: Apache License 2.0
  • Created over 7 years ago
  • Updated about 4 years ago


Repository Details

GitHub token authentication for Kubernetes

Kubernetes Webhook Token Authenticator for GitHub

This project implements a Kubernetes Webhook Token Authenticator for authenticating users using a GitHub Personal Access Token.

When a user tries to authenticate to the Kubernetes API, the Kubernetes apiserver calls this authenticator to verify the bearer token. The authenticator checks whether the access token is valid using the GitHub API and returns the GitHub username to the apiserver.

You should configure the Kubernetes apiserver with an authorization plugin to control which Kubernetes resources a user can access.
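The exchange described above, as an added example that is not part of this project's code: the apiserver POSTs a TokenReview object to the webhook, the webhook resolves the bearer token to a GitHub login, and answers with a TokenReview whose status carries the decision. The GitHub API call is replaced by an injected lookup backed by a constructed in-memory map so the example runs offline; the apiVersion "authentication.k8s.io/v1" and the listen address 127.0.0.1:3000 are assumptions, not values taken from the project. The decision fails closed: any lookup error yields authenticated=false, and the token itself is never copied into the response or logged.

```go
// Added example (not the project's own code): a minimal Kubernetes webhook
// token authenticator of the kind the README describes.
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
)

// TokenReview mirrors the authentication.k8s.io TokenReview object; only the
// fields this webhook uses are declared. The v1 apiVersion is an assumption;
// older apiservers send v1beta1.
type TokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Token string `json:"token"`
	} `json:"spec"`
	Status struct {
		Authenticated bool `json:"authenticated"`
		User          struct {
			Username string   `json:"username,omitempty"`
			UID      string   `json:"uid,omitempty"`
			Groups   []string `json:"groups,omitempty"`
		} `json:"user"`
		Error string `json:"error,omitempty"`
	} `json:"status"`
}

// Lookup resolves a personal access token to a GitHub login. The project does
// this against the GitHub API; any implementation must return an error for an
// unknown or revoked token.
type Lookup func(token string) (login string, err error)

// Review is the core decision. It reports authenticated=true only when the
// lookup succeeded and never echoes the token back to the apiserver.
func Review(in TokenReview, lookup Lookup) TokenReview {
	out := TokenReview{APIVersion: in.APIVersion, Kind: "TokenReview"}
	if out.APIVersion == "" {
		out.APIVersion = "authentication.k8s.io/v1" // assumption, see lead-in
	}
	if in.Spec.Token == "" {
		out.Status.Error = "empty token"
		return out
	}
	login, err := lookup(in.Spec.Token)
	if err != nil || login == "" {
		out.Status.Error = "token rejected" // deliberately vague toward callers
		return out
	}
	out.Status.Authenticated = true
	out.Status.User.Username = login
	return out
}

// Handler adapts Review to the HTTP shape the apiserver expects:
// a POST carrying a JSON TokenReview, answered with a JSON TokenReview.
func Handler(lookup Lookup) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Cap the body so a malformed client cannot exhaust memory.
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<16))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		var in TokenReview
		if err := json.Unmarshal(body, &in); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Review(in, lookup))
	})
}

// constructedTokens stands in for the GitHub API; the token value is made up.
var constructedTokens = map[string]string{
	"ghp_example_valid_token": "johndoe",
}

// ConstructedLookup is the offline replacement for the GitHub call.
func ConstructedLookup(token string) (string, error) {
	if login, ok := constructedTokens[token]; ok {
		return login, nil
	}
	return "", errors.New("unknown token")
}

func main() {
	// Loopback only, matching the README's host-networking advice (port assumed).
	log.Fatal(http.ListenAndServe("127.0.0.1:3000", Handler(ConstructedLookup)))
}
```

With the webhook running, the apiserver's decision for a given bearer token is exactly what Review returns; the cache TTL flag described later in the README controls how long the apiserver reuses that answer before calling the webhook again, which is also how long a revoked token stays usable.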

How to use

First of all, you need to run the authenticator using the example DaemonSet manifest. It is recommended to run the authenticator on your Kubernetes master using host networking so that the apiserver can reach the authenticator through the loopback interface.

kubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/github-authn.yaml

Confirm that the authenticator is running:

kubectl get ds -l k8s-app=github-authn -n kube-system

Next, configure the apiserver to verify bearer tokens using this authenticator. There are two configuration options you need to set:

  • --authentication-token-webhook-config-file: a kubeconfig file describing how to access the remote webhook service.
  • --authentication-token-webhook-cache-ttl: how long to cache authentication decisions. Defaults to two minutes.

Check the example config file and save it on the Kubernetes master. Set the path to this config file with the configuration option above.

It is recommended that you read the Kubernetes documentation on how to configure webhook token authentication.

Authorization with role-based access control (RBAC)

Kubernetes supports multiple authorization plugins; we recommend role-based access control (RBAC) because permission settings can be managed through the Kubernetes API. Permissions are granted according to the roles bound to the authenticated user.

Suppose we have a user called johndoe who has administrative access to the project project1. First of all, we need to define a new role called admin which can control all resources.

kubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/admin-cluster-role.yaml

We need to bind johndoe to this admin role so that he has control over all the resources in the namespace project1.

kubectl create namespace project1
kubectl create rolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe --namespace=project1

If we want to assign johndoe to the admin role in all namespaces instead of just the project1 namespace, create a ClusterRoleBinding instead of a RoleBinding:

kubectl create clusterrolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe

Read the Kubernetes documentation to learn more about how to configure your apiserver to use RBAC.
