Access Control
This section covers the Authentication & Authorization features of Application Manager, which collectively we will refer to as Auth herein.
Introduction
Application Manager utilizes a number of resources to facilitate the Auth story, which are outlined below:
- Authentication
  - OpenID Connect (OIDC)
  - ApiTokens
- Authorization
With these resources you have an immense level of freedom to define the Authentication and Authorization posture that best suits your needs. That may mean enabling Authentication but not Authorization, enabling both with very permissive Roles and RoleBindings that allow access to some common Namespaces, or a very restrictive set of fine-grained Roles and RoleBindings that tightly regulate access to your cluster's resources.
The auth features of Application Manager are specified under the auth key in the main configuration file. Below is an example auth configuration block:
```yaml
auth:
  authentication: oidc
  authorization: rbac
  # OpenID Connect (OIDC) configuration (only active if picked in
  # authentication). On the provider side, the callback should be
  # registered at path '/api/auth/login/oidc'.
  oidc:
    clientId: client-id-from-provider
    secret: secret-from-provider
    discoveryUri: https://accounts.google.com/.well-known/openid-configuration
  # ApiToken-based authentication
  apiTokens:
    # Application-picked secret for generating token digests
    secretKey: application-secret
  # Role-based authorization
  rbac:
    # Optional set of admin users for bootstrapping
    adminUsers:
      - user@email.com
```
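As an added example (not part of Application Manager or its documentation), the following pre-deployment check walks an already-loaded `auth` block and reports the mistakes this page makes easy to commit: an `oidc` section left incomplete while `authentication: oidc` is selected, a non-https discovery URI, an empty `rbac.adminUsers`, and documentation placeholder secrets left in place. The function name `check_auth_config` and the finding texts are assumptions; the sample dict is the page's own block as PyYAML's `safe_load` would return it.

```python
from typing import Any

# Constructed sample: the page's example `auth` block after YAML loading,
# kept with its documentation placeholder values on purpose.
SAMPLE_AUTH: dict[str, Any] = {
    "authentication": "oidc",
    "authorization": "rbac",
    "oidc": {
        "clientId": "client-id-from-provider",
        "secret": "secret-from-provider",
        "discoveryUri": "https://accounts.google.com/.well-known/openid-configuration",
    },
    "apiTokens": {"secretKey": "application-secret"},
    "rbac": {"adminUsers": ["user@email.com"]},
}

# Values copied verbatim from the documentation; they must never reach production.
DOC_PLACEHOLDERS = {"client-id-from-provider", "secret-from-provider", "application-secret"}
OIDC_REQUIRED = ("clientId", "secret", "discoveryUri")


def check_auth_config(auth: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was spotted.

    Hypothetical helper, not Application Manager code. The rules follow what the
    page states (oidc settings only matter when picked, adminUsers is optional)
    plus the assumption that placeholder secrets are never acceptable.
    """
    findings: list[str] = []
    authn = auth.get("authentication")
    oidc = auth.get("oidc") or {}
    if authn == "oidc":
        for key in OIDC_REQUIRED:
            if not oidc.get(key):
                findings.append(f"oidc.{key} is missing but authentication is oidc")
        uri = str(oidc.get("discoveryUri", ""))
        if uri and not uri.startswith("https://"):
            findings.append("oidc.discoveryUri is not an https URL")
    elif authn is None:
        findings.append("authentication is not set: authentication is disabled")
    # The page calls adminUsers optional; flagging an empty set is an assumption.
    if auth.get("authorization") == "rbac" and not (auth.get("rbac") or {}).get("adminUsers"):
        findings.append("rbac.adminUsers is empty: no admin user is bootstrapped")
    secrets = (("oidc.secret", oidc.get("secret")),
               ("apiTokens.secretKey", (auth.get("apiTokens") or {}).get("secretKey")))
    for path, value in secrets:
        if value in DOC_PLACEHOLDERS:
            findings.append(f"{path} still holds the documentation placeholder value")
    return findings
```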