This section covers the Authentication & Authorization features of Application Manager, which collectively we will refer to as Auth herein.
Application Manager utilizes a number of resources to facilitate the Auth story, which are outlined below:
With these resources you have a great deal of freedom to define the Authentication and Authorization posture that best suits your needs: enabling Authentication but not Authorization; enabling both with permissive Roles and RoleBindings that grant access to some common Namespaces; or a restrictive set of fine-grained Roles and RoleBindings that tightly regulate access to your cluster's resources.
The auth features of Application Manager are specified under the auth key in the main configuration file. Below is an example auth configuration block:
auth:
  authentication: oidc
  authorization: rbac
  # OpenID Connect (OIDC) configuration (only active if picked in
  # authentication). On the provider side, the callback should be
  # registered at path '/api/auth/login/oidc'.
  oidc:
    clientId: client-id-from-provider
    secret: secret-from-provider
    discoveryUri: https://accounts.google.com/.well-known/openid-configuration
  # ApiToken-based authentication
  apiTokens:
    # Application-picked secret for generating token digests
    secretKey: application-secret
  # Role-based authorization
  rbac:
    # Optional set of admin users for bootstrapping
    adminUsers:
      - email@example.com
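The block above is easy to get subtly wrong: selecting oidc without supplying the provider values, shipping the placeholder secretKey, or bootstrapping adminUsers with something that is not an e-mail address. The following pre-deployment check is an added example written for this page, not part of Application Manager itself. It walks an already-parsed auth block (a plain dict, so it runs without a YAML library) and reports misconfigurations. The minimum secret length, the placeholder list and the rule that a missing authorization value means no access control are assumptions of this example, not documented Application Manager behaviour; the two sample configurations are constructed.

```python
"""Sanity checks for an Application Manager-style `auth` block (added example)."""
import re
from typing import Any

# Constructed sample configurations; the layout follows the documented `auth` block.
GOOD_CONFIG = {
    "auth": {
        "authentication": "oidc",
        "authorization": "rbac",
        "oidc": {
            "clientId": "client-id-from-provider",
            "secret": "prov-issued-0f9a7c2e5b1d",  # constructed, stands in for a real provider secret
            "discoveryUri": "https://accounts.google.com/.well-known/openid-configuration",
        },
        "apiTokens": {"secretKey": "k9F2pQ7xL0vB4nR8tW1yZ6cM3hJ5sD0e"},  # constructed, 32 chars
        "rbac": {"adminUsers": ["email@example.com"]},
    }
}

BAD_CONFIG = {
    "auth": {
        "authentication": "oidc",
        "authorization": "rbac",
        "oidc": {
            "clientId": "client-id-from-provider",
            # no `secret`, and discovery over plain http
            "discoveryUri": "http://accounts.example.com/.well-known/openid-configuration",
        },
        "apiTokens": {"secretKey": "application-secret"},  # placeholder left in place
        "rbac": {"adminUsers": ["not-an-email"]},
    }
}

# Assumption: values that are obviously documentation placeholders, never real secrets.
PLACEHOLDER_SECRETS = {"", "application-secret", "secret-from-provider", "changeme"}
MIN_SECRET_LEN = 32  # assumption: a reasonable floor for a key used to digest tokens
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_auth_config(config: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings: list[str] = []
    auth = config.get("auth")
    if not isinstance(auth, dict):
        return ["auth: block missing"]

    authn = auth.get("authentication")
    authz = auth.get("authorization")

    # OIDC is only active when picked under `authentication`; then its values are mandatory.
    if authn == "oidc":
        oidc = auth.get("oidc") or {}
        for key in ("clientId", "secret", "discoveryUri"):
            if not oidc.get(key):
                findings.append(f"oidc.{key}: required when authentication is 'oidc'")
        if oidc.get("secret") in PLACEHOLDER_SECRETS and oidc.get("secret"):
            findings.append("oidc.secret: placeholder value, replace with the provider-issued secret")
        uri = oidc.get("discoveryUri") or ""
        if uri and not uri.startswith("https://"):
            findings.append("oidc.discoveryUri: must use https; the discovery document is trusted")

    # The apiTokens secret is what makes token digests unforgeable.
    if "apiTokens" in auth:
        key = (auth.get("apiTokens") or {}).get("secretKey") or ""
        if key in PLACEHOLDER_SECRETS:
            findings.append("apiTokens.secretKey: placeholder value; token digests would be forgeable")
        elif len(key) < MIN_SECRET_LEN:
            findings.append(f"apiTokens.secretKey: shorter than {MIN_SECRET_LEN} characters")

    # RBAC bootstrap users must be addresses the identity provider can actually match.
    if authz == "rbac":
        rbac = auth.get("rbac") or {}
        for i, user in enumerate(rbac.get("adminUsers") or []):
            if not isinstance(user, str) or not EMAIL_RE.match(user):
                findings.append(f"rbac.adminUsers[{i}]: {user!r} is not an e-mail address")
    elif not authz:
        # Assumption: with no authorization configured, authenticated users are unrestricted.
        findings.append("authorization: not set; authenticated users are not restricted")

    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, check_auth_config(cfg) or "OK")
```

Run it before applying a configuration; the good sample passes cleanly and the bad sample produces one finding per mistake (missing OIDC secret, plain-http discovery URI, placeholder API-token key, malformed admin user).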