Kubernetes Authentication, Authorization, and Automation
Kubernetes authentication is an important first step after deploying your cluster. When designing your authentication strategy, take into account:
- Authentication Method – LDAP or Active Directory / SAML2 / OpenID Connect / GitHub
- Minimize Additional Infrastructure – The more you deploy, the more that needs to be secured and managed
- Security – Use short-lived tokens, integrate groups for RBAC, and support session revocation
- Configuration Integration – Use generic upstream kubectl; the fewer components deployed, the less that needs to be maintained and secured
The Orchestra Login Portal, built on OpenUnison, supports all of these goals. Orchestra usually deploys within minutes. There’s no third-party database needed: Orchestra uses Kubernetes Custom Resources to store all session and user data, so individual sessions are easily revoked by deleting objects via kubectl. Finally, Orchestra provides easy integration with both kubectl and the dashboard by creating a single entry point for both.
Compare Kubernetes Authentication Solutions
| Feature | Orchestra Login Portal | Dex | Keycloak |
|---|---|---|---|
| Dashboard Integration | Built-in | Requires an additional reverse proxy (e.g. OAuth2 Proxy) | Requires an additional reverse proxy (e.g. OAuth2 Proxy) |
| .kube/config Generation | One-click setup | No, requires a separate application | No, requires a separate application |
| Integrate short-lived tokens into dashboard and kubectl | Dashboard integration automatically refreshes tokens | Dependent on reverse proxy | Dependent on reverse proxy |
| Relational Database Required | No, all objects stored as Custom Resources | No, all objects stored in API server | Yes (comes with H2) |
| Revoke Single User's Session | Yes | No, must revoke all sessions at once | Yes |
| Trusting client certificates | Yes, when generating .kube/config | No, requires a separate application | No, requires a separate application |
| Supports "Logout" | Yes, ends access to Kubernetes via both kubectl and the Dashboard | No, cannot end a session early | Yes for kubectl; depends on dashboard reverse proxy implementation |
| Customizations | XML + Java | YAML + Go | GUI + Java |
| Automated Operator | Yes – automates certificate management and rollover | Yes | Alpha |
| Supported Authentication Endpoints | LDAP/Active Directory, OpenID Connect, SAML2, GitHub, custom | LDAP/Active Directory, OpenID Connect, SAML2, GitHub | LDAP/Active Directory, OpenID Connect, SAML2 |
| Multi-Factor Authentication Support | TOTP (Google Authenticator), FIDO U2F, Symantec VIP, DUO, One-Time Password, Certificate/X509/Smart Card | None | TOTP |
How Do You Want To Authenticate to Kubernetes?
Beyond Authentication – Authorization and Automation
After authenticating users, the next step is authorizing access to clusters and automating the onboarding of users and namespaces. At KubeCon NA 2017 our CTO discussed how authorization and compliance work in Kubernetes.
Tremolo Security’s Orchestra Portal builds on the login portal and adds:
- Self service creation of new namespaces
- Self service access requests for namespace roles
- Usage and compliance reports
- Workflows that can implement privileged access and zero trust privileges
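The two design points above (short-lived tokens consumed by generic upstream kubectl, and directory groups driving RBAC so that namespace access is granted to a group rather than to individual users) can be seen in plain upstream Kubernetes configuration. The following is an added example written for this page, not Tremolo Security's, OpenUnison's or Orchestra's own configuration: it shows the kube-apiserver OIDC flags, a generated kubeconfig that carries an ID token as a bearer token, and a namespace RoleBinding whose subject is an identity-provider group. The issuer URL, client ID, API server address, CA path, namespace and group names are placeholders.

```yaml
# Added example: OIDC authentication plus group-based RBAC in upstream
# Kubernetes. All hostnames, IDs and group names are placeholders.
#
# 1. kube-apiserver flags. The API server verifies each ID token's signature
#    and expiry against the issuer, so an expired token simply stops working;
#    no extra reverse proxy is involved. The groups prefix keeps IdP groups
#    from colliding with built-in groups such as system:masters.
#
#      --oidc-issuer-url=https://login.example.com/auth/idp/k8sIdp   # placeholder
#      --oidc-client-id=kubernetes                                   # placeholder
#      --oidc-username-claim=sub
#      --oidc-groups-claim=groups
#      --oidc-groups-prefix=oidc:
#
# 2. A generated ~/.kube/config for one user. The ID token is a short-lived
#    JWT placed in the bearer-token field, so unmodified kubectl can use it;
#    when it expires the file must be regenerated (which is why a portal that
#    refreshes tokens for you matters).
---
apiVersion: v1
kind: Config
clusters:
- name: prod
  cluster:
    server: https://k8s-api.example.com:6443        # placeholder
    certificate-authority: /etc/kubernetes/pki/ca.crt   # placeholder
contexts:
- name: prod-oidc
  context:
    cluster: prod
    user: alice-oidc
current-context: prod-oidc
users:
- name: alice-oidc
  user:
    token: <short-lived ID token issued by the login portal>   # placeholder
---
# 3. Namespace onboarding: bind the IdP group "k8s-team-payments" (which the
#    API server sees as "oidc:k8s-team-payments" because of the prefix) to the
#    built-in "edit" ClusterRole, scoped to the "payments" namespace. Adding or
#    removing a person from the directory group changes their access; nobody
#    edits per-user bindings. A self-service workflow would create exactly this
#    object when a namespace is provisioned.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers
  namespace: payments                 # placeholder namespace
subjects:
- kind: Group
  name: oidc:k8s-team-payments        # placeholder group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

To check what a binding actually grants before rolling it out, an administrator with impersonation rights can run `kubectl auth can-i create deployments -n payments --as=alice --as-group=oidc:k8s-team-payments` (expected `yes`) and the same command against a namespace the group is not bound to (expected `no`). Because the subject is a Group rather than a User, the binding never needs to change when team membership does.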
With Kubernetes you have automated your application lifecycle, so why manually add users to role bindings? Just as with the login portal, Orchestra’s automation portal comes in three flavors, depending on how you want to authenticate to your cluster:
Learn More About Tremolo Security and Kubernetes
You’ve seen how Tremolo Security can add enterprise authentication and user management to your Kubernetes cluster, so what’s next? The links below will take you to the GitHub project for our Kubernetes Identity Manager, videos, and example guides to get you started. Feel free to open issues on GitHub or reach out on Twitter to learn more about how Tremolo Security can help you secure your Kubernetes cluster.