Cloud Native

Kubernetes Impersonation, DUO, Okta, and AzureAD in OpenUnison 1.0.18

April 21, 2020


Marc Boorshtein


  • Kubernetes impersonation support - access managed Kubernetes with enterprise credentials and no plugins!
  • Kubernetes impersonation support - Use the dashboard securely on managed clusters
  • Prometheus metrics support - Prometheus metrics authenticated using Kubernetes service accounts
  • Okta - Provision users and groups via the Okta API from OpenUnison workflows
  • AzureAD - Provision users, guests and groups via the Microsoft Graph API from OpenUnison workflows
  • DUO Login - Now supported by OpenUnison
  • Zero Known Vulnerabilities - integration to track dependencies

OpenUnison 1.0.18

Today we’re proud to announce the availability of OpenUnison 1.0.18.  This release is one of our largest feature releases yet and the best part is many of the new features are already in production with existing customers and users!  Most of the features in this release were driven by customer demand.  Let's go through them!


Kubernetes Logo transparent PNG - StickPNG

We already have one of the most comprehensive solutions for integrating authentication and authorization into your clusters via OpenID Connect, but what about your managed clusters like EKS, AKS and GKE?  These technologies won’t let you update their configuration for OpenID Connect integration.  With OpenUnison 1.0.18, and all of the Orchestra login portal implementations on GitHub, you can now integrate your enterprise’s authentication and authorization into these clusters too using impersonation!  Simply deploy one of the Orchestra portals into your cluster and integrate with your identity provider of choice (LDAP/Active Directory, SAML2, OpenID Connect, GitHub) and you’ll be able to access kubectl and the dashboard with the same credentials as you do your on-premises clusters!  No more mapping user credentials to cloud systems and no need for kubectl plugins!

To get this working, we also contributed to the 2.0 Kubernetes dashboard to support impersonation as well as the Java client SDK to support OpenID Connect.  We’re proud that not only are our own products open source, but that we donate to the larger community as well!

Prometheus software logo.svg

Once you’ve deployed OpenUnison, you want to make sure it stays available and that you have a handle on how much it’s being used.  Since it’s part of your security program, you don’t want to expose metrics data anonymously.  To that end, we added a Prometheus endpoint to OpenUnison and protect it requiring an authorized Kubernetes service account verified using the TokenReview api.  This way you can get detailed usage data from OpenUnison securely.

Finally, we updated our deployment mechanism for Kubernetes moving to Helm 3.0 charts.  We have resisted using Helm in the past due to its dependency on Tiller.  With that dependency gone, we felt the time was right to create charts for easier management and better integration with existing cluster management tools.  If you don’t use Helm for package management, that’s OK too!  Our charts can be used to generate static manifests.  Once deployed, our operator will look for changes in openunison’s configuration and update accordingly.


In this release we’re adding support for provisioning to both AzureAD and Okta.  For Okta, we’re able to provision users and groups via their API just as if using a database or active directory.  We track what attributes are created/changed/deleted and can assign group membership based on business approvals.  We can do the same for AzureAD, with the addition of being able to invite new guests directly from a workflow adding a further layer of automation.  This adds a powerful governance and automation layer to these services opening the door for onboarding, offboarding and access recertification using OpenUnison’s light-weight automation.

IDPInitiated sign-on with Azure AD - The new control plane - Medium

In addition to the new provisioning targets, we also added support for verifying JSON Web Tokens directly via the OAuth2 discovery endpoint specification making it easier to integrate our identity APIs into existing cloud native environments.

Finally, we added support for DUO authentication as an add-on in 1.0.17. We integrated it directly into our source base for 1.0.18 as a first class option for authentication!

Security Results

We’ve talked about how we already make sure to keep our libraries up to date with each release and how we update our containers whenever a dependency with a known CVE is patched.  Starting with 1.0.18 we’ve integrated into our development process with the goal of getting not only our direct dependencies patched, but also the dependencies of dependencies patched.  We were able to do it using both our integration with’s service, but also our extensive testing process we use for each release.  To get to zero known vulnerabilities, we had to override versions of popular libraries needed by the libraries we reference directly.  We couldn’t do that without being confident that doing so wouldn’t break OpenUnison’s functionality.  The combination of knowing which libraries have known issues and the ability to integrate patched versions confidently is pretty amazing for commercial software and we’re proud we’re able to accomplish it!

Bringing it all together

This is one of our biggest feature releases to date!  Take a look at our solutions pages to see how Tremolo Security can help and stay turned for tutorials and blog posts in the coming weeks about how you can use these great features in your project!

Related Posts