Skip to content

A kubernetes controller enabling OIDC authentication and RBAC authorisation proxies to target workloads.

License

Notifications You must be signed in to change notification settings

gardener/oidc-apps-controller

Repository files navigation

oidc-apps-controller

REUSE status CI Build status Go Report Card License: Apache-2.0 Release Go Reference

Usage

This controller enhances target deployments and statefulsets with side-cars containers for performing oidc authentications and k8s rbac authorization for incoming http requests.

Usually applications such asprometheus do not offer any security mechanisms and delegate such responsibilities to cluster owners. This controller aims at providing a solution for bringing authentication (oauth2-proxy) and authorization (kube-rbac-proxy) layers in front of the targeted workloads, simplifying required configurations in a consistent way.

Targets for enhancement are identified by using labels and/or namespaces selectors. For example

# OIDC Apps Extension Configuration for a k8s cluster
configuration:
  oidcProviderConfig:
    scope: "openid"  # The default OIDC scope.
    clientId: "nginx"  # Client identifier in the oidc provider configuration.
    oidcIssuerUrl: "https://oidc.provider.com"  # OIDC issuer
  domainName: "company.org" # Cluster wide domain, shared by all enhanced targets

# All deployments in the cluster with app=nginx label are enhanced by the oidc-app-controller
targets:
  - name: nginx
    labelSelector: # matching labels for the deployments
      matchLabels:
        app: nginx
    targetPort: http # upstream port of the targeted container
    targetProtocol: http # upstream protocol
    ingress:
      create: true
      tlsSecretRef:
        name: "ingress-wildcard-tls"

image

External dependencies:

Feedback and Support

Feedback and contributions are always welcome. Please report bugs or suggestions as GitHub issues or join our Slack channel #gardener (please invite yourself to the Kubernetes workspace here).

Learn more

Please find further resources about out project here:

About

A kubernetes controller enabling OIDC authentication and RBAC authorisation proxies to target workloads.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published