Liberty Bell implements a Kubernetes Webhook Token Authenticator for authenticating users using GitHub or Gitlab Personal Access Tokens. Authenticator also configures groups of authenticated user appropriately. This allows cluster administrator to setup RBAC rules based on membership in groups.
You can deploy the liberty-bell using the example DaemonSet manifest. It is recommended to run the authenticator on your Kubernetes master using host networking so that the apiserver can access the authenticator through the loopback interface.
kubectl create -f https://raw.githubusercontent.com/jakolehm/liberty-bell/master/manifests/daemonset.yaml
Next, you need to configure Kubernetese apiserver to verify bearer token using liberty-bell.
See Kubernetes documentation how to pass configuration for apiserver.
If you are using Kontena Pharos, configuration can be passed via cluster.yml
---
kind: Config
apiVersion: v1
clusters:
- name: liberty-bell
cluster:
server: http://localhost:9393/github
users:
- name: kube-apiserver
user: {}
contexts:
- name: webhook
context:
cluster: liberty-bell
user: kube-apiserver
current-context: webhookKubernetes groups are constructed as <organization>/<team>. For example if Github user belongs to testers team at acme organization then group name would be acme/testers in Kubernetes.
---
kind: Config
apiVersion: v1
clusters:
- name: liberty-bell
cluster:
server: http://localhost:9393/gitlab
users:
- name: kube-apiserver
user: {}
contexts:
- name: webhook
context:
cluster: liberty-bell
user: kube-apiserver
current-context: webhookKubernetes groups are constructed as <group>/<subgroup>.
kubectl create namespace project1
kubectl create rolebinding johndoe-admin-binding --clusterrole=clusteradmin --user=johndoe --namespace=project1
kubectl create namespace project1
kubectl create rolebinding testers-admin-binding --clusterrole=clusteradmin --group=acme/testers --namespace=project1
Bug reports and pull requests are welcome on GitHub at https://github.com/jakolehm/liberty-bell