Liberty Bell - Kubernetes Token Authenticator
Liberty Bell implements a Kubernetes Webhook Token Authenticator that authenticates users with GitHub or Gitlab Personal Access Tokens. The authenticator also populates the groups of the authenticated user, which lets a cluster administrator set up RBAC rules based on group membership.
Usage
You can deploy liberty-bell using the example DaemonSet manifest. It is recommended to run the authenticator on your Kubernetes master using host networking, so that the apiserver reaches the authenticator over the loopback interface (the webhook URL below is plain http on localhost, so it should not be exposed on any other interface).
kubectl create -f https://raw.githubusercontent.com/jakolehm/liberty-bell/master/manifests/daemonset.yaml
Next, configure the Kubernetes apiserver to verify bearer tokens using liberty-bell.
See the Kubernetes documentation on how to pass the webhook configuration to the apiserver.
If you are using Kontena Pharos, the configuration can be passed via cluster.yml.
Github Configuration
---
kind: Config
apiVersion: v1
clusters:
- name: liberty-bell
  cluster:
    server: http://localhost:9393/github
users:
- name: kube-apiserver
  user: {}
contexts:
- name: webhook
  context:
    cluster: liberty-bell
    user: kube-apiserver
current-context: webhook
Group Mapping
Kubernetes groups are constructed as <organization>/<team>. For example, if a Github user belongs to the testers team of the acme organization, the group name in Kubernetes is acme/testers.
Gitlab Configuration
---
kind: Config
apiVersion: v1
clusters:
- name: liberty-bell
  cluster:
    server: http://localhost:9393/gitlab
users:
- name: kube-apiserver
  user: {}
contexts:
- name: webhook
  context:
    cluster: liberty-bell
    user: kube-apiserver
current-context: webhook
Group Mapping
Kubernetes groups are constructed as <group>/<subgroup>.
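The TokenReview exchange that the webhook kubeconfigs above wire up, as an added Python example (not liberty-bell's own code): the apiserver POSTs a TokenReview whose spec.token is the user's personal access token, and the webhook answers with status.authenticated plus the username and the <organization>/<team> (or <group>/<subgroup>) group names. The provider lookup, tokens and users are constructed stand-ins for the GitHub/Gitlab API call.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the provider lookup: token -> (login, [(org, team), ...]).
# A real authenticator sends the bearer token to the GitHub/Gitlab API; nothing here is real.
FAKE_DIRECTORY = {
    "ghp_constructed_token_1": ("johndoe", [("acme", "testers"), ("acme", "ops")]),
    "ghp_constructed_token_2": ("janedoe", []),
}

def fake_lookup(token):
    return FAKE_DIRECTORY.get(token)

def group_name(org, team):
    """Liberty Bell's mapping: <organization>/<team> (Gitlab: <group>/<subgroup>)."""
    return f"{org}/{team}"

def review_token(request, lookup=fake_lookup):
    """Answer one TokenReview the way the apiserver expects from a webhook."""
    # Echo the request's apiVersion so the response decodes under the version the apiserver uses.
    response = {"apiVersion": request.get("apiVersion", "authentication.k8s.io/v1"),
                "kind": "TokenReview", "status": {"authenticated": False}}
    token = (request.get("spec") or {}).get("token")
    if not isinstance(token, str) or not token:
        response["status"]["error"] = "no token in spec"
        return response
    found = lookup(token)
    if found is None:
        # Do not echo the token back or log it: it is the user's long-lived credential.
        response["status"]["error"] = "token not recognised"
        return response
    login, memberships = found
    response["status"] = {"authenticated": True, "user": {
        "username": login, "groups": [group_name(o, t) for o, t in memberships]}}
    return response

# What the apiserver POSTs to http://localhost:9393/github (constructed sample).
SAMPLE_REQUEST = {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
                  "spec": {"token": "ghp_constructed_token_1"}}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(review_token(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9393), Handler).serve_forever()
```

Running the block starts a loopback-only server on the port the kubeconfigs point at; the apiserver then grants or denies each request based on the username and groups returned, which is what the RBAC bindings below key on.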
Using with RBAC
Grant permissions for a user (the RoleBinding scopes the built-in cluster-admin ClusterRole to the namespace)
kubectl create namespace project1
kubectl create rolebinding johndoe-admin-binding --clusterrole=cluster-admin --user=johndoe --namespace=project1
Grant permissions for a group (the group name follows the <organization>/<team> mapping above)
kubectl create namespace project1
kubectl create rolebinding testers-admin-binding --clusterrole=cluster-admin --group=acme/testers --namespace=project1
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/jakolehm/liberty-bell.