GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → gyselroth → kube-ldap

gyselroth / kube-ldap

Licence: MIT License
A Webhook Token Authentication plugin for kubernetes to use LDAP as authentication source

Programming Languages

javascript
184084 projects - #8 most used programming language
Dockerfile
14818 projects

Labels

kubernetesldapwebhookkubernetes-clusterldap-authenticationkubernetes-authentication

Projects that are alternatives of or similar to kube-ldap

kube-watch
Simple tool to get webhooks on Kubernetes cluster events
Stars: ✭ 21 (-27.59%)
Mutual labels:  webhook, kubernetes-cluster
cassandra-ldap
LDAP Authenticator for Apache Cassandra
Stars: ✭ 20 (-31.03%)
Mutual labels:  ldap, ldap-authentication
django-windowsauth
Easy integration and deployment of Django projects into Windows Environments
Stars: ✭ 23 (-20.69%)
Mutual labels:  ldap, ldap-authentication
vmam
VLAN Mac-address Authentication Manager
Stars: ✭ 19 (-34.48%)
Mutual labels:  ldap, ldap-authentication
existing-ldap-docker-registry
This is a docker application to run Docker Registry behind an Ngnix in order to obtain an authentication method using a company Active Directory.
Stars: ✭ 29 (+0%)
Mutual labels:  ldap, ldap-authentication
paddle
A library simplifying LDAP usage in Elixir projects
Stars: ✭ 46 (+58.62%)
Mutual labels:  ldap, ldap-authentication
authentication
A framework agnostic authentication library based on PSR standards
Stars: ✭ 19 (-34.48%)
Mutual labels:  ldap, ldap-authentication
iris
Watch on Kubernetes events, filter and send them as standard wehbook to any system
Stars: ✭ 57 (+96.55%)
Mutual labels:  webhook, kubernetes-cluster
rabbitmq-vshovel
RabbitMQ vShovel plugin
Stars: ✭ 26 (-10.34%)
Mutual labels:  webhook
OpenAM
OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
Stars: ✭ 476 (+1541.38%)
Mutual labels:  ldap
reference-infrastructure-fabric
Production-quality Kubernetes on AWS: the reference infrastructure fabric for building a modern microservices web app.
Stars: ✭ 44 (+51.72%)
Mutual labels:  kubernetes-cluster
lagom-on-kube
This tutorial describes how to bootstrap a production-ready Lagom microservices cluster in a Kubernetes environment.
Stars: ✭ 58 (+100%)
Mutual labels:  kubernetes-cluster
kubeseal-webgui
This is a python based webapp for using Bitnami-Sealed-Secrets in a web-ui.
Stars: ✭ 27 (-6.9%)
Mutual labels:  kubernetes-cluster
SlackWebhooksGithubCrawler
Search for Slack Webhooks token publicly exposed on Github
Stars: ✭ 21 (-27.59%)
Mutual labels:  webhook
werther
An Identity Provider for ORY Hydra over LDAP
Stars: ✭ 103 (+255.17%)
Mutual labels:  ldap
k8s-lemp
LEMP stack in a Kubernetes cluster
Stars: ✭ 74 (+155.17%)
Mutual labels:  kubernetes-cluster
better-discord-notifications
Scripts that send better sonarr/radarr notifications to discord
Stars: ✭ 13 (-55.17%)
Mutual labels:  webhook
quarantine-bot
WhatsApp bot powered by Twilio API to get through the quarantine. Latest COVID19 statistics, world news, inspirational quotes and cat photos.
Stars: ✭ 24 (-17.24%)
Mutual labels:  webhook
gogs-bash
Bash Script for Interacting with the GOGS API
Stars: ✭ 31 (+6.9%)
Mutual labels:  webhook
admission-webhook-example-with-openfaas
Use OpenFaaS functions as Kubernetes Validating Admission Webhook
Stars: ✭ 24 (-17.24%)
Mutual labels:  kubernetes-cluster
View All Similar Projects ➔

kube-ldap

Build Status Coverage Status License: MIT

A Webhook Token Authentication plugin for kubernetes, written in javascript, to use LDAP as authentication source.

Description

The kube-ldap webhook token authentication plugin can be used to integrate username/password authentication via LDAP for your kubernetes cluster. It exposes two API endpoints:

  • /auth
    • HTTP basic authenticated requests to this endpoint result in a JSON Web Token, signed by the webhook, including the username and uid of the authenticated user.
    • The issued token can be used for authenticating to kubernetes.
  • /token
    • Is called by kubernetes (see TokenReview) to verify the token used for authentication.
    • Verifies the integrity of the JWT (using the signature) and returns a TokenReview response containing the username, uid, group memberships and extra attributes (if configured) of the authenticated user.

Deployment

The recommended way to deploy kube-ldap is deplyoing kube-ldap in kubernetes itself using the gyselroth/kube-ldap docker image.

Example YAML for kubernetes (secrets, deployment including tls termination and service):

apiVersion: v1
data:
  key: #base64 encoded jwt key (see "Configuration" in README)
kind: Secret
metadata:
  name: kube-ldap-jwt-key
  namespace: kube-system
type: Opaque
---
apiVersion: v1
data:
  binddn: #base64 encoded bind dn (see "Configuration" in README)
  bindpw: #base64 encoded bind password (see "Configuration" in README)
kind: Secret
metadata:
  name: kube-ldap-ldap-bind-credentials
  namespace: kube-system
type: Opaque
---
apiVersion: v1
data:
  cert.pem: #base64 encoded certificate (pem)
  key.pem: #base64 encoded private key (pem)
kind: Secret
metadata:
  name: kube-ldap-tls
  namespace: kube-system
type: Opaque
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  labels:
    k8s-app: kube-ldap
  name: kube-ldap
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kube-ldap
  template:
    metadata:
      labels:
        k8s-app: kube-ldap
    spec:
      volumes:
      - name: kube-ldap-tls
        secret:
          secretName: kube-ldap-tls
      containers:
      - env:
        - name: LDAP_URI
          value: #ldap uri (see "Configuration" in README)
        - name: LDAP_BINDDN
          valueFrom:
            secretKeyRef:
              name: kube-ldap-ldap-bind-credentials
              key: binddn
        - name: LDAP_BINDPW
          valueFrom:
            secretKeyRef:
              name: kube-ldap-ldap-bind-credentials
              key: bindpw
        - name: LDAP_BASEDN
          value: #ldap base dn (see "Configuration" in README)
        - name: LDAP_FILTER
          value: #ldap filter(see "Configuration" in README)
        - name: LOGLEVEL
          value: info
        - name: JWT_KEY
          valueFrom:
            secretKeyRef:
              name: kube-ldap-jwt-key
              key: key
        - name: JWT_TOKEN_LIFETIME
          value: #jwt token lifetime (see "Configuration" in README)
        image: gyselroth/kube-ldap:latest # Better use fixed version tag here since 'latest' can point to new major releases with breaking changes
        volumeMounts:
          - name: kube-ldap-tls
            mountPath: "/etc/ssl/kube-ldap"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
        name: kube-ldap
        ports:
        - containerPort: 8081
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-ldap
  name: kube-ldap
  namespace: kube-system
spec:
  ports:
  - port: 8081
    protocol: TCP
    targetPort: 8081
  selector:
    k8s-app: kube-ldap
  type: ClusterIP

Configuration

kube-ldap

kube-ldap itself can be configured via environment variables.

List of configurable values:

Setting Description Environment Variable Default Value
config.port HTTP port to listen PORT 8081 (8080 if TLS is disabled)
config.loglevel Loglevel for winston logger. CAUTION: debug loglevel may log sensitive parameters like user passwords LOGLEVEL info
config.tls.enabled Enable TLS (HTTPS). DO NOT DISABLE IN PRODUCTION UNLESS YOU HAVE A TLS REVERSE PROXY IN PLACE TLS_ENABLED ("true" or "false") true
config.tls.cert Path to certificate (pem) to use for TLS (HTTPS) TLS_CERT_PATH /etc/ssl/kube-ldap/cert.pem
config.tls.key Path to private key (pem) to use for TLS (HTTPS) TLS_KEY_PATH /etc/ssl/kube-ldap/key.pem
config.tls.ca Optional: Path to ca certificate (pem) to use for TLS (HTTPS) TLS_CA_PATH none
config.ldap.uri URI of LDAP server LDAP_URI ldap://ldap.example.com
config.ldap.binddn DN of LDAP bind user connection LDAP_BINDDN uid=bind,dc=example,dc=com
config.ldap.bindpw Password of LDAP bind user LDAP_BINDPW secret
config.ldap.baseDn Base DN for LDAP search LDAP_BASEDN dc=example,dc=com
config.ldap.filter Filter for LDAP search LDAP_FILTER (uid=%s)
config.ldap.timeout Timeout for LDAP connections & operations (in seconds) LDAP_TIMEOUT 0 (infinite for operations, OS default for connections)
config.mapping.username Name of ldap attribute to be used as username in kubernetes TokenReview MAPPING_USERNAME uid
config.mapping.uid Name of ldap attribute to be used as uid in kubernetes TokenReview MAPPING_UID uid
config.mapping.groups Name of ldap attribute to be used for groups in kubernetes TokenReview MAPPING_GROUPS memberOf
config.mapping.extraFields Comma separated list of additional ldap attributes to be used for extra in kubernetes TokenReview MAPPING_EXTRAFIELDS []
config.mapping.username Name of Ldap attribute to be used as username in kubernetes TokenReview MAPPING_USERNAME uid
config.jwt.key Key for signing the JWT. DO NOT USE THE DEFAULT VALUE IN PRODUCTION JWT_KEY secret
config.jwt.tokenLifetime Seconds until token a expires JWT_TOKEN_LIFETIME 28800
config.prometheus.username Username for prometheus exporter basic auth (use empty string to disable basic auth) PROMETHEUS_USERNAME prometheus
config.prometheus.password Password for prometheus exporter basic auth (use empty string to disable basic auth) PROMETHEUS_PASSWORD secret
config.prometheus.nodejsProbeInterval Probe interval for nodejs metrics in milliseconds PROMETHEUS_NODEJS_PROBE_INTERVAL 10000

kubernetes

Configure your kubernetes apiserver to use the kube-ldap webhook for authentication using the following configuration file.

# clusters refers to the remote service.
clusters:
  - name: kube-ldap
    cluster:
      server: https://your-kube-ldap-url/token

# users refers to the API server's webhook configuration.
users:
  - name: apiserver

# kubeconfig files require a context. Provide one for the API server.
current-context: webhook
contexts:
- context:
    cluster: kube-ldap
    user: apiserver
  name: webhook

kubectl

You can either use kube-ldap-client-go-exec-plugin, a kubectl plugin (client-go credential plugin) doing the authentication for you, or you can do it manually.

To configure kubectl for manual authentication initially:

TOKEN=$(curl https://your-kube-ldap-url/auth -u your-username)
kubectl config set-cluster your-cluster --server=https://your-apiserver-url [...]
kubectl config set-credentials your-cluster-ldap --token="$TOKEN"
kubectl config set-context your-cluster --cluster=your-cluster --user=your-cluster-ldap

To refresh your token after expiration:

TOKEN=$(curl https://your-kube-ldap-url/auth -u your-username)
kubectl config set-credentials your-cluster-ldap --token="$TOKEN"

Development

Requirements

  • nodejs
  • yarn

Development Server

During development an auto-reloading development server (using babel watch) can be used.

Remember to set the environment variables required to configure kube-ldap. E.g.:

LDAP_URI=ldap://ldap.example.local TLS_ENABLED=false yarn start

Test

To run automated tests using jest you can use yarn:

yarn test

Build

kube-ldap can be built via yarn, to get native nodejs code, or via docker (which uses yarn), to get a docker image.

Either way the build process lints the code (including flow type annotations) before building. When building via docker the process also includes running the automated tests. If any of these steps fail, the build will fail too.

yarn

When using yarn, it places the build output in ./build/ directory.

yarn build

docker

When using docker, the ./Dockerfile is used to build an image.

docker -t kube-ldap build .
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].