This tutorial describes how you can activate authentication on your cluster with SysEleven Login (powered by Keycloak) and how to connect it to an external user management system.
To get access to a SysEleven Login realm, please contact us. We will then provision a realm for you and provide you with admin credentials to configure it.
SysEleven Login allows you to manage users and groups that should have access to SysEleven services as well as your Kubernetes clusters yourself. You can also set up user federation to external identity providers like LDAP, Active Directory or any OpenID Connect provider. For that you are provided with your own realm that only contains your users and settings.
To configure your realm go to the SysEleven Realm Admin Login https://login.syseleven.de/auth/admin/{REALM-NAME}/console and log in with the provided admin credentials.
You can find a detailed documentation on managing users, groups, user federation and identity providers in the official Keycloak documentation.
SysEleven Admin User Login: https://login.syseleven.de/auth/admin/{REALM-NAME}/console
SysEleven User Realm Login: https://login.syseleven.de/auth/realms/{REALM-NAME}/account
SysEleven OpenID Realm Configuration https://login.syseleven.de/auth/realms/{REALM-NAME}/.well-known/openid-configuration
By default it is only possible to authenticate to a cluster with the central admin token. In order to use SysEleven Login via OpenID Connect, you have to go the cluster detail page and activate it in the Auth tab.
In the configuration dialog choose "SysEleven Login" and provide the realm that you want to use for authentication. This is already pre-filled with the realm that you used to log into the MetaKube dashboard, but also can be changed to another realm.
Once you configured cluster authentication with OpenID Connect, you can download a specialized KubeConfig with your OpenID settings from the cluster detail page. If you haven't used this KubeConfig fo a login (see below), you can safely share this with your colleagues since it does not contain any sensitive, personalized information yet and without logging in, you can not authenticate at the cluster.
Once you downloaded the OpenID KubeConfig, you can use it to log into your cluster. The easiest way to do this is with kubelogin.
Follow the installation instructions and then run either
kubeloginor
kubectl oidc-loginThis will open a browser window where you can login and then write an OpenID access and refresh token into your KubeConfig. The access token will be refreshed automatically by kubectl as long as the refresh token is still valid.
When you authenticate at a cluster with OpenID Connect, you don't have any permissions for any operations in the cluster by default.
In order to give a user or a group of users permissions in the cluster, you have to authenticate with the central admin token and then add either a ClusterRoleBinding or a namespace bound RoleBinding that maps the user or group to a ClusterRole or Role which specifies the permission the user or group should have.
The easiest way to give permissions to a user or group is to use the builtin RBAC support in the MetaKube dashboard. In the authorization tab of the cluster detail page, you can grant view, edit or admin permissions to individual users. You can grant these permissions for the whole cluster or limit it to a single namespace. In the background these are translated to ClusterRoleBindings and RoleBindings.
For the e-mail address or group name you have to use the same information which is stored in SysEleven Login.
If the default roles are not enough for your use case and you need more fine-grained control, you can manage the ClusterRoleBindings and RoleBindings manually. Remember, you need to use the same e-mail addresses or group name as in SysEleven Login here as well. Using the simple web interface and manually managed roles at the same time is also possible.
The following ClusterRoleBinding example would map the cluster-admin ClusterRole to a specific user and all users in the SysEleven Login Group "kubernetes". The cluster-admin ClusterRole allows to perform all operations on all resources in the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oidc-cluster-admins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: kubernetes
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user@xample.comKubernetes already provides some predefined ClusterRoles:
You can of course also create your own ClusterRoles or Roles. For more information see Using RBAC Authorization. If you manage a lot of roles manually, rbac-manager can make it easier.