Kommander comes with a pre-configured authentication Dex identity broker and provider.
The Kommander dashboard admin credentials are stored as a secret. They never leave the boundary of the Kommander cluster and are never shared to any other cluster.
The Dex service issues an OIDC ID token on successful user authentication. Other platform services use the ID token as an authentication proof. User identity to the Kubernetes API server is provided by the
kube-oidc-proxy platform service that reads the identity from an ID token. Web requests to Kommander dashboard access are authenticated by the traefik forward auth platform service.
A user identity is shared across a Kommander cluster and all other attached clusters.
Kommander attached clusters
A newly attached cluster has federated
traefik-forward-auth platform services. These platform services are configured to accept Kommander cluster Dex issued ID tokens.
traefik-forward-auth is used as a Traefik Ingress authenticator, it checks if the user identity was issued by the Kommander cluster Dex service. An anonymous user is redirected to the Kommander cluster Dex service to authenticate and confirm their identity.
Never enter your own credentials on any of the attached clusters. On the Kommander cluster use the static admin credentials or an external identity provider (IDP).
There is no centralized authorization component in Kommander. Each component and service makes its own authorization decisions based on user identity.