As Konvoy is based on Kubernetes, it uses Kubernetes security mechanisms. This includes role-based access control (RBAC) for determining which resources a user can access. An OpenID Connect interface identifies users for use in RBAC. This supports login using various connectors, including GitHub, Google, and LDAP.
The cluster operator initially accesses Konvoy using the username and password provided after running
konvoy up or, for a running cluster,
konvoy get ops-portal. To use these credentials, select
This same username and password provides access to the Ops Portal, including various dashboards for management of the cluster. Only these credentials provide access to the Ops Portal.
kubectl to access the Kubernetes cluster:
- Generate a token from the web landing page, by selecting
Generate Kubectl Token.
- Select an identity provider and cluster.
- Many of the backends provide single-sign on (SSO), so you may already be signed in. Otherwise, you will be redirected to your identity provider’s web page to log in.
- After you have logged in, a page will show the commands required to configure
kubectlto access the Konvoy cluster.
- When the token expires, you must repeat the above process to obtain a fresh token.
- When refreshing a token, only the
kubectl config set-credentialscommand needs to be executed with the new token.
Add login connectors
Konvoy uses Dex to provide OpenID Connect single sign-on to the cluster.
Dex can be configured to use multiple connectors, including GitHub, LDAP, and SAML 2.0.
The Dex Connector documentation describes how to configure different connectors.
The configuration can be added as the
values field in the
Examples of tested configurations are described in the [External Providers] section.
When accessing the dashboard at
/ops/portal/kubernetes, the authenticated user’s username and groups are impersonated for all requests. Impersonation applies existing RBAC policies which govern access to the API server (
kubectl) to the dashboard. The operator user has the
cluster-admin role and has full access to all resources exposed by the Kubernetes dashboard. Users which are authenticated by external identity providers have no privileges. External users must be bound to
ClusterRoles by their username or by any groups which they are members of. More information about Kubernetes RBAC can be found in the Kubernetes Documentation.
Addon application security notices
Note: This security notice only applies to Konvoy versions 1.5 and below. In Konvoy 1.6, Helm v2 was removed in favor of Helm v3, which fixed security issues.
Konvoy clusters manage addon applications through a tool called Kubeaddons. Kubeaddons is implemented using Kubernetes CRDs and Controllers.
Kubeaddons use drivers to deploy and manage addons thrugh the controller. The default currently is Helm v2. The server component of Helm v2 is Tiller which architecturally introduces security problems on the clusters its installed.
Helm v2 remains a supported driver. Helm v3 takes over these responsibilities in Konvoy 1.6 or above. Kubeaddons inherits the Helm v2 security issues present in any Tiller installation on the cluster. Take great care with RBAC permissions for users and service accounts on Konvoy clusters. Operators should not provide RBAC permissions to create or manage Addon or ClusterAddon resources as these permissions provide that user with cluster-admin privileges.
Introduction to RBAC
Learn the basics of RBAC…Read More
Access a Konvoy cluster
Access your Konvoy cluster using the operations portal, command line interface, or kubectl…Read More
Install the Credentials Plugin
Install and configure the Konvoy Credentials Plugin.…Read More
Granting Access to Kubernetes and Konvoy Resources
Grant access to Konvoy Ops Portal and Kubernetes resources using RBAC…Read More
OpenID Connect (OIDC) Introduction
An introduction to OpenID Connect (OIDC) Authentication in Kubernetes…Read More
Setting up local users
Manage local users to access your konvoy cluster…Read More
Dex Controller API Reference
Dex Controller API Reference…Read More
External LDAP directory
Connect your Konvoy cluster to an external LDAP directory…Read More
GitHub OAuth App
Connect your Konvoy cluster to a GitHub OAuth App…Read More
Connect to Google Accounts
Connect your Konvoy cluster to Google Accounts…Read More
Connect your Konvoy cluster to an Idp using SAML…Read More
Setup RBAC with Konvoy based Kubernetes clusters
Use RBAC to configure your Konvoy clusters…Read More
Setting up Let's Encrypt certificate
Setting up Let's Encrypt certificate for the cluster ingress…Read More