Authentication and authorization architecture

Authentication

Kommander is part of a Konvoy cluster installation. Konvoy comes with a pre-configured authentication Dex identity broker and provider.

IMPORTANT: Kubernetes, Konvoy, and Dex do not store any user identities. The Konvoy installation comes with default admin static credentials. These credentials should only be used to access the operations portal for configuring an external identity provider. No way currently exists to update these credentials so they should be treated as backup credentials and not used for normal access. Always login with your own identity from an external identity provider. These provide additional security features like multi-factor authentication. For more information see the Konvoy security documentation.

The operational portal admin credentials are stored as a secret. They never leave the boundary of the Kommander cluster and are never shared to any other cluster.

The Dex service issues an OIDC ID token on successful user authentication. Other Konvoy components use the ID token as an authentication proof. User identity to the Kubernetes API server is provided by the kube-oidc-proxy platform service that reads the identity from an ID token. Web requests to operations portal access are authenticated by the traefik-forward-auth platform service.

A user identity is shared across a Kommander cluster and all other provisioned clusters.

Kommander provisioned clusters

A newly provisioned cluster gets federated kube-oidc-proxy, dex-k8s-authenticator, and traefik-forward-auth platform services. These platform services are configured to accept Kommander cluster Dex issued ID tokens.

When the traefik-forward-auth is used as a Traefik ingress authenticator, it checks if the user identity was issued by the Kommander cluster Dex service. An anonymous user is redirected to the Kommander cluster Dex service to authenticate and confirm their identity.

Never enter your own credentials on any of the provisioned clusters. On the Kommander cluster use the static admin credentials or an external identity provider.

Authorization

There is no centralized authorization component in Kommander. Each component and service makes its own authorization decisions based on user identity.

Kommander provides an interface to federate authorization RBAC rules across multiple clusters.

• The Kubernetes API server is using RBAC Authorization.

• traefik-forward-auth applies RBAC rules to authorize access based on an HTTP request. The default Kommander workspace comes with preconfigured Roles for accessing different operational portal services with View, Edit, or Admin permissions.