Hi,

As of now, it seems LDAP integration of Kubernetes with IS has two basic approaches.

First approach is to directly integrate LDAP with Kubernetes. It requires the authentication and authorization process to go through an LDAP connector. Although Kismatic has an LDAP/AD integration, it does not seem to be a complete implementation. [1]

Alternatively, we can do user provisioning through a client. The client can retrieve users from LDAP server and create contexts per user in K8s. A context includes a namespace that is specific to a user group, a user and the cluster that the user needs to access. Users can be given access to the context with tokens / username password credentials or through authorizing certificates. This configuration can be done via kube config file. [2] But this approach replicates user data in K8s.

Suggestions are highly appreciated.

[1]. https://github.com/kismatic/kubernetes-ldap
[2]. http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html

On Tue, Feb 9, 2016 at 11:40 AM, Nishadi Kirielle <[email protected]> wrote:

> @Imesh : This configuration has to be done in kube api server. It provides
> options to set the authorization mode in 'always allow', 'always deny' or
> 'ABAC' modes. In using ABAC mode, it provides an option
> --authorization-policy-file
> to set the user configured authorization policy. [1]
>
> kube-apiserver --authorization-mode=""
> kube-apiserver --authorization-policy-file=""
>
> @Chamila:
> +1 for OpenLDAP.
>
> [1].
> https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl
>
> On Tue, Feb 9, 2016 at 7:00 AM, Chamila De Alwis <[email protected]>
> wrote:
>
>> Hi Nishadi,
>>
>> On Mon, Feb 8, 2016 at 11:11 PM, Nishadi Kirielle <[email protected]>
>> wrote:
>>
>>> My initial plan is to connect an LDAP implementation like OpenDS or
>>> ApacheDS with Kubernetes.
>>
>> Is OpenLDAP[1] not an option? It has a long track record and is the case
>> when most user scenarios are considered.
>>
>> [1] - http://www.openldap.org/
>>
>> Regards,
>> Chamila de Alwis
>> Committer and PMC Member - Apache Stratos
>> Software Engineer | WSO2 | +94772207163
>> Blog: code.chamiladealwis.com
>
> --
> *Nishadi Kirielle*
> *Software Engineering Intern*
> Mobile : +94 (0) 714722148
> Blog : http://nishadikirielle.blogspot.com/
> [email protected]

--
*Nishadi Kirielle*
*Software Engineering Intern*
Mobile : +94 (0) 714722148
Blog : http://nishadikirielle.blogspot.com/
[email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
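
An added sketch of the client-side provisioning approach described in the message above (not code from the thread, WSO2, or Kubernetes): it maps LDAP groups to namespaces, builds per-user kubeconfig context entries and ABAC policy lines, and reports users who remain authorized in an existing policy file after leaving LDAP, which is the practical risk of replicating user data. The group data, cluster name, existing policy text and function names are constructed for illustration, and the flat `user`/`namespace`/`readonly`/`resource` policy keys are assumed to match the linked example policy file of that era.

```python
import json

# Constructed sample: LDAP group cn -> member uids. A real client would
# obtain this from a directory search.
LDAP_GROUPS = {"dev": ["alice", "bob"], "qa": ["carol"]}

# Constructed sample of a policy file already on the API server; "dave"
# has since been removed from LDAP, "kubelet" is a non-LDAP system identity.
EXISTING_POLICY = """\
{"user": "alice", "namespace": "dev"}
{"user": "dave", "namespace": "dev"}
{"user": "kubelet", "readonly": true, "resource": "pods"}
"""


def desired_state(groups, cluster="example-cluster"):
    """Map each LDAP group to a namespace and build, per member, a
    kubeconfig context entry and an ABAC policy line for that namespace."""
    contexts, policies = [], []
    for group in sorted(groups):
        for uid in sorted(groups[group]):
            contexts.append({
                "name": f"{uid}-{group}",
                "context": {"cluster": cluster, "namespace": group, "user": uid},
            })
            policies.append({"user": uid, "namespace": group})
    return contexts, policies


def render_policy(policies):
    """Serialize policy objects as one JSON object per line (JSONL)."""
    return "\n".join(json.dumps(p, sort_keys=True) for p in policies)


def stale_users(policy_text, groups, system_users=("kubelet",)):
    """Users still authorized in the policy file but no longer in LDAP."""
    live = {uid for members in groups.values() for uid in members}
    seen = set()
    for line in policy_text.splitlines():
        if line.strip():
            user = json.loads(line).get("user")
            if user:
                seen.add(user)
    return sorted(seen - live - set(system_users))


if __name__ == "__main__":
    contexts, policies = desired_state(LDAP_GROUPS)
    print(json.dumps({"contexts": contexts}, indent=2))
    print(render_policy(policies))
    print("revoke:", stale_users(EXISTING_POLICY, LDAP_GROUPS))
```

Running the sync on a schedule and acting on the `stale_users` result is what keeps the replicated copy from outliving the directory entry it came from.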
