Hi Nishadi,

On Tue, Feb 16, 2016 at 12:10 PM, Nishadi Kirielle <[email protected]> wrote:

> Hi,
>
> As of now, it seems LDAP integration of Kubernetes with IS has two basic approaches.
>
> The first approach is to directly integrate LDAP with Kubernetes. It requires the authentication and authorization process to go through an LDAP connector. Although Kismatic has an LDAP/AD integration, it does not seem to be a complete implementation. [1]
>

IMO this is the best approach. Why do you say Kismatic K8S LDAP integration is not complete?

> Alternatively, we can do user provisioning through a client. The client can retrieve users from the LDAP server and create contexts per user in K8s. A context includes a namespace that is specific to a user group, a user and the cluster that the user needs to access. Users can be given access to the context with tokens / username-password credentials or through authorizing certificates. This configuration can be done via the kube config file. [2] But this approach replicates user data in K8s.
>

It would be difficult to manage if we replicate user data in two different systems.

Thanks

> Suggestions are highly appreciated.
>
> [1]. https://github.com/kismatic/kubernetes-ldap
> [2]. http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html
>
> On Tue, Feb 9, 2016 at 11:40 AM, Nishadi Kirielle <[email protected]> wrote:
>
>> @Imesh : This configuration has to be done in the kube api server. It provides options to set the authorization mode to 'always allow', 'always deny' or 'ABAC'. When using ABAC mode, it provides an option --authorization-policy-file to set the user-configured authorization policy. [1]
>>
>> kube-apiserver --authorization-mode=""
>> kube-apiserver --authorization-policy-file=""
>>
>> @Chamila:
>> +1 for OpenLDAP.
>>
>> [1]. https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl
>>
>> On Tue, Feb 9, 2016 at 7:00 AM, Chamila De Alwis <[email protected]> wrote:
>>
>>> Hi Nishadi,
>>>
>>> On Mon, Feb 8, 2016 at 11:11 PM, Nishadi Kirielle <[email protected]> wrote:
>>>
>>>> My initial plan is to connect an LDAP implementation like OpenDS or ApacheDS with Kubernetes.
>>>>
>>>
>>> Is OpenLDAP[1] not an option? It has a long track record and is the case when most user scenarios are considered.
>>>
>>> [1] - http://www.openldap.org/
>>>
>>> Regards,
>>> Chamila de Alwis
>>> Committer and PMC Member - Apache Stratos
>>> Software Engineer | WSO2 | +94772207163
>>> Blog: code.chamiladealwis.com
>>
>> --
>> *Nishadi Kirielle*
>> *Software Engineering Intern*
>> Mobile : +94 (0) 714722148
>> Blog : http://nishadikirielle.blogspot.com/
>> [email protected]
>
> --
> *Nishadi Kirielle*
> *Software Engineering Intern*
> Mobile : +94 (0) 714722148
> Blog : http://nishadikirielle.blogspot.com/
> [email protected]

--
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345
M: +94 77 374 2057
W: http://imesh.gunaratne.org
Lean . Enterprise . Middleware
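The ABAC policy file Nishadi points at in the quoted message, worked through as an added example (not code from the thread, from WSO2 or from Kubernetes itself): a small evaluator that decides whether a request is allowed by a set of v1beta1 policy lines. Policy lines keyed on groups rather than individual users let the authenticator (an LDAP-backed one, in this discussion) supply membership, so no per-user data has to be copied into K8s, which is the replication concern raised above. The sample policy lines are constructed, and the matching rules (every field a line sets must match, "*" is a wildcard, readonly lines only permit get/list/watch) are my reading of the v1beta1 semantics and should be checked against the version deployed.

```python
"""Evaluate Kubernetes ABAC policy lines (the --authorization-policy-file) against a request.
Added example, not from the mailing-list thread. Assumes the v1beta1 Policy jsonl format and
its rules: every field a line sets must match, "*" is a wildcard, readonly => get/list/watch."""
import json

# Constructed sample policy file. Lines keyed on group rather than user let an
# LDAP-backed authenticator supply membership, so no per-user data is copied in.
POLICY_JSONL = """
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "dev-team", "namespace": "dev", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "namespace": "*", "resource": "pods", "apiGroup": "", "readonly": true}}
"""
READ_VERBS = {"get", "list", "watch"}

def load_policies(jsonl):
    """Parse jsonl text into policy spec dicts, skipping blank and comment lines."""
    return [json.loads(line)["spec"] for line in jsonl.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def _wild(policy_value, request_value):
    return policy_value == "*" or policy_value == request_value

def subject_matches(spec, user, groups):
    """A line must name a user and/or a group; each one it names must match."""
    matched = False
    if spec.get("user"):
        if not _wild(spec["user"], user):
            return False
        matched = True
    if spec.get("group"):
        if spec["group"] != "*" and spec["group"] not in groups:
            return False
        matched = True
    return matched

def policy_matches(spec, user, groups, namespace, resource, api_group, verb):
    if not subject_matches(spec, user, groups):
        return False
    if spec.get("readonly", False) and verb not in READ_VERBS:
        return False
    # Unset namespace/resource/apiGroup default to "" (cluster scope, core API group).
    return (_wild(spec.get("namespace", ""), namespace)
            and _wild(spec.get("resource", ""), resource)
            and _wild(spec.get("apiGroup", ""), api_group))

def authorize(policies, user, groups, namespace, resource, api_group, verb):
    """The request is allowed if any policy line matches all of its attributes."""
    return any(policy_matches(p, user, groups, namespace, resource, api_group, verb)
               for p in policies)
```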
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
