Hi,

Had an offline chat with Nishadi on this.

On Tue, Feb 16, 2016 at 1:55 PM, Imesh Gunaratne <[email protected]> wrote:

> Hi Nishadi,
>
> On Tue, Feb 16, 2016 at 12:10 PM, Nishadi Kirielle <[email protected]> wrote:
>
>> Hi,
>>
>> As of now, it seems LDAP integration of Kubernetes with IS has two basic approaches.
>>
>> First approach is to directly integrate LDAP with Kubernetes. It requires the authentication and authorization process to go through an LDAP connector. Although Kismatic has an LDAP/AD integration, it does not seem to be a complete implementation. [1]
>>
> IMO this is the best approach. Why do you say Kismatic K8S LDAP integration is not complete?
>

As pointed out by Nishadi, [1] seems to be the relevant github repository, but it has not been updated since mid 2015. However, Kismatic has announced that they actually support AD/LDAP integration with K8s [3].

>> Alternatively, we can do user provisioning through a client. The client can retrieve users from LDAP server and create contexts per user in K8s. A context includes a namespace that is specific to a user group, a user and the cluster that the user needs to access. Users can be given access to the context with tokens / username password credentials or through authorizing certificates. This configuration can be done via kube config file. [2] But this approach replicates user data in K8s.
>>
>
> It would be difficult to manage if we replicate user data in two different systems.
>

Agree that first approach is the best way, but inbound user provisioning is also a standard way of managing users AFAIK. We can discuss this more with Identity & Security experts.

> Thanks

[3]. https://kismatic.com/product/production-plugins/

>> Suggestions are highly appreciated.
>>
>> [1]. https://github.com/kismatic/kubernetes-ldap
>> [2]. http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html
>>
>> On Tue, Feb 9, 2016 at 11:40 AM, Nishadi Kirielle <[email protected]> wrote:
>>
>>> @Imesh : This configuration has to be done in kube api server. It provides options to set the authorization mode in 'always allow', 'always deny' or 'ABAC' modes. In using ABAC mode, it provides an option --authorization-policy-file to set the user configured authorization policy. [1]
>>>
>>> kube-apiserver --authorization-mode=""
>>> kube-apiserver --authorization-policy-file=""
>>>
>>> @Chamila:
>>> +1 for OpenLDAP.
>>>
>>> [1]. https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl
>>>
>>> On Tue, Feb 9, 2016 at 7:00 AM, Chamila De Alwis <[email protected]> wrote:
>>>
>>>> Hi Nishadi,
>>>>
>>>> On Mon, Feb 8, 2016 at 11:11 PM, Nishadi Kirielle <[email protected]> wrote:
>>>>
>>>>> My initial plan is to connect an LDAP implementation like OpenDS or ApacheDS with Kubernetes.
>>>>>
>>>> Is OpenLDAP[1] not an option? It has a long track record and is the case when most user scenarios are considered.
>>>>
>>>> [1] - http://www.openldap.org/
>>>>
>>>> Regards,
>>>> Chamila de Alwis
>>>> Committer and PMC Member - Apache Stratos
>>>> Software Engineer | WSO2 | +94772207163
>>>> Blog: code.chamiladealwis.com
>>>
>>> --
>>> Nishadi Kirielle
>>> Software Engineering Intern
>>> Mobile : +94 (0) 714722148
>>> Blog : http://nishadikirielle.blogspot.com/
>>> [email protected]
>>
>> --
>> Nishadi Kirielle
>> Software Engineering Intern
>> Mobile : +94 (0) 714722148
>> Blog : http://nishadikirielle.blogspot.com/
>> [email protected]
>
> --
> Imesh Gunaratne
> Senior Technical Lead
> WSO2 Inc: http://wso2.com
> T: +94 11 214 5345 M: +94 77 374 2057
> W: http://imesh.gunaratne.org
> Lean . Enterprise . Middleware

--
Thanks and Regards,
Isuru H.
+94 716 358 048
http://wso2.com/
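The second approach in the thread (a provisioning client that reads users from LDAP and creates per-user contexts and authorization entries in K8s) and the replication concern raised against it can be made concrete with a small script. This is an added example, not code from the thread, from Kismatic or from WSO2. The LDAP listing is a constructed sample (a real client would query the directory), the group-to-namespace mapping and the cluster name are assumptions, the tokens are placeholders, and the policy lines use the ABAC `v1beta1` JSON-lines format that kube-apiserver reads via `--authorization-mode=ABAC --authorization-policy-file=<file>` (the v1.1-era example file referenced in the thread may use an older, flatter shape). The last function shows why replicating identity data needs a reconciliation step: it finds policy entries for users who no longer exist in the directory.

```python
"""Added example (not from the thread): provisioning-client sketch for the
second approach -- read users/groups from a directory and emit per-user
Kubernetes ABAC policy lines plus per-user kubeconfig contexts, then
reconcile so entries for users gone from LDAP can be spotted."""
import json

# Constructed sample of what an LDAP search for (uid, primary group) might
# return; a real client would fetch this from the directory server.
LDAP_USERS = [
    ("alice", "dev-team"),
    ("bob", "dev-team"),
    ("carol", "ops-team"),
]

# Assumed mapping from LDAP group to the Kubernetes namespace that group owns.
GROUP_NAMESPACE = {"dev-team": "dev", "ops-team": "ops"}

ABAC_API_VERSION = "abac.authorization.kubernetes.io/v1beta1"


def abac_policy_lines(users, group_namespace, readonly_groups=()):
    """Return one JSON line per user in the ABAC policy-file format that
    kube-apiserver reads with
      --authorization-mode=ABAC --authorization-policy-file=<file>.
    Each user is confined to the namespace of its group; groups listed in
    readonly_groups get read-only access (GET/LIST/WATCH only)."""
    lines = []
    for uid, group in users:
        spec = {
            "user": uid,
            "namespace": group_namespace[group],
            "resource": "*",
            "apiGroup": "*",
        }
        if group in readonly_groups:
            spec["readonly"] = True
        policy = {"apiVersion": ABAC_API_VERSION, "kind": "Policy", "spec": spec}
        lines.append(json.dumps(policy, sort_keys=True))
    return lines


def kubeconfig_contexts(users, group_namespace, cluster="k8s-cluster"):
    """Return the 'contexts' and 'users' sections of a kubeconfig: one context
    per user, pinned to the user's group namespace and to the given cluster.
    Credentials are placeholders; a real client would issue a token or
    reference a client certificate per user."""
    contexts, kube_users = [], []
    for uid, group in users:
        contexts.append({
            "name": f"{uid}@{cluster}",
            "context": {
                "cluster": cluster,
                "namespace": group_namespace[group],
                "user": uid,
            },
        })
        kube_users.append({"name": uid, "user": {"token": f"<PLACEHOLDER-TOKEN-{uid}>"}})
    return {"contexts": contexts, "users": kube_users}


def stale_policy_users(policy_lines, current_users):
    """Users that still have a policy line but no longer appear in the
    directory listing. This is the cost of replicating user data into K8s:
    without a reconciliation step, access outlives the directory account."""
    live = {uid for uid, _ in current_users}
    stale = set()
    for line in policy_lines:
        uid = json.loads(line)["spec"].get("user")
        if uid and uid not in live:
            stale.add(uid)
    return sorted(stale)


if __name__ == "__main__":
    lines = abac_policy_lines(LDAP_USERS, GROUP_NAMESPACE, readonly_groups=("dev-team",))
    print("\n".join(lines))
    print(json.dumps(kubeconfig_contexts(LDAP_USERS, GROUP_NAMESPACE), indent=2))
    # Simulate bob being removed from the directory after provisioning.
    print("stale:", stale_policy_users(lines, [u for u in LDAP_USERS if u[0] != "bob"]))
```

The policy file is read by kube-apiserver at start-up, so a provisioning client working this way has to regenerate the file and restart or reload the API server on every directory change, and run the reconciliation on each sync; the direct-integration approach avoids that by letting the API server consult the directory at request time.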
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
