Dashboard: Support passthrough of impersonation headers

Created on 17 Mar 2019 · 8 Comments · Source: kubernetes/dashboard

What would you like to be added

Right now you can upload a kubeconfig with a token or embed one in the Authorization header from a reverse proxy. What would be good is to support the impersonation headers from a reverse proxy. There would need to be some additional documentation of proper controls too.

Why is this needed

This would make it possible for the dashboard to work on cloud provider implementations (i.e. EKS/AKS/GKE) without direct tie-in to their own proprietary identity APIs. This would also keep pace with the API server's capabilities for advanced authentication.

Comments

I'd be happy to work on this and submit a PR if it's a feature that would be accepted.

cc @sig-ui

kind/feature

All 8 comments

Sounds good to me. I'll cc other guys.

cc @kubernetes/dashboard-maintainers

You are welcome to work on that. We need some kind of proposal/PoC on how it would work in Dashboard.

Sweet! +1 on a PoC. Let us know if you need anything or have any questions. :)

/pony yay

@jeefy: pony image


Here's the basic design:

  1. User authenticates to the reverse proxy
  2. Reverse proxy has a token that is authorized to impersonate, injects the token plus impersonation headers into each request to the dashboard
  3. Dashboard forwards the headers to the api server on all requests (same as Authorization header today)

Same rules as using the Authorization header token from the dashboard:

  1. Must use TLS
  2. Dashboard service account has minimal permissions

From a security standpoint, the burden is on the reverse proxy to properly secure itself.

[Diagram: k8s_dashboard_impersonation]
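The proxy-side half of the design above, sketched as an added example that is not part of the original thread or the Dashboard code base: before injecting its own token and impersonation headers, the reverse proxy drops any `Authorization` or `Impersonate-*` header that arrived with the request, so the only identity forwarded is the one it authenticated. The `Identity` type, the `upstreamHeaders` function and the token value are hypothetical; `Impersonate-User` and `Impersonate-Group` are the Kubernetes API server's impersonation headers.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Identity is what the proxy learned from its own login flow (hypothetical type).
type Identity struct {
	User   string
	Groups []string
}

// upstreamHeaders builds the headers the proxy sends on towards the dashboard.
// Identity-bearing headers received from the client are dropped first, so the
// only impersonation values are the ones the proxy itself vouches for.
func upstreamHeaders(in http.Header, id Identity, proxyToken string) (http.Header, error) {
	if id.User == "" {
		return nil, fmt.Errorf("refusing to forward: no authenticated user")
	}
	out := http.Header{}
	for name, vals := range in {
		lower := strings.ToLower(name)
		if lower == "authorization" || strings.HasPrefix(lower, "impersonate-") {
			continue // client-supplied credentials or identity: never trusted
		}
		out[name] = append([]string(nil), vals...)
	}
	out.Set("Authorization", "Bearer "+proxyToken) // token authorized to impersonate
	out.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		out.Add("Impersonate-Group", g)
	}
	return out, nil
}

func main() {
	// Constructed inbound request that already carries impersonation headers.
	in := http.Header{}
	in.Set("Impersonate-User", "cluster-admin")
	in.Add("Impersonate-Group", "system:masters")
	in.Set("Accept", "application/json")
	id := Identity{User: "alice", Groups: []string{"dev"}}
	out, err := upstreamHeaders(in, id, "PLACEHOLDER-TOKEN")
	fmt.Println(out, err)
}
```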

@mlbiam Hey, any updates?

Life's gotten in my way :-/ Good news is I hope to pick this back up in the next week or two.

Awesome! @mlbiam let us know if there's anything you need. Thanks!
