github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-06-21 22:08:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

SAML authorization (#1487)

Browse Source 
* 🔨 Add `AUTH_SAML_ROLE_ATTRIBUTE` field to `ConfigMap`

* 📝 Document `tap.auth.saml.roleAttribute/roles` values

* 🔧 Re-generate `complete.yaml`

* 🔥 Remove `default` tag from `SamlConfig.RoleAttribute`

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
This commit is contained in:
Serhii Ponomarenko 2024-01-25 08:05:37 +08:00 committed by GitHub
parent c48187a02e
commit bfa3efd23a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config/configStruct.go
View File

@ -61,6 +61,7 @@ func CreateDefaultConfig() ConfigStruct {
}, },
Auth: configStructs.AuthConfig{ Auth: configStructs.AuthConfig{
Saml: configStructs.SamlConfig{ Saml: configStructs.SamlConfig{
RoleAttribute: "role",
Roles: map[string]configStructs.Role{ Roles: map[string]configStructs.Role{
"admin": { "admin": {
Filter: "", Filter: "",

1
config/configStructs/tapConfig.go
View File

@ -94,6 +94,7 @@ type SamlConfig struct {
IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"` IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
X509crt string `yaml:"x509crt" json:"x509crt"` X509crt string `yaml:"x509crt" json:"x509crt"`
X509key string `yaml:"x509key" json:"x509key"` X509key string `yaml:"x509key" json:"x509key"`
RoleAttribute string `yaml:"roleAttribute" json:"roleAttribute"`
Roles map[string]Role `yaml:"roles" json:"roles"` Roles map[string]Role `yaml:"roles" json:"roles"`
} }

2
helm-chart/README.md
View File

@ -216,6 +216,8 @@ Please refer to [metrics](./metrics.md) documentation for details.
| `tap.auth.saml.idpMetadataUrl` | SAML IDP metadata URL <br/>(effective, if `tap.auth.type = saml`) | `` | | `tap.auth.saml.idpMetadataUrl` | SAML IDP metadata URL <br/>(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents <br/>(effective, if `tap.auth.type = saml`) | `` | | `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents <br/>(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents <br/>(effective, if `tap.auth.type = saml`) | `` | | `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents <br/>(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.roleAttribute` | A SAML attribute name corresponding to user's authorization role <br/>(effective, if `tap.auth.type = saml`) | `role` |
| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions <br/>(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}` |
| `tap.ingress.enabled` | Enable `Ingress` | `false` | | `tap.ingress.enabled` | Enable `Ingress` | `false` |
| `tap.ingress.className` | Ingress class name | `""` | | `tap.ingress.className` | Ingress class name | `""` |
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` | | `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |

1
helm-chart/templates/12-config-map.yaml
View File

@ -19,6 +19,7 @@ data:
AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}' AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}'
AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}' AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}'
AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}' AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}' AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}' TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}'
REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}' REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}'

1
helm-chart/values.yaml
View File

@ -67,6 +67,7 @@ tap:
idpMetadataUrl: "" idpMetadataUrl: ""
x509crt: "" x509crt: ""
x509key: "" x509key: ""
roleAttribute: role
roles: roles:
admin: admin:
filter: "" filter: ""

3
manifests/complete.yaml
View File

@ -151,6 +151,7 @@ data:
AUTH_APPROVED_DOMAINS: '' AUTH_APPROVED_DOMAINS: ''
AUTH_APPROVED_TENANTS: '' AUTH_APPROVED_TENANTS: ''
AUTH_SAML_IDP_METADATA_URL: '' AUTH_SAML_IDP_METADATA_URL: ''
AUTH_SAML_ROLE_ATTRIBUTE: 'role'
AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}' AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}'
TELEMETRY_DISABLED: '' TELEMETRY_DISABLED: ''
REPLAY_DISABLED: '' REPLAY_DISABLED: ''
@ -654,7 +655,7 @@ spec:
- name: REACT_APP_AUTH_TYPE - name: REACT_APP_AUTH_TYPE
value: 'saml' value: 'saml'
- name: REACT_APP_AUTH_SAML_IDP_METADATA_URL - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
value: '' value: ' '
- name: REACT_APP_REPLAY_DISABLED - name: REACT_APP_REPLAY_DISABLED
value: 'false' value: 'false'
image: 'docker.io/kubeshark/front:v52.1.0' image: 'docker.io/kubeshark/front:v52.1.0'