Kubernetes: SAML for the application

Is there any recommended guidance document on SAML integration for applications deployed in Kubernetes? My search foo is failing me.

Most of the documentation is aimed at Kubernetes itself, not at the application. The application won't know about Kubernetes RBAC, etc.

In the official documentation you can find the following section:

Kubernetes uses client certificates, bearer tokens, or an authenticating proxy to authenticate API requests through authentication plugins. As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request:

  • Username: a string which identifies the end user. Common values might be kube-admin or jane@example.com.
  • UID: a string which identifies the end user and attempts to be more consistent and unique than username.
  • Groups: a set of strings, each of which indicates the user's membership in a named logical collection of users. Common values might be system:masters or devops-team.
  • Extra fields: a map of strings to list of strings which holds additional information authorizers may find useful.

All values are opaque to the authentication system and only hold significance when interpreted by an authorizer.

You can enable multiple authentication methods at once. You should usually use at least two methods:

  • service account tokens for service accounts
  • at least one other method for user authentication.

When multiple authenticator modules are enabled, the first module to successfully authenticate the request short-circuits evaluation. The API server does not guarantee the order authenticators run in.

The system:authenticated group is included in the list of groups for all authenticated users.

Integrations with other authentication protocols (LDAP, SAML, Kerberos, alternate x509 schemes, etc) can be accomplished using an authenticating proxy or the authentication webhook.

As you can see, to add SAML to your configuration you can use an authenticating proxy or the authentication webhook.

If you search for examples of how to set up SAML in Kubernetes, you can read this article.

However, in the vast majority of cases SAML will extend (rather than replace) the RBAC functionality. See also the article How SAML 2.0 Authentication Works?
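The "authentication webhook" the quoted documentation mentions is a plain HTTPS endpoint that the API server calls with a `TokenReview` object and that answers with the same object carrying a `status`. The handler below is an added illustration, not code from the answer, the linked article or the Kubernetes project: it shows the request and response shape of `authentication.k8s.io/v1` and where a proxy or IdP integration (SAML, LDAP, whatever validated the user) would plug in. The token table `KNOWN_TOKENS`, the audience list `SERVER_AUDIENCES` and the token values are constructed for the example; a real deployment would replace `lookup_token` with a call to whatever validated the SAML session.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: opaque tokens that some front-end (e.g. a SAML-aware
# proxy) issued after validating the user, mapped to the identity attributes the
# API server expects (username, uid, groups, extra).
KNOWN_TOKENS = {
    "tok-jane-example": {
        "username": "jane@example.com",
        "uid": "u-1001",
        "groups": ["devops-team"],
        "extra": {"idp": ["saml-example"]},   # extra: map of string -> list of strings
    },
}

# Audiences this webhook is willing to vouch for (constructed value).
SERVER_AUDIENCES = ["https://kubernetes.default.svc"]


def lookup_token(token: str):
    """Return the identity for a known token, or None.

    Comparison is constant-time per candidate so that response timing does not
    leak how many leading bytes of a guessed token matched.
    """
    for known, identity in KNOWN_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return identity
    return None


def handle_token_review(body: str) -> dict:
    """Turn a TokenReview request body into a TokenReview response dict."""
    rejected = {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "status": {"authenticated": False},
    }
    try:
        review = json.loads(body)
    except ValueError:
        return rejected
    if review.get("kind") != "TokenReview":
        return rejected

    spec = review.get("spec", {})
    token = spec.get("token", "")
    identity = lookup_token(token) if token else None
    if identity is None:
        return rejected

    # If the API server tells us which audiences the token must be valid for,
    # only accept when we recognise at least one, and echo the matched ones.
    requested = spec.get("audiences", [])
    matched = [a for a in requested if a in SERVER_AUDIENCES]
    if requested and not matched:
        return rejected

    status = {"authenticated": True, "user": dict(identity)}
    if matched:
        status["audiences"] = matched
    # Note: system:authenticated is added by the API server, not by the webhook.
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "status": status}


class TokenReviewHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for handle_token_review; put TLS in front of it in practice."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        payload = json.dumps(handle_token_review(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Constructed sample request, in the shape the API server sends.
    sample = json.dumps({
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": "tok-jane-example", "audiences": ["https://kubernetes.default.svc"]},
    })
    print(json.dumps(handle_token_review(sample), indent=2))
    HTTPServer(("127.0.0.1", 8443), TokenReviewHandler).serve_forever()
```

The API server is pointed at such an endpoint with `--authentication-token-webhook-config-file`; the response `status.user` is what later flows into RBAC, which is why the answer says SAML extends rather than replaces RBAC.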