Authentication needs more details #761
Comments
Which part do you struggle with? I am not very familiar with Azure. I tried a bit and it worked with this:

```yaml
ui:
  openIDConnect:
    enabled: true
    discoveryUrl: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    callbackUrl: http://localhost:8082/callback
    clientId: 31adb89f-1162-404b-... # clientId
    clientSecret: <generated client secret> # certificate & secrets -> new client secret key
    groupClaim: "groups"
```

Steps I did in Azure:
When you configure access control with your Azure groups, be aware that Azure adds the roles with their IDs:

```yaml
ui:
  customBoards:
    - name: Infrastructure
      namespaces:
        selector:
          team: infra
      accessControl:
        groups: [92ae7bb0-1720-4794-a47d-997bc000460c]
```

I will try to improve the documentation over time, but it's a bit much to provide examples for all common OpenID Connect clients.
With a list of policy names?
https://kyverno.github.io/policy-reporter-docs/policy-reporter/report-processing.html#source-filter It automatically skips all reports for Pod resources if they are owned by a controller resource. This reduces duplication of information, because Kyverno in most cases generates duplicated reports for e.g. deployments, replicasets and pods. If you do not have pods without a controller, it will not show any Pod report or filter.
As Admin, I would like to see everything, but for developers, I would like that each team can see only their namespaces
Filtering namespaces is possible. As documented, you can use a fixed list of namespaces or labels to select them. In the example, namespaces are selected via labels:

```yaml
namespaces:
  selector:
    team: infra
```
You can add accessControl to all default boards (currently not per board). This will hide these boards for e.g. your infra team:

```yaml
ui:
  boards:
    accessControl:
      groups: ['admin']
```
It does not work, and concerning the groups you told me above
Did you test it? A screenshot can perhaps help.
Thanks
Sorry, I found an issue in the Helm Chart which did not map the boards configuration into the UI config. I tested it in my local setup, which worked. Preparing a fix for it.
You can update to helm chart version
Could you provide a screenshot of the result of kubectl get cpol -o wide
Do the missing policies produce any results? It could be the case that policies which do not produce any result are not shown in this list. I will see if I can improve this when the Kyverno plugin is used.
Are you sure that 3.0.3 is published?
Can you please check again? The publish action failed.
The same thing, there is only version 3.0.0.
This is the underlying chart repo: https://kyverno.github.io/policy-reporter/index.yaml. As you see, the latest item is Helm Chart Version 3.0.3 / App Version 3.0.0:

```
➜ policy-reporter git:(main) helm search repo policy-reporter
NAME                             CHART VERSION  APP VERSION  DESCRIPTION
policy-reporter/policy-reporter  3.0.3          3.0.0        Policy Reporter watches for PolicyReport Resour...
```

The
I added
then I could see all my policies. Another issue is when I try to use secretRef to authenticate: the secret does not get mounted into the deployment, and I already opened a PR for it #771
I just released a new Helm Chart version which should display your policies in the list even if they don't produce a result. This is not how secretRefs work. They don't need to be attached to the deployment; they are fetched at runtime. See https://github.com/kyverno/policy-reporter-ui/blob/main/backend/pkg/kubernetes/secrets/client.go#L35 for the expected keys of the secret.
https://kyverno.github.io/policy-reporter-docs/policy-reporter-ui/authentication.html has examples under "helm + secretRefs".
I tested it with secretRef a lot of times but it does not work, and also when I decode the policy-reporter-ui-config secret, I got
and when I add the secret to the values.yaml file, I got
Could you reopen it please?
Will check again, but as I already mentioned, it's fetched at runtime; you will not see the values in the other secret / config.
Thanks a lot for replying. The authentication works when we set the discoveryUrl in the values and not in the secret with clientId and clientSecret. We have another issue now: we are using the NGINX ingress controller (not the community one) on the clusters, and when we set ui.replicaCount to 3, something goes wrong because the auth requires sessions if there are multiple replicas. Any idea how we can solve it (the ingress)?
Another issue now: we can not see the pod reports with the new version, even with
Thanks
Doesn't work anyway. You need to set the selector for kyverno:

```yaml
sourceFilters:
  - selector:
      source: kyverno
    uncontrolledOnly: false
    disableClusterReports: false
    kinds:
      exclude: [ReplicaSet]
```
Hi @fjogeleit

```yaml
ui:
  enabled: true
  openIDConnect:
    # -- Enable openID Connect authentication
    enabled: true
    # -- OpenID Connect Discovery URL
    discoveryUrl: "https://login.microsoftonline.com/tenantId/v2.0"
    # -- OpenID Connect Callback URL
    callbackUrl: "https://reporter-host/callback"
    # -- OpenID Connect ClientID
    clientId: ""
    # -- OpenID Connect ClientSecret
    clientSecret: ""
    # -- Optional Group Claim to map user groups to the profile
    # groups can be used to define access control for clusters, boards and custom boards.
    groupClaim: "groups"
    # -- OpenID Connect allowed Scopes
    scopes: ["openid"]
    boards:
      accessControl:
        groups: ["xxxxxxxx-xxxx-xxxx-xxxx-08bffc32272a"]
```

I think boards should be under ui and not openIDConnect, so your indentation looks wrong.
you are 100% right! |
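Pulling the fragments of this thread together, the following is an added example of a complete Helm values fragment for Policy Reporter with Entra ID (Azure) OpenID Connect and group-based access control. It is not the project's own documentation or code: the tenant ID, client ID, secret, hostname and group object IDs are placeholders, and the placement of sourceFilters under ui is assumed from the fragment posted above. boards sits directly under ui, which is the indentation mistake discussed in the last two comments.

```yaml
ui:
  enabled: true
  # Assumption: a single replica until session handling behind the ingress is sorted out,
  # since the thread reports login breaking with ui.replicaCount: 3
  replicaCount: 1
  openIDConnect:
    enabled: true
    # Entra ID v2.0 issuer for the tenant; the thread shows both this form and the full
    # .well-known/openid-configuration URL working
    discoveryUrl: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    # Must match the redirect URI registered on the app registration (https on the real host)
    callbackUrl: "https://reporter.example.com/callback"
    clientId: "<application-client-id>"
    clientSecret: "<client-secret>"   # placeholder; from Certificates & secrets on the app registration
    # Entra ID only emits this claim if the "groups" optional claim is configured on the app registration
    groupClaim: "groups"
    scopes: ["openid"]
  # Default boards: visible only to members of the admin group (object ID, not display name)
  boards:
    accessControl:
      groups: ["<admin-group-object-id>"]
  # Per-team boards: each selects namespaces by label and is restricted to one group
  customBoards:
    - name: Infrastructure
      namespaces:
        selector:
          team: infra
      accessControl:
        groups: ["<infra-group-object-id>"]
    - name: Payments
      namespaces:
        selector:
          team: payments
      accessControl:
        groups: ["<payments-group-object-id>"]
  # Assumption: sourceFilters belongs under ui. uncontrolledOnly: false keeps reports for
  # controller-owned Pods; excluding ReplicaSet avoids the Deployment/ReplicaSet/Pod triplication
  sourceFilters:
    - selector:
        source: kyverno
      uncontrolledOnly: false
      disableClusterReports: false
      kinds:
        exclude: [ReplicaSet]
```

Two checks before concluding that access control is broken: the values in accessControl.groups have to be the group object IDs exactly as Entra ID places them in the groups claim, not the display names, and a user who belongs to more groups than the token overage limit (200 for JWT tokens) receives no groups claim at all, only an overage indicator, so the UI will treat them as a member of no group. Keep the real client secret out of a committed values file; the secretRef mechanism discussed above fetches it from a Kubernetes Secret at runtime, which is why it never appears in the rendered policy-reporter-ui-config secret.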
Hello,
I'd like to request detailed documentation on how to set up authentication, as it's not clear how to set it up from the official page.
As a good example, see https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#entra-id-app-registration-auth-using-oidc
If you could give an example of how we could implement authentication on Azure using openIDConnect and allow a specific group to see only x customBoard, that would be great (actually I implemented it, but I cannot split the boards and implement the authorization).
Another issue I got is that when I add accessControl to customBoards, the customBoard does not appear in the UI?
Thanks