There are two user roles in Octopod:
- user
- admin
| role | managing deployments | viewing deployment logs |
|---|---|---|
| user | ✅ | ❌ |
| admin | ✅ | ✅ |
Web UI users have the user role.
octo CLI users have the admin role.
There is currently no way to give someone access to octo CLI without giving them the admin role since authentication is done through SSL certificates instead of through OAuth.
Octopod Server is deployed in the `octopod` Kubernetes namespace. Deployments are deployed in the `deployments` namespace. Octopod Server uses the `octopod` Service Account.

Freeing resources might require Octopod Server / control scripts to have privileges to delete Certificates and Persistent Volume Claims (this depends on the specifics of the Kubernetes setup and the control scripts).
Access can be configured through RBAC:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-control-clusterrole
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: octopod-cert-control-rolebinding
  namespace: deployments
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: cert-control-clusterrole
subjects:
  - kind: ServiceAccount
    name: octopod
    namespace: octopod
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pvc-control-clusterrole
rules:
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: octopod-pvc-control-rolebinding
  namespace: deployments
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: pvc-control-clusterrole
subjects:
  - kind: ServiceAccount
    name: octopod
    namespace: octopod
```
Authentication between the Web UI and Octopod Server is done through Basic Auth. The Bearer token is read by the Web UI after the page is loaded as part of the config. By default, everything, including the config, can be accessed without any authentication. For ways of mitigating this please see the next section.
The Web UI on its own does not have any authentication whatsoever, meaning that anyone can open it and manage your deployments. Luckily, Kubernetes can be configured to authenticate users before they get access to the Web UI. It can be set up to authenticate users through Ingress which supports external authentication services. You can set up OAuth2 Proxy in your cluster to support numerous OAuth services. For example, if you use GitHub, you can set up OAuth2 Proxy to use GitHub to automatically grant users access to Octopod when you add them to your organization in GitHub.
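One way to put the Ingress-level authentication described above in front of the Web UI, as an added example that is not part of the Octopod documentation: it assumes ingress-nginx and an oauth2-proxy deployment already running in the cluster, and the Service names, ports, hostname and TLS secret name are hypothetical.

```yaml
# Added example, not from the Octopod docs. Hypothetical names: Services
# octopod-ui:80 and oauth2-proxy:4180 in namespace octopod, host octopod.example.com.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: octopod-ui
  namespace: octopod
  annotations:
    # Every request is checked against oauth2-proxy before it reaches the UI,
    # so the config (which carries the Bearer token) is covered as well.
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [octopod.example.com]
      secretName: octopod-ui-tls   # hypothetical TLS secret
  rules:
    - host: octopod.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: octopod-ui
                port:
                  number: 80
---
# The oauth2-proxy endpoints must stay reachable without authentication;
# expose them on the same host under /oauth2 with no auth annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: octopod
spec:
  ingressClassName: nginx
  rules:
    - host: octopod.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
```

Unauthenticated requests get a 401 from the `/oauth2/auth` subrequest and are redirected to `auth-signin`, so neither the Web UI nor its config is served before the user has signed in through the configured OAuth provider.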
Authentication between octo CLI and Octopod Server is done through an SSL certificate that is generated when deploying Octopod.