Install K10 with Basic Authentication


Userlevel 7
Badge +22

For demos, test environments and home labs you may not want to deal with more complicated forms of authentication or copying and pasting tokens. Basic Authentication is available for Kasten and quite simple to set up. Make sure that you have the htpasswd utility installed on your system.

 

First create your password file:

htpasswd -c -B -b htpass.pass geoff Mytoughpassword

Here I am adding the user geoff with the Mytoughpassword password.

The -c only needs to be used once when creating the file. If you use it again it will wipe out your existing users.

Next I will use a user called heather with password passworddifficult:

htpasswd -B -b htpass.pass heather passworddifficult

 

Next we need to create a secret in the kasten-io namespace in our cluster that Kasten will leverage:

 

kubectl create secret generic -n kasten-io kastenusers --from-file=htpass.pass

 

Now we will install Kasten and point it to our secret while enabling basic authentication:

 

helm install k10 kasten/k10 --namespace=kasten-io  --set auth.basicAuth.enabled=true --set auth.basicAuth.secretName=kastenusers

 

After Kasten installs you should be able to access the Dashboard with basic authentication. 
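A check that can be run on htpass.pass before it is loaded into the kastenusers secret, added here as an example and not part of the original post: it flags entries that are not bcrypt, bcrypt entries with a low cost (htpasswd -B defaults to cost 5), and duplicate user names. The function names, the threshold of 10, the olduser entry and the filler hash bodies are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit an htpasswd file before creating the Kubernetes secret.
# audit_htpasswd FILE [MIN_COST] prints one line per finding; returns 1 if any.
audit_htpasswd() {
    file=$1
    min_cost=${2:-10}   # assumed threshold for this example, not a Kasten setting
    awk -F: -v min="$min_cost" '
        /^[[:space:]]*$/ || /^#/ { next }            # skip blank and comment lines
        {
            user = $1; hash = $2
            if (seen[user]++) { print user ": duplicate entry"; bad = 1 }
            if (hash ~ /^[$]2[aby][$][0-9][0-9][$]/) {
                cost = substr(hash, 5, 2) + 0        # two-digit bcrypt cost field
                if (cost < min) { print user ": bcrypt cost " cost " below " min; bad = 1 }
            } else if (hash ~ /^[$]apr1[$]/) {
                print user ": MD5 (apr1) hash, re-create with -B"; bad = 1
            } else if (substr(hash, 1, 5) == "{SHA}") {
                print user ": unsalted SHA-1 hash, re-create with -B"; bad = 1
            } else {
                print user ": crypt() or plaintext entry, re-create with -B"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample file: hash bodies are filler characters, not real digests.
write_sample() {
    cat > "$1" <<'EOF'
geoff:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
heather:$2y$12$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
olduser:$apr1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_htpasswd "$tmp" 10 || echo "fix the entries above before creating the secret"
rm -f "$tmp"
```

Entries flagged for low cost can be re-created with htpasswd's -C option, which sets the bcrypt cost when used together with -B.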


8 comments

Userlevel 7
Badge +20

Nice to see this. Still working to get in to Kasten but hopefully soon. 😂

Userlevel 3

hello Geoff,

I configured my K10 (5.5.10) with basic authentication for a couple of users (user1 and user2) and all works fine, but now I need to configure K10 dashboard access giving admin privileges to user1, using the default k10-admin cluster role, and read-only privileges to user2, using the default k10-config-view cluster role. For both users I created the rolebinding to the related clusterrole.

With both users, when I try to log in to the K10 Dashboard the access works fine but the privileges are k10-admin for both.

Following the K10 doc I do not find any limitation due to the basic authentication method, but my suspicion is that only with OIDC or LDAP authentication can we profile the access correctly? Or maybe I got something wrong in my configuration?

In the last case, do you have any link with a clarifying example for basic authentication configuration and RBAC dashboard rules?

 

kind regards

 

Userlevel 7
Badge +22

Hi Luca,

I am a bit exhausted from VeeamON so could be wrong. The problem with basic authentication is that those users won’t be able to use RBAC in Kubernetes. Kubernetes does not have users, you can create certificates, service accounts, or use outside of the cluster mechanisms like OpenID Connect etc and apply clusterrolebindings and rolebindings to them but not to something in a secret that was created from an htpass file. Again a bit of Miami too much sun but I think I am correct.

check out these links:

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

 

https://docs.kasten.io/latest/access/authorization.html

Userlevel 7
Badge +22

You could also create your own Keycloak and use OpenID Connect. I did a post about that too. Try it out and if you have any problems post any issues and I will try to help.

 

 

Userlevel 3


Thank you for clarification

regards

 

Luca

Userlevel 7
Badge +22

Actually just reviewed the Kub docs it does claim RBAC support for basic authentication. I will look into this a bit more tomorrow.

 

cheers

Userlevel 7
Badge +22

So the issue here is that the basic authentication that you are using is only seen by the K10 application. So you won’t be able to leverage RBAC. What you would need to do is enable basic authentication in your Kubernetes cluster by changing the Kubeapi server arguments to point to a static password file in csv format. Here is a post explaining that: https://gcore.com/blog/kubernetes-authentication/

 

If you want to test in Minikube here are some instructions as well:

https://techexpertise.medium.com/setting-up-basic-authentication-for-kubernetes-cluster-on-minikube-1-e84e1b56c64

So you would be able to leverage RBAC on those users. As for K10 I will need to test this, i.e. if we then create basic auth in Kasten with the same username.

I have never tried this and this would only be for test purposes. For production you would want to use something more robust and secure.

I will give it a try for fun and get back to you. 

 

Userlevel 3


 

Thank you Geoff, very interesting and I'll try it too in my lab, but as you said this would only be for test purposes, and I agree with you, not just for security but also because a configuration not supported/documented by Kasten could give me some problems in case of an issue.
