Is there a Best Practice standard for providing OAUTH2 security over a Kubernetes cluster?

11/1/2018

I am starting to experiment with Oauth2 authorisation for a Kubernetes cluster.

I have found a good Oauth2 identity provider using UAA

My original intention was to deploy this into a Kubernetes cluster, and then allow it to provide authentication over that cluster. This would provide a single sign on solution hosted in the cloud, and enable that solution to manage Kubernetes access as well as access to the applications running on my cluster.

However, when thinking this solution through, there would seem to be some edge cases where this kind of configuration could be catastrophic. For instance if my cluster stops then I do not think I will be able to restart that cluster, as the Oauth2 provider would not be running, and thus I could not be authenticated to perform any restart operations.

  • Has anybody else encountered this conundrum?
  • Is this a real risk?
  • Is there a 'standard' approach to circumvent this issue?

Many thanks for taking the time to read this!

-- MarkA
kubernetes
oauth-2.0

2 Answers

3/4/2019

The use of UAA consists of two procedures—authentication and authorization—where the latter allows for performing certain actions within a cluster. They are used through the kubectl command-line tool.

One can use 2 existing modules of authorization (ABAC and RBAC). Here you can find a side-by-side comparison of these two options where the author vouched for the RBAC mode as it "doesn’t require the API server to be restarted every time the policy files get updated".

If I understood your question right, this article may be of help.

-- Valeryia Vishavataya
Source: StackOverflow

11/1/2018

Kubernetes supports multiple authentication methods (ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/).

You can enable several of them. You can log into the Kubernetes cluster using any of them (if they are enabled and configured correctly).

According to kubernetes documentation: When multiple authenticator modules are enabled, the first module to successfully authenticate the request short-circuits evaluation. The API server does not guarantee the order authenticators run in.

So, if you enable multiple authentication methods, I think you are fine. I am using a Kubernetes cluster in which certificate authentication and webhook token authentication using guard are enabled. And this guard is running in that Kubernetes cluster.

-- nightfury1204
Source: StackOverflow
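The authenticator chain this answer relies on, modelled as an added example (it is not guard's or Kubernetes' own code): the TokenReview request and response shapes are the real authentication.k8s.io/v1 ones, while the tokens, the certificate identities and the "webhook down" switch are constructed to show why a second, provider-independent authenticator keeps the cluster reachable.

```python
import json

# Constructed sample data: tokens the (hypothetical) webhook backend knows.
# A real webhook such as guard would look them up in its identity provider.
KNOWN_TOKENS = {"tok-alice-123": ("alice", ["developers"])}

def token_review_webhook(body, available=True):
    """Answer a TokenReview in the v1 format the API server expects."""
    if not available:
        raise ConnectionError("webhook (e.g. in-cluster guard) unreachable")
    token = json.loads(body).get("spec", {}).get("token", "")
    status = {"authenticated": False}
    if token in KNOWN_TOKENS:
        name, groups = KNOWN_TOKENS[token]
        status = {"authenticated": True,
                  "user": {"username": name, "groups": groups}}
    return json.dumps({"apiVersion": "authentication.k8s.io/v1",
                       "kind": "TokenReview", "status": status})

def cert_authenticator(req):
    """Client-cert module: identity comes from a cert signed by the cluster
    CA (--client-ca-file), so it needs no running identity provider."""
    cert = req.get("client_cert")
    if cert and cert.get("ca_ok"):
        return {"username": cert["cn"], "groups": cert.get("orgs", [])}
    return None

def webhook_authenticator(req, webhook_up=True):
    """Bearer-token module: asks the TokenReview webhook; an unreachable
    webhook only makes this module fail, it does not block the chain."""
    token = req.get("bearer_token")
    if not token:
        return None
    review = {"apiVersion": "authentication.k8s.io/v1",
              "kind": "TokenReview", "spec": {"token": token}}
    try:
        reply = json.loads(token_review_webhook(json.dumps(review), webhook_up))
    except ConnectionError:
        return None
    status = reply["status"]
    return status.get("user") if status.get("authenticated") else None

def authenticate(req, webhook_up=True):
    """First module to succeed wins; the API server guarantees no order."""
    modules = (cert_authenticator, lambda r: webhook_authenticator(r, webhook_up))
    for module in modules:
        user = module(req)
        if user:
            return user
    return None  # no module succeeded: 401 Unauthorized
```

With the webhook down (the question's stopped-cluster scenario), a request carrying a CA-signed client certificate still authenticates, while a request with only a bearer token gets 401.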