How to secure Kibana dashboard using keycloak-gatekeeper?

8/14/2019

Current flow:

incoming request (/sso-kibana) --> Envoy proxy --> /sso-kibana

Expected flow:

incoming request (/sso-kibana) --> Envoy proxy --> keycloak-gatekeeper --> keycloak

--> If not logged in --> keycloak login page --> /sso-kibana

--> If Already logged in --> /sso-kibana

I deployed keycloak-gatekeeper as a k8s cluster which has the following configuration:

keycloak-gatekeeper.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: keycloak-gatekeeper
  name: keycloak-gatekeeper
spec:
  selector:
    matchLabels:
      app: keycloak-gatekeeper
  replicas: 1
  template:
    metadata:
      labels:
        app: keycloak-gatekeeper
    spec:
      containers:
        - image: keycloak/keycloak-gatekeeper
          imagePullPolicy: Always
          name: keycloak-gatekeeper
          ports:
            - containerPort: 3000
          args:
            - "--config=/keycloak-proxy-poc/keycloak-gatekeeper/gatekeeper.yaml"
            - "--enable-logging=true"
            - "--enable-json-logging=true"
            - "--verbose=true"
          volumeMounts:
            - mountPath: /keycloak-proxy-poc/keycloak-gatekeeper
              name: secrets
      volumes:
        - name: secrets
          secret:
            secretName: gatekeeper

gatekeeper.yaml

discovery-url: https://keycloak/auth/realms/MyRealm
enable-default-deny: true
listen: 0.0.0.0:3000
upstream-url: https://kibana.k8s.cluster:5601
client-id: kibana
client-secret: d62e46c3-2a65-4069-b2fc-0ae5884a4952

Envoy.yaml

- name: kibana
  hosts: [{ socket_address: { address: keycloak-gatekeeper, port_value: 3000 }}]

Problem:

I am able to invoke the keycloak login on /Kibana, but after login the user is not sent to the /Kibana URL, i.e. the Kibana dashboard is not loading.

Note: Kibana is also running as k8s cluster.

References:
https://medium.com/@vcorreaniche/securing-serverless-services-in-kubernetes-with-keycloak-gatekeeper-6d07583e7382

https://medium.com/stakater/proxy-injector-enabling-sso-with-keycloak-on-kubernetes-a1012c3d9f8d

Update 1:

I'm able to invoke the keycloak login on /sso-kibana, but after entering credentials it gives a 404. The flow is the following:

Step 1. Clicked on http://something/sso-kibana
Step 2. Keycloak login page opens at https://keycloak/auth/realms/THXiRealm/protocol/openid-connect/auth?...
Step 3. After entering credentials redirected to this URL https://something/sso-kibana/oauth/callback?state=890cd02c-f...
Step 4. 404

Update 2:

The 404 error was solved after I added a new route in Envoy.yaml:

Envoy.yaml

- match: { prefix: /sso-kibana/oauth/callback }
  route: { prefix_rewrite: "/", cluster: kibana.k8s.cluster }

Therefore, the expected flow (as shown below) is working fine now.

incoming request (/sso-kibana) --> Envoy proxy --> keycloak-gatekeeper --> keycloak

--> If not logged in --> keycloak login page --> /sso-kibana

--> If Already logged in --> /sso-kibana

-- Affy
keycloak
keycloak-gatekeeper
kibana
kubernetes

1 Answer

8/20/2019

In your config you explicitly enabled enable-default-deny, which is explained in the documentation as:

enables a default denial on all requests, you have to explicitly say what is permitted (recommended)

With that enabled, you will need to specify URLs, methods etc. either via resources entries as shown in [1] or via a command-line argument [2]. In case of Kibana, you can start with:

resources:
- uri: /app/*

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration

[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#http-routing

-- Joe
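The two pieces this thread turns on, Envoy picking the first matching route (the callback route added in Update 2) and the enable-default-deny / resources pairing from the answer, as a small constructed model. This is added example code, not Envoy's or keycloak-gatekeeper's own code; the page never shows the original /sso-kibana route, so ROUTES_BEFORE assumes an exact-path match, which is one way the callback URL would fall through to a 404.

```python
# Constructed model of Envoy first-match routing with prefix_rewrite and of
# the gatekeeper enable-default-deny / resources check. Not Envoy's or
# keycloak-gatekeeper's code; ROUTES_BEFORE is an assumption (see lead-in).
from typing import Optional, Tuple

def envoy_route(routes, url) -> Optional[Tuple[str, str]]:
    """Pick the first route whose match applies to the request path.

    Returns (cluster, upstream_url), or None, which Envoy answers with 404.
    Supports the two matchers used here: exact 'path' and 'prefix'."""
    path, _, query = url.partition("?")
    for r in routes:
        m, action = r["match"], r["route"]
        if "path" in m and path == m["path"]:
            new_path = path
        elif "prefix" in m and path.startswith(m["prefix"]):
            rewrite = action.get("prefix_rewrite")
            # prefix_rewrite replaces only the matched prefix; the rest is kept
            new_path = path if rewrite is None else rewrite + path[len(m["prefix"]):]
        else:
            continue
        return action["cluster"], new_path + ("?" + query if query else "")
    return None

def lint_gatekeeper(cfg) -> list:
    """Flag a gatekeeper.yaml dict that denies by default but permits nothing."""
    findings = []
    if cfg.get("enable-default-deny") and not cfg.get("resources"):
        findings.append("enable-default-deny is set but no resources are listed; "
                        "add resources entries (e.g. uri: /app/*) or drop the flag")
    for res in cfg.get("resources", []):
        if "uri" not in res:
            findings.append(f"resource without uri: {res}")
    return findings

# Assumed original routing: an exact match on /sso-kibana only.
ROUTES_BEFORE = [{"match": {"path": "/sso-kibana"}, "route": {"cluster": "kibana"}}]
# Update 2 adds the callback route in front of it.
ROUTES_AFTER = [
    {"match": {"prefix": "/sso-kibana/oauth/callback"},
     "route": {"prefix_rewrite": "/", "cluster": "kibana.k8s.cluster"}},
] + ROUTES_BEFORE

CALLBACK = "/sso-kibana/oauth/callback?state=890cd02c-f"  # shortened, from Update 1

if __name__ == "__main__":
    print(envoy_route(ROUTES_BEFORE, CALLBACK))  # None -> the 404 from Update 1
    print(envoy_route(ROUTES_AFTER, CALLBACK))   # ('kibana.k8s.cluster', '/?state=890cd02c-f')
    print(lint_gatekeeper({"enable-default-deny": True}))
```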
Source: StackOverflow