In addition to external authentication providers, DKP also supports local authentication.

Local authentication provides user verification and access management with support for configurable password policies, two-factor authentication (2FA), and group management. The implementation complies with OWASP recommendations, ensuring reliable protection of access to the cluster and applications without requiring integration with external authentication systems.

Local authentication involves creating User and Group resources in the cluster for static users and groups:

  • A User object stores user information, including email and a hashed password (the password is not stored in plain text).
  • A Group object defines a list of users grouped together.

Creating a static user

To create a static user, create a User resource.

Example resource definition (note that the example includes a ttl):

apiVersion: deckhouse.io/v1
kind: User
metadata:
  name: admin
spec:
  email: admin@yourcompany.com
  password: $2a$10$etblbZ9yfZaKgbvysf1qguW3WULdMnxwWFrkoKpRH1yeWa5etjjAa
  ttl: 24h

Come up with a password and specify its hashed value in the password field. The password is stored as a bcrypt hash, never in plain text.
You can generate the hash using the following command:

echo "$password" | htpasswd -BinC 10 "" | cut -d: -f2 | base64 -w0

If the htpasswd command is not available, install the appropriate package:

  • apache2-utils — for Debian-based distributions.
  • httpd-tools — for CentOS-based distributions.
  • apache2-htpasswd — for ALT Linux.
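Before pasting a generated value into a User manifest it is worth checking that it really is a bcrypt hash of an acceptable cost, and not, for example, a plain-text password that slipped through. The following checker is an added example and is not part of the DKP documentation or code base: it accepts either a raw bcrypt string (as in the manifest above) or the base64 form produced by the `base64 -w0` step of the command, and the minimum cost of 10 is an assumption matching the `-C 10` used in that command.

```python
import base64
import re

# Shape of a bcrypt string: $2a$/$2b$/$2y$ prefix, two-digit cost factor,
# then a 22-character salt and 31-character hash in the bcrypt base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_bcrypt(value: str):
    """Return the cost factor if `value` is a well-formed bcrypt hash, else None."""
    m = BCRYPT_RE.match(value)
    return int(m.group(1)) if m else None


def encode_for_manifest(bcrypt_hash: str) -> str:
    """Base64-encode a bcrypt hash, mirroring the `base64 -w0` step of the htpasswd command."""
    return base64.b64encode(bcrypt_hash.encode("ascii")).decode("ascii")


def check_password_value(value: str, min_cost: int = 10):
    """Validate a User.spec.password value.

    Accepts a raw bcrypt hash or its base64 encoding and returns (cost, raw_hash).
    Raises ValueError for anything else, including a plain-text password
    or a hash whose cost is below `min_cost` (assumed minimum, matches -C 10).
    """
    raw = value.strip()
    cost = parse_bcrypt(raw)
    if cost is None:
        # Not a raw bcrypt string: try to read it as the base64 output of the command.
        try:
            decoded = base64.b64decode(raw, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            raise ValueError("password is neither a bcrypt hash nor base64 of one")
        cost = parse_bcrypt(decoded)
        if cost is None:
            raise ValueError("base64 value does not decode to a bcrypt hash")
        raw = decoded
    if cost < min_cost:
        raise ValueError(f"bcrypt cost {cost} is below the minimum {min_cost}")
    return cost, raw


if __name__ == "__main__":
    # The hash from the User example above, used here only to demonstrate the check.
    sample = "$2a$10$etblbZ9yfZaKgbvysf1qguW3WULdMnxwWFrkoKpRH1yeWa5etjjAa"
    print(check_password_value(sample))
    print(check_password_value(encode_for_manifest(sample)))
```

Run it against the value you intend to put in the manifest; a ValueError means the field would either not authenticate anyone or, worse, hold a plain-text secret in the cluster.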

Adding a user to a group

It is forbidden to use users and groups with the system: prefix.
Authentication attempts by such users or members of such groups will be rejected, and a corresponding warning will appear in the kube-apiserver logs.

To group static users together, create a Group resource.

Example resource definition:

apiVersion: deckhouse.io/v1alpha1
kind: Group
metadata:
  name: admins
spec:
  name: admins
  members:
    - kind: User
      name: admin

Where members is a list of users belonging to the group.

Once the group is created and includes all necessary users, proceed by configuring authorization.

Configuring password policy

The password policy controls password complexity, rotation, and user lockout after repeated failed logins.

To set up a password policy, use the passwordPolicy field in the configuration of the user-authn module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: user-authn
spec:
  version: 2
  enabled: true
  settings:
    passwordPolicy:
      complexityLevel: Fair
      passwordHistoryLimit: 10
      lockout:
        lockDuration: 15m
        maxAttempts: 3
      rotation:
        interval: "30d"

Field description:

  • complexityLevel: Password complexity level.
  • passwordHistoryLimit: Number of previous passwords stored in the system to prevent their reuse.
  • lockout: Lockout settings after exceeding the limit of failed login attempts:
    • lockout.maxAttempts: Limit of allowed failed login attempts.
    • lockout.lockDuration: User lockout duration.
  • rotation: Password rotation settings:
    • rotation.interval: Period for mandatory password change.
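To make the interaction of these fields concrete, here is a small simulation of how a history limit, a lockout threshold with a lock duration, and a rotation interval behave over time. It is an added example written for this page, not the user-authn module's own enforcement code; the state machine (attempt counter reset on success, lock released after lockDuration, reuse checked against the last N passwords) is an assumption about the semantics the field descriptions imply, and complexityLevel is deliberately not modelled because its exact rules are not given here. Plain-text passwords stand in for the stored hashes to keep the example self-contained.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    # Defaults mirror the passwordPolicy values of the ModuleConfig example above.
    password_history_limit: int = 10
    lockout_max_attempts: int = 3
    lockout_duration: timedelta = timedelta(minutes=15)
    rotation_interval: timedelta = timedelta(days=30)


@dataclass
class StaticUserState:
    history: List[str] = field(default_factory=list)   # last N passwords, newest last
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class PolicyEnforcer:
    """Assumed semantics of the policy fields, applied to in-memory users."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.users: Dict[str, StaticUserState] = {}

    def _state(self, name: str) -> StaticUserState:
        return self.users.setdefault(name, StaticUserState())

    def set_password(self, name: str, new_password: str, now: datetime) -> str:
        st = self._state(name)
        # passwordHistoryLimit: reject any of the last N passwords.
        if new_password in st.history:
            return "rejected: password reused"
        st.history.append(new_password)
        del st.history[:-self.policy.password_history_limit]
        st.password_set_at = now
        return "ok"

    def login(self, name: str, password: str, now: datetime) -> str:
        st = self._state(name)
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            # lockDuration elapsed: release the lock and start counting afresh.
            st.locked_until = None
            st.failed_attempts = 0
        current = st.history[-1] if st.history else None
        if password != current:
            st.failed_attempts += 1
            # maxAttempts: lock the account once the limit is reached.
            if st.failed_attempts >= self.policy.lockout_max_attempts:
                st.locked_until = now + self.policy.lockout_duration
                return "locked"
            return "wrong password"
        st.failed_attempts = 0
        # rotation.interval: a correct password older than the interval must be changed.
        if now - st.password_set_at >= self.policy.rotation_interval:
            return "ok, password change required"
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    e = PolicyEnforcer(PasswordPolicy())
    print(e.set_password("admin", "Correct-Horse-1", t0))
    for i in range(3):
        print(e.login("admin", "wrong", t0 + timedelta(seconds=i)))
    print(e.login("admin", "Correct-Horse-1", t0 + timedelta(minutes=1)))   # still locked
    print(e.login("admin", "Correct-Horse-1", t0 + timedelta(minutes=20)))  # lock expired
    print(e.login("admin", "Correct-Horse-1", t0 + timedelta(days=31)))     # rotation due
```

Note that a correct password submitted during the lock window is still refused: the lock protects against online guessing, so it must not leak whether the guess was right.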

Configuring two-factor authentication (2FA)

2FA increases security by requiring a code from a TOTP authenticator application (for example, Google Authenticator) during login.

To set up 2FA, use the staticUsers2FA field in the configuration of the user-authn module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: user-authn
spec:
  version: 2
  enabled: true
  settings:
    staticUsers2FA:
      enabled: true
      issuerName: "awesome-app"

Field description:

  • enabled: Enables or disables 2FA for all static users.
  • issuerName: Name displayed in the authenticator application when adding an account.

After enabling 2FA, each user must register in the authenticator application during their first login.