The user-authn module: Custom Resources

DexAuthenticator

Scope: Namespaced

After the DexAuthenticator object appears in the namespace, the following objects will be created:

Deployment containing OAuth2-Proxy and Redis containers;
Service, pointing to OAuth2-Proxy;
Ingress resource, configured to receive requests on https://<applicationDomain>/dex-authenticator and send it to a service side;
Secrets, needed to access Dex.

Warning. After restarting a pod with an OAuth2-Proxy, the current Access Token and ID Token will be queried (using the refresh token) and stored in a Redis memory.

Example:

apiVersion: deckhouse.io/v1
kind: DexAuthenticator
metadata:
  name: app-name
  namespace: app-namespace
spec:
  applicationDomain: app-name.kube.my-domain.com
  sendAuthorizationHeader: false
  applicationIngressCertificateSecretName: ingress-tls
  applicationIngressClassName: nginx
  keepUsersLoggedInFor: 720h
  allowedGroups:
  - everyone
  - admins
  whitelistSourceRanges:
  - 1.1.1.1/32
  - 192.168.0.0/24
  additionalApplications:
  - domain: additional-app-name.kube.my-domain.com
    ingressSecretName: ingress-tls
    ingressClassName: nginx
    signOutURL: "/logout"
    whitelistSourceRanges:
    - 2.2.2.2/32

spec
object
Required value
- spec.additionalApplications
  array of objects
  A list of additional applications for which user authentication is required.
  - spec.additionalApplications.domain
    string
    Required value
    An application domain from which the user request will be redirected for authentication in Dex.
    
    Warning. Must be specified without HTTP scheme.
    
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  - spec.additionalApplications.ingressClassName
    string
    Required value
    The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).
    
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  - spec.additionalApplications.ingressSecretName
    string
    The name of the Secret containing the TLS certificate (from the domain) used in the applications Ingress resource. The Secret must be in the same namespace as DexAuthenticator.
    
    Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$
  - spec.additionalApplications.signOutURL
    string
    The URL of the application from which requests will be redirected to the sign-out URL of the dex-authenticator.
    
    It is used in the application to direct logout requests. A separate Ingress resource will be created for the specified URL, and requests to it will be redirected to dex-authenticator.
  - spec.additionalApplications.whitelistSourceRanges
    array of strings
    CIDRs that are allowed to authenticate. Authentication is allowed without IP address restrictions, If not specified.
    
    Example:
    whitelistSourceRanges: - 192.168.42.0/24
    - Element of the array
      string
      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
- spec.allowedGroups
  array of strings
  A list of groups whose members are allowed to connect to the client.
  
  By default, all groups can connect.
  
  Default: All groups are allowed.
- spec.applicationDomain
  string
  Required value
  An address for the application (DNS domain for Ingress resource) from which the user request will be redirected for authentication in Dex.
  
  Warning. Must be specified without HTTP scheme.
  
  Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  Example:
  applicationDomain: my-app.domain.com
- spec.applicationIngressCertificateSecretName
  string
  The name of the Secret containing the TLS certificate for the application domain (is used in the Ingress resource). The Secret must be located in the same namespace as the DexAuthenticator.
  
  Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$
  Example:
  applicationIngressCertificateSecretName: ingress-tls
- spec.applicationIngressClassName
  string
  Required value
  The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).
  
  Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  Example:
  applicationIngressClassName: nginx
- spec.keepUsersLoggedInFor
  string
  User session will be kept for specified amount of time even if user will not log in. Specified with s, m or h suffix.
  
  Default: "168h"
  Example:
  keepUsersLoggedInFor: 24h
- spec.nodeSelector
  object
  If specified, the dex-authenticator pods nodeSelector.
  
  Format: the standard nodeSelector list. Instance pods inherit this field as is.
- spec.sendAuthorizationHeader
  boolean
  Request to application will be sent with Authorization: Bearer header when the option is switched to true.
- spec.signOutURL
  string
  The URL of the application from which requests will be redirected to the sign-out URL of the dex-authenticator.
  
  It is used in the application to direct logout requests. A separate Ingress resource will be created for the specified URL, and requests to it will be redirected to dex-authenticator.
- spec.tolerations
  array of objects
  If specified the dex-authenticator pods tolerations.
  
  Format: the standard toleration list. Instance pods inherit this field as is.
  - spec.tolerations.effect
    string
    Defines the taint’s effect this toleration is associated with (it matches any effect if empty).
    
    Allowed values: NoSchedule, PreferNoSchedule, NoExecute
  - spec.tolerations.key
    string
    Defines the taint’s key this toleration is associated with (it matches any key if empty).
    
    If the key is omitted (emplty), then operator must be set to Exists (which means it matches any value and key).
  - spec.tolerations.operator
    string
    Defines how the key and its value are linked — whether the key must be Equal to the value or can have any value.
    
    Setting it to Exists is equivalent to the value having any value so that the pod with the specified toleration can match the corresponding taint.
    
    Default: "Equal"
    Allowed values: Exists, Equal
  - spec.tolerations.tolerationSeconds
    integer
    Specifies the period (in seconds) that the scheduler waits before evicting a Pod from a node if the toleration no longer matches the taint (only applicable to the NoExecute effect, otherwise ignored).
    
    If the parameter is not set, the Pod will not be evicted from the node if the toleration no longer matches the taint. If the parameter is set to zero (or negative), the Pod will be evicted immediately if the toleration no longer matches the taint.
    
    The default is: not set.
  - spec.tolerations.value
    string
    The value that the toleration must match.
    
    Must be empty if the operator parameter is set to Exists.
- spec.whitelistSourceRanges
  array of strings
  CIDRs that are allowed to authenticate. Authentication is allowed without IP address restrictions, If not specified.
  
  Example:
  whitelistSourceRanges: - 192.168.42.0/24
  - Element of the array
    string
    Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

spec
object
Required value
- spec.allowedGroups
  array of strings
  A list of groups whose members are allowed to connect to the client.
  
  By default, all groups can connect.
  
  Default: All groups are allowed.
- spec.applications
  array of objects
  Required value
  A list of applications for which user authentication is required.
  - spec.applications.domain
    string
    Required value
    An application domain (for Ingress resources) from which the user request will be redirected for authentication in Dex.
    
    Warning. Must be specified without HTTP scheme.
    
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  - spec.applications.ingressClassName
    string
    Required value
    The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).
    
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  - spec.applications.ingressSecretName
    string
    The name of the Secret containing the TLS certificate for the application domain (is used in the Ingress resource). The Secret must be located in the same namespace as the DexAuthenticator.
    
    Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$
  - spec.applications.signOutURL
    string
    The URL of the application from which requests will be redirected to the sign-out URL of the dex-authenticator.
    
    It is used in the application to direct logout requests. A separate Ingress resource will be created for the specified URL, and requests to it will be redirected to dex-authenticator.
  - spec.applications.whitelistSourceRanges
    array of strings
    CIDRs that are allowed to authenticate. Authentication is allowed without IP address restrictions, if not specified.
    
    Example:
    whitelistSourceRanges: - 192.168.42.0/24
    - Element of the array
      string
      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
- spec.keepUsersLoggedInFor
  string
  User session will be kept for specified amount of time even if user will not log in.
  
  Specified with s, m or h suffix.
  
  Default: "168h"
- spec.nodeSelector
  object
  If specified, the dex-authenticator pods nodeSelector.
  
  Format: the standard nodeSelector list. Instance pods inherit this field as is.
- spec.sendAuthorizationHeader
  boolean
  Request to application will be sent with Authorization: Bearer header when the option is switched to true.
- spec.tolerations
  array of objects
  If specified the dex-authenticator pods tolerations.
  
  Format: the standard toleration list. Instance pods inherit this field as is.
  - spec.tolerations.effect
    string
    Defines the taint’s effect this toleration is associated with (it matches any effect if empty).
    
    Allowed values: NoSchedule, PreferNoSchedule, NoExecute
  - spec.tolerations.key
    string
    Defines the taint’s key this toleration is associated with (it matches any key if empty).
    
    If the key is omitted (emplty), then operator must be set to Exists (which means it matches any value and key).
  - spec.tolerations.operator
    string
    Defines how the key and its value are linked — whether the key must be Equal to the value or can have any value.
    
    Setting it to Exists is equivalent to the value having any value so that the pod with the specified toleration can match the corresponding taint.
    
    Default: "Equal"
    Allowed values: Exists, Equal
  - spec.tolerations.tolerationSeconds
    integer
    Specifies the period (in seconds) that the scheduler waits before evicting a Pod from a node if the toleration no longer matches the taint (only applicable to the NoExecute effect, otherwise ignored).
    
    If the parameter is not set, the Pod will not be evicted from the node if the toleration no longer matches the taint. If the parameter is set to zero (or negative), the Pod will be evicted immediately if the toleration no longer matches the taint.
    
    The default is: not set.
  - spec.tolerations.value
    string
    The value that the toleration must match.
    
    Must be empty if the operator parameter is set to Exists.

Deprecated resource. Support for the resource might be removed in a later release.

After the DexAuthenticator object appears in the namespace, the following objects will be created:

Deployment containing OAuth2-Proxy and Redis containers;
Service, pointing to OAuth2-Proxy;
Ingress resource, configured to receive requests on https://<applicationDomain>/dex-authenticator and send it to a service side;
Secrets, needed to access Dex.

Warning. After restarting a pod with an OAuth2-Proxy, the current Access Token and ID Token will be queried (using the refresh token) and stored in a Redis memory.

Example:

apiVersion: deckhouse.io/v1
kind: DexAuthenticator
metadata:
  name: app-name
  namespace: app-namespace
spec:
  applicationDomain: app-name.kube.my-domain.com
  sendAuthorizationHeader: false
  applicationIngressCertificateSecretName: ingress-tls
  applicationIngressClassName: nginx
  keepUsersLoggedInFor: 720h
  allowedGroups:
  - everyone
  - admins
  whitelistSourceRanges:
  - 1.1.1.1/32
  - 192.168.0.0/24
  additionalApplications:
  - domain: additional-app-name.kube.my-domain.com
    ingressSecretName: ingress-tls
    ingressClassName: nginx
    signOutURL: "/logout"
    whitelistSourceRanges:
    - 2.2.2.2/32

spec
object
Required value
- spec.additionalApplications
  array of objects
  A list of additional applications for which user authentication is required.
  - spec.additionalApplications.domain
    string
    Required value
    An application domain from which the user request will be redirected for authentication in Dex.
    
    Warning. Must be specified without HTTP scheme.
    
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  - spec.additionalApplications.ingressClassName
    string
    Required value
    The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).
    
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  - spec.additionalApplications.ingressSecretName
    string
    The name of the Secret containing the TLS certificate (from the domain) used in the applications Ingress resource. The Secret must be in the same namespace as DexAuthenticator.
    
    Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$
  - spec.additionalApplications.signOutURL
    string
    The URL of the application from which requests will be redirected to the sign-out URL of the dex-authenticator.
    
    It is used in the application to direct logout requests. A separate Ingress resource will be created for the specified URL, and requests to it will be redirected to dex-authenticator.
  - spec.additionalApplications.whitelistSourceRanges
    array of strings
    CIDRs that are allowed to authenticate. Authentication is allowed without IP address restrictions, If not specified.
    
    Example:
    whitelistSourceRanges: - 192.168.42.0/24
    - Element of the array
      string
      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
- spec.allowedGroups
  array of strings
  A list of groups whose members are allowed to connect to the client.
  
  By default, all groups can connect.
  
  Default: All groups are allowed.
- spec.applicationDomain
  string
  Required value
  An address for the application (DNS domain for Ingress resource) from which the user request will be redirected for authentication in Dex.
  
  Warning. Must be specified without HTTP scheme.
  
  Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  Example:
  applicationDomain: my-app.domain.com
- spec.applicationIngressCertificateSecretName
  string
  The name of the Secret containing the TLS certificate for the application domain (is used in the Ingress resource). The Secret must be located in the same namespace as the DexAuthenticator.
  
  Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$
  Example:
  applicationIngressCertificateSecretName: ingress-tls
- spec.applicationIngressClassName
  string
  Required value
  The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).
  
  Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  Example:
  applicationIngressClassName: nginx
- spec.keepUsersLoggedInFor
  string
  User session will be kept for specified amount of time even if user will not log in. Specified with s, m or h suffix.
  
  Default: "168h"
  Example:
  keepUsersLoggedInFor: 24h
- spec.nodeSelector
  object
  If specified, the dex-authenticator pods nodeSelector.
  
  Format: the standard nodeSelector list. Instance pods inherit this field as is.
- spec.sendAuthorizationHeader
  boolean
  Request to application will be sent with Authorization: Bearer header when the option is switched to true.
- spec.signOutURL
  string
  The URL of the application from which requests will be redirected to the sign-out URL of the dex-authenticator.
  
  It is used in the application to direct logout requests. A separate Ingress resource will be created for the specified URL, and requests to it will be redirected to dex-authenticator.
- spec.tolerations
  array of objects
  If specified the dex-authenticator pods tolerations.
  
  Format: the standard toleration list. Instance pods inherit this field as is.
  - spec.tolerations.effect
    string
    Defines the taint’s effect this toleration is associated with (it matches any effect if empty).
    
    Allowed values: NoSchedule, PreferNoSchedule, NoExecute
  - spec.tolerations.key
    string
    Defines the taint’s key this toleration is associated with (it matches any key if empty).
    
    If the key is omitted (emplty), then operator must be set to Exists (which means it matches any value and key).
  - spec.tolerations.operator
    string
    Defines how the key and its value are linked — whether the key must be Equal to the value or can have any value.
    
    Setting it to Exists is equivalent to the value having any value so that the pod with the specified toleration can match the corresponding taint.
    
    Default: "Equal"
    Allowed values: Exists, Equal
  - spec.tolerations.tolerationSeconds
    integer
    Specifies the period (in seconds) that the scheduler waits before evicting a Pod from a node if the toleration no longer matches the taint (only applicable to the NoExecute effect, otherwise ignored).
    
    If the parameter is not set, the Pod will not be evicted from the node if the toleration no longer matches the taint. If the parameter is set to zero (or negative), the Pod will be evicted immediately if the toleration no longer matches the taint.
    
    The default is: not set.
  - spec.tolerations.value
    string
    The value that the toleration must match.
    
    Must be empty if the operator parameter is set to Exists.
- spec.whitelistSourceRanges
  array of strings
  CIDRs that are allowed to authenticate. Authentication is allowed without IP address restrictions, If not specified.
  
  Example:
  whitelistSourceRanges: - 192.168.42.0/24
  - Element of the array
    string
    Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

DexClient

Scope: Namespaced

v1 v1alpha1

Allows applications that support DC authentication to interact with Dex.

After the DexClient object appears in the cluster:

Dex will register a client with a dex-client-<NAME>@<NAMESPACE> clientID, where <NAME> and <NAMESPACE> are metadata.name and metadata.namespace of the DexClient object, respectively.
A dex-client-<NAME> Secret containing the client access password (clientSecret) will be created in the corresponding namespace (where <NAME> is metadata.name of the DexClient object).

Usage example…

spec
object
Required value
- spec.allowedGroups
  array of strings
  A list of groups whose members are allowed to connect to the client; By default, all groups can connect.
- spec.redirectURIs
  array of strings
  Array or urls that Dex can redirect to after successful authentication.
- spec.trustedPeers
  array of strings
  OAuth2 client IDs that allowed cross authentication with the current client.
  
  Details…

Deprecated resource. Support for the resource might be removed in a later release.

Allows applications that support DC authentication to interact with Dex.

After the DexClient object appears in the cluster:

Dex will register a client with a dex-client-<NAME>@<NAMESPACE> clientID, where <NAME> and <NAMESPACE> are metadata.name and metadata.namespace of the DexClient object, respectively.
A dex-client-<NAME> Secret containing the client access password (clientSecret) will be created in the corresponding namespace (where <NAME> is metadata.name of the DexClient object).

Usage example…

spec
object
Required value
- spec.allowedGroups
  array of strings
  A list of groups whose members are allowed to connect to the client; By default, all groups can connect.
- spec.redirectURIs
  array of strings
  Array or urls that Dex can redirect to after successful authentication.
- spec.trustedPeers
  array of strings
  OAuth2 client IDs that allowed cross authentication with the current client.
  
  Details…

DexProvider

Scope: Cluster

v1 v1alpha1

Defines the configuration for connecting a third-party provider.

With it, you can flexibly configure the integration of the account directory with Kubernetes.

Usage example…

spec
object
Required value
- spec.bitbucketCloud
  object
  Parameters of the Bitbucket Cloud (intended for the type: BitbucketCloud).
  - spec.bitbucketCloud.clientID
    string
    Required value
    Team application ID from BitbucketCloud (Key).
  - spec.bitbucketCloud.clientSecret
    string
    Required value
    Team application secret key from BitbucketCloud.
  - spec.bitbucketCloud.includeTeamGroups
    boolean
    Optional parameter to include team groups.
    
    If enabled, the groups claim of Dex id_token will looks like this:
    
    ["my_team", "my_team/administrators", "my_team/members"]
    Default: false
  - spec.bitbucketCloud.teams
    array of strings
    A list of allowed Bitbucket Cloud teams (filter).
    
    The user token will contain a set intersection of Bitbucket Cloud teams and teams from this list. If the set is empty, the authorization will be considered unsuccessful.
    
    The user token will contain the user teams in the groups claim (similar to other providers).
- spec.crowd
  object
  Parameters of the Crowd (intended for the type: Crowd).
  - spec.crowd.baseURL
    string
    Required value
    Base part of Attlassian Crowd URL.
    
    Example:
    baseURL: https://crowd.example.com/crowd
  - spec.crowd.clientID
    string
    Required value
    Application ID from Atlassian Crowd (Application Name).
  - spec.crowd.clientSecret
    string
    Required value
    Application secret key from Atlassian Crowd (Password).
  - spec.crowd.enableBasicAuth
    boolean
    Enables basic authorization for the Kubernetes API server.
    
    The username and password of the user from the application created in Crowd are used as credentials for basic authorization (you can enable it only if there is just one provider of the OIDC/Crowd type). Works only if the publishAPI is enabled.
    
    Authorization and group data obtained from an IdP are stored in the cache for 10 seconds.
  - spec.crowd.groups
    array of strings
    A list of allowed Crowd groups (filter).
    
    The user token will contain a set intersection of Crowd groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.
    
    The user token will contain all Crowd groups if the parameter is not set.
  - spec.crowd.usernamePrompt
    string
    Prompt for username field.
    
    Default: "Crowd username"
- spec.displayName
  string
  Required value
  The provider name to show on the authentication provider selection page. The selection page will not be displayed if there is only one provider configured.
- spec.github
  object
  Parameters of the GitHub provider (intended for the type: Github case only).
  - spec.github.clientID
    string
    Required value
    Organization application ID from GitHub.
  - spec.github.clientSecret
    string
    Required value
    Organization application secret key from GitHub.
  - spec.github.orgs
    array of objects
    Filter for user organizations. ID token will contain only organizations from this list. If the user is not in any organization from this list, an authorization will fail.
    
    By default, all organizations allowed.
    - spec.github.orgs.name
      string
      Required value
      Name of organization.
    - spec.github.orgs.teams
      array of strings
      A list of allowed GitHub teams (filter).
      
      The user token will contain a set intersection of teams from GitHub and teams from this list. If the set is empty, the authorization will be considered unsuccessful.
      
      The user token will contain all GitHub teams if the parameter is not set.
  - spec.github.teamNameField
    string
    As an example, group claims for member of ‘Site Reliability Engineers’ in Acme organization would yield:
    
    [‘acme:Site Reliability Engineers’] for ‘Name’
    
    [‘acme:site-reliability-engineers’] for ‘Slug’
    
    [‘acme:Site Reliability Engineers’, ‘acme:site-reliability-engineers’] for ‘Both’
    
    ‘name’ will be used by default.
    Default: "Name"
    Allowed values: Name, Slug, Both
  - spec.github.useLoginAsID
    boolean
    Flag which will switch from using the internal GitHub id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
    
    Equals to false by default.
- spec.gitlab
  object
  Parameters of the GitLab provider (intended for the type: Gitlab case only).
  - spec.gitlab.baseURL
    string
    Base part of GitLab URL.
    
    Example:
    baseURL: https://gitlab.example.com
  - spec.gitlab.clientID
    string
    Required value
    Application ID from GitLab.
  - spec.gitlab.clientSecret
    string
    Required value
    Application secret key from GitLab.
  - spec.gitlab.groups
    array of strings
    A list (filter) of allowed GitLab groups (group paths and not names).
    
    The user token will contain a set intersection of GitLab groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.
    
    The user token will contain all GitLab groups if the parameter is not set;
  - spec.gitlab.useLoginAsID
    boolean
    Flag to switch from using the internal GitLab id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
    
    Equals to false by default.
- spec.ldap
  object
  Parameters of the LDAP.
  - spec.ldap.bindDN
    string
    The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
    
    Example:
    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
  - spec.ldap.bindPW
    string
    Password for read-only service account. Please note that if the bind password contains a $, it has to be saved in an environment variable which should be given as the value to bindPW.
    
    Example:
    bindPW: password
  - spec.ldap.groupSearch
    object
    Group search queries for groups given a user entry. Details
    - spec.ldap.groupSearch.baseDN
      string
      Required value
      BaseDN to start the search from.
      
      Example:
      baseDN: cn=users,dc=example,dc=com
    - spec.ldap.groupSearch.filter
      string
      Optional filter to apply when searching the directory.
      
      Example:
      filter: "(objectClass=person)"
    - spec.ldap.groupSearch.nameAttr
      string
      Required value
      Represents group name.
      
      Example:
      nameAttr: name
    - spec.ldap.groupSearch.userMatchers
      array of objects
      Required value
      Following list contains field pairs that are used to match a user to a group. It adds a requirement to the filter that an attribute in the group must match the user’s attribute value.
      - spec.ldap.groupSearch.userMatchers.groupAttr
        string
        Required value
        The name of the attribute that stores the group member names.
        
        Example:
        groupAttr: member
      - spec.ldap.groupSearch.userMatchers.userAttr
        string
        Required value
        The name of the attribute that stores the user name.
        
        Example:
        userAttr: uid
  - spec.ldap.host
    string
    Required value
    Host and optional port of the LDAP server in the form “host:port”. If the port is not supplied, it will be guessed based on “insecureNoSSL”, and “startTLS” flags. 389 for insecure or StartTLS connections, 636 otherwise.
    
    Example:
    host: ldap.example.com:636
  - spec.ldap.insecureNoSSL
    boolean
    Following field is required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as Dex. Equals to false by default.
    
    Default: false
  - spec.ldap.insecureSkipVerify
    boolean
    If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
    
    Default: false
  - spec.ldap.rootCAData
    string
    A CA chain to validate the provider in PEM format.
    
    Example:
    rootCAData: | -----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
  - spec.ldap.startTLS
    boolean
    When connecting to the server, connect using the ldap:// protocol then issue a StartTLS command. If unspecified, connections will use the ldaps:// protocol
    
    Default: false
  - spec.ldap.userSearch
    object
    Required value
    User search maps a username and password entered by a user to a LDAP entry. Details…
    - spec.ldap.userSearch.baseDN
      string
      Required value
      BaseDN to start the search from.
      
      Example:
      baseDN: cn=users,dc=example,dc=com
    - spec.ldap.userSearch.emailAttr
      string
      Required value
      LDAP attribute that will be matched to Dex user email entry. When an email address is not available, use another value unique to the user, like uid.
      
      Example:
      emailAttr: mail
    - spec.ldap.userSearch.filter
      string
      Optional filter to apply when searching the directory.
      
      Example:
      filter: "(objectClass=person)"
    - spec.ldap.userSearch.idAttr
      string
      Required value
      LDAP attribute that will be matched to Dex user id entry.
      
      Example:
      idAttr: uid
    - spec.ldap.userSearch.nameAttr
      string
      LDAP attribute that will be matched to Dex user name entry. No default value provided.
      
      Example:
      nameAttr: name
    - spec.ldap.userSearch.username
      string
      Required value
      Username attribute used for comparing user entries. This will be translated and combined with the other filter as “(=)".
      
      Example:
      username: uid
  - spec.ldap.usernamePrompt
    string
    The attribute to display in the provided password prompt. If unset, will display “LDAP Username”.
    
    Default: "LDAP username"
    Example:
    usernamePrompt: SSO Username
- spec.oidc
  object
  Parameters of the OIDC (intended for the type: OIDC).
  - spec.oidc.basicAuthUnsupported
    boolean
    Use POST requests to interact with the provider instead of including the token in the Basic Authorization header. Generally, Dex automatically determines the type of request to make, while in some cases enabling this parameter can help.
    
    Default: false
  - spec.oidc.claimMapping
    object
    Some providers return non-standard claims (eg. mail). Claim mappings are hints for Dex how to map claims to standard OIDC claims.
    
    Dex can only map a non-standard claim to a standard one if it’s not included in the id_token returned by OIDC provider.
    - spec.oidc.claimMapping.email
      string
      The claim to use as the user email.
      
      Default: "email"
    - spec.oidc.claimMapping.groups
      string
      The claim to use as the user groups.
      
      Default: "groups"
    - spec.oidc.claimMapping.preferred_username
      string
      The claim to use as the user preferred username.
      
      Default: "preferred_username"
  - spec.oidc.claimMappingOverride
    boolean
    If enabled, the claim mapping will override the standard OIDC claims.
    
    By default, the claim mapping will be used only if the standard OIDC claims are not present, e.g., if there is no email claim in the id_token, the claimMapping.email will be used.
    
    Default: false
  - spec.oidc.clientID
    string
    Required value
    OIDC issuer application ID.
  - spec.oidc.clientSecret
    string
    Required value
    OIDC issuer application secret key.
  - spec.oidc.enableBasicAuth
    boolean
    Enables basic authorization for the Kubernetes API server.
    
    The username and password of the user from the application created in OIDC are used as credentials for basic authorization (you can enable it only if there is just one provider of the OIDC/Crowd type). Works only if the publishAPI parameter is enabled.
    
    Authorization and group data obtained from an IdP are stored in the cache for 10 seconds.
  - spec.oidc.getUserInfo
    boolean
    Request additional info about the authenticated user.
    
    Learn more here…
    
    Default: false
  - spec.oidc.insecureSkipEmailVerified
    boolean
    Allow authentication for clients without verified email address.
    
    Default: false
  - spec.oidc.insecureSkipVerify
    boolean
    If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
    
    Default: false
  - spec.oidc.issuer
    string
    Required value
    Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.
    
    Example:
    issuer: https://accounts.google.com
  - spec.oidc.promptType
    string
    Determines if the Issuer should ask for confirmation and provide hints during the authentication process.
    
    By default, the confirmation will be requested on the first authentication. Possible values may vary depending on the Issuer.
    
    Default: "consent"
  - spec.oidc.rootCAData
    string
    A CA chain to validate the provider in PEM format.
    
    Example:
    rootCAData: | -----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
  - spec.oidc.scopes
    array of strings
    List of additional scopes to request in token response.
    
    Default: ["openid","profile","email","groups","offline_access"]
  - spec.oidc.userIDKey
    string
    The claim to use as the user id.
    
    Default: "sub"
  - spec.oidc.userNameKey
    string
    The claim to use as the user name.
    
    Default: "name"
- spec.type
  string
  Required value
  Type of authentication provider.
  
  Allowed values: Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP

Deprecated resource. Support for the resource might be removed in a later release.

Defines the configuration for connecting a third-party provider.

With it, you can flexibly configure the integration of the account directory with Kubernetes.

Usage example…

spec
object
Required value
- spec.bitbucketCloud
  object
  Parameters of the Bitbucket Cloud (intended for the type: BitbucketCloud).
  - spec.bitbucketCloud.clientID
    string
    Required value
    Team application ID from BitbucketCloud (Key).
  - spec.bitbucketCloud.clientSecret
    string
    Required value
    Team application secret key from BitbucketCloud.
  - spec.bitbucketCloud.includeTeamGroups
    boolean
    Optional parameter to include team groups.
    
    If enabled, the groups claim of Dex id_token will looks like this:
    
    ["my_team", "my_team/administrators", "my_team/members"]
    Default: false
  - spec.bitbucketCloud.teams
    array of strings
    A list of allowed Bitbucket Cloud teams (filter).
    
    The user token will contain a set intersection of Bitbucket Cloud teams and teams from this list. If the set is empty, the authorization will be considered unsuccessful.
    
    The user token will contain the user teams in the groups claim (similar to other providers).
- spec.crowd
  object
  Parameters of the Crowd (intended for the type: Crowd).
  - spec.crowd.baseURL
    string
    Required value
    Base part of Attlassian Crowd URL.
    
    Example:
    baseURL: https://crowd.example.com/crowd
  - spec.crowd.clientID
    string
    Required value
    Application ID from Atlassian Crowd (Application Name).
  - spec.crowd.clientSecret
    string
    Required value
    Application secret key from Atlassian Crowd (Password).
  - spec.crowd.enableBasicAuth
    boolean
    Enables basic authorization for the Kubernetes API server.
    
    The username and password of the user from the application created in Crowd are used as credentials for basic authorization (you can enable it only if there is just one provider of the OIDC/Crowd type). Works only if the publishAPI is enabled.
    
    Authorization and group data obtained from an IdP are stored in the cache for 10 seconds.
  - spec.crowd.groups
    array of strings
    A list of allowed Crowd groups (filter).
    
    The user token will contain a set intersection of Crowd groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.
    
    The user token will contain all Crowd groups if the parameter is not set.
  - spec.crowd.usernamePrompt
    string
    Prompt for username field.
    
    Default: "Crowd username"
- spec.displayName
  string
  Required value
  The provider name to show on the authentication provider selection page. The selection page will not be displayed if there is only one provider configured.
- spec.github
  object
  Parameters of the GitHub provider (intended for the type: Github case only).
  - spec.github.clientID
    string
    Required value
    Organization application ID from GitHub.
  - spec.github.clientSecret
    string
    Required value
    Organization application secret key from GitHub.
  - spec.github.orgs
    array of objects
    Filter for user organizations. ID token will contain only organizations from this list. If the user is not in any organization from this list, an authorization will fail.
    
    By default, all organizations allowed.
    - spec.github.orgs.name
      string
      Required value
      Name of organization.
    - spec.github.orgs.teams
      array of strings
      A list of allowed GitHub teams (filter).
      
      The user token will contain a set intersection of teams from GitHub and teams from this list. If the set is empty, the authorization will be considered unsuccessful.
      
      The user token will contain all GitHub teams if the parameter is not set.
  - spec.github.teamNameField
    string
    As an example, group claims for member of ‘Site Reliability Engineers’ in Acme organization would yield:
    
    [‘acme:Site Reliability Engineers’] for ‘name’
    
    [‘acme:site-reliability-engineers’] for ‘slug’
    
    [‘acme:Site Reliability Engineers’, ‘acme:site-reliability-engineers’] for ‘both’
    
    ‘name’ will be used by default.
    Default: "name"
    Allowed values: name, slug, both
  - spec.github.useLoginAsID
    boolean
    Flag which will switch from using the internal GitHub id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
    
    Equals to false by default.
- spec.gitlab
  object
  Parameters of the GitLab provider (intended for the type: Gitlab case only).
  - spec.gitlab.baseURL
    string
    Base part of GitLab URL.
    
    Example:
    baseURL: https://gitlab.example.com
  - spec.gitlab.clientID
    string
    Required value
    Application ID from GitLab.
  - spec.gitlab.clientSecret
    string
    Required value
    Application secret key from GitLab.
  - spec.gitlab.groups
    array of strings
    A list (filter) of allowed GitLab groups (group paths and not names).
    
    The user token will contain a set intersection of GitLab groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.
    
    The user token will contain all GitLab groups if the parameter is not set;
  - spec.gitlab.useLoginAsID
    boolean
    Flag to switch from using the internal GitLab id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
    
    Equals to false by default.
- spec.ldap
  object
  Parameters of the LDAP.
  - spec.ldap.bindDN
    string
    The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
    
    Example:
    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
  - spec.ldap.bindPW
    string
    Password for read-only service account. Please note that if the bind password contains a $, it has to be saved in an environment variable which should be given as the value to bindPW.
    
    Example:
    bindPW: password
  - spec.ldap.groupSearch
    object
    Group search queries for groups given a user entry. Details
    - spec.ldap.groupSearch.baseDN
      string
      Required value
      BaseDN to start the search from.
      
      Example:
      baseDN: cn=users,dc=example,dc=com
    - spec.ldap.groupSearch.filter
      string
      Optional filter to apply when searching the directory.
      
      Example:
      filter: "(objectClass=person)"
    - spec.ldap.groupSearch.nameAttr
      string
      Required value
      Represents group name.
      
      Example:
      nameAttr: name
    - spec.ldap.groupSearch.userMatchers
      array of objects
      Required value
      Following list contains field pairs that are used to match a user to a group. It adds a requirement to the filter that an attribute in the group must match the user’s attribute value.
      - spec.ldap.groupSearch.userMatchers.groupAttr
        string
        Required value
        The name of the attribute that stores the group member names.
        
        Example:
        groupAttr: member
      - spec.ldap.groupSearch.userMatchers.userAttr
        string
        Required value
        The name of the attribute that stores the user name.
        
        Example:
        userAttr: uid
  - spec.ldap.host
    string
    Required value
    Host and optional port of the LDAP server in the form “host:port”. If the port is not supplied, it will be guessed based on “insecureNoSSL”, and “startTLS” flags. 389 for insecure or StartTLS connections, 636 otherwise.
    
    Example:
    host: ldap.example.com:636
  - spec.ldap.insecureNoSSL
    boolean
    Following field is required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as Dex. Equals to false by default.
    
    Default: false
  - spec.ldap.insecureSkipVerify
    boolean
    If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
    
    Default: false
  - spec.ldap.rootCAData
    string
    A CA chain to validate the provider in PEM format.
    
    Example:
    rootCAData: | -----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
  - spec.ldap.startTLS
    boolean
    When connecting to the server, connect using the ldap:// protocol then issue a StartTLS command. If unspecified, connections will use the ldaps:// protocol
    
    Default: false
  - spec.ldap.userSearch
    object
    Required value
    User search maps a username and password entered by a user to a LDAP entry. Details…
    - spec.ldap.userSearch.baseDN
      string
      Required value
      BaseDN to start the search from.
      
      Example:
      baseDN: cn=users,dc=example,dc=com
    - spec.ldap.userSearch.emailAttr
      string
      Required value
      LDAP attribute that will be matched to Dex user email entry. When an email address is not available, use another value unique to the user, like uid.
      
      Example:
      emailAttr: mail
    - spec.ldap.userSearch.filter
      string
      Optional filter to apply when searching the directory.
      
      Example:
      filter: "(objectClass=person)"
    - spec.ldap.userSearch.idAttr
      string
      Required value
      LDAP attribute that will be matched to Dex user id entry.
      
      Example:
      idAttr: uid
    - spec.ldap.userSearch.nameAttr
      string
      LDAP attribute that will be matched to Dex user name entry. No default value provided.
      
      Example:
      nameAttr: name
    - spec.ldap.userSearch.username
      string
      Required value
      Username attribute used for comparing user entries. This will be translated and combined with the other filter as “(=)".
      
      Example:
      username: uid
  - spec.ldap.usernamePrompt
    string
    The attribute to display in the provided password prompt. If unset, will display “LDAP Username”.
    
    Default: "LDAP username"
    Example:
    usernamePrompt: SSO Username
- spec.oidc
  object
  Parameters of the OIDC (intended for the type: OIDC).
  - spec.oidc.basicAuthUnsupported
    boolean
    Use POST requests to interact with the provider instead of including the token in the Basic Authorization header. Generally, Dex automatically determines the type of request to make, while in some cases enabling this parameter can help.
    
    Default: false
  - spec.oidc.claimMapping
    object
    Some providers return non-standard claims (eg. mail). Claim mappings are hints for Dex how to map claims to standard OIDC claims.
    
    Dex can only map a non-standard claim to a standard one if it’s not included in the id_token returned by OIDC provider.
    - spec.oidc.claimMapping.email
      string
      The claim to use as the user email.
      
      Default: "email"
    - spec.oidc.claimMapping.groups
      string
      The claim to use as the user groups.
      
      Default: "groups"
    - spec.oidc.claimMapping.preferred_username
      string
      The claim to use as the user preferred username.
      
      Default: "preferred_username"
  - spec.oidc.claimMappingOverride
    boolean
    If enabled, the claim mapping will override the standard OIDC claims.
    
    By default, the claim mapping will be used only if the standard OIDC claims are not present, e.g., if there is no email claim in the id_token, the claimMapping.email will be used.
    
    Default: false
  - spec.oidc.clientID
    string
    Required value
    OIDC issuer application ID.
  - spec.oidc.clientSecret
    string
    Required value
    OIDC issuer application secret key.
  - spec.oidc.enableBasicAuth
    boolean
    Enables basic authorization for the Kubernetes API server.
    
    The username and password of the user from the application created in OIDC are used as credentials for basic authorization (you can enable it only if there is just one provider of the OIDC/Crowd type). Works only if the publishAPI parameter is enabled.
    
    Authorization and group data obtained from an IdP are stored in the cache for 10 seconds.
  - spec.oidc.getUserInfo
    boolean
    Request additional info about the authenticated user.
    
    Learn more here…
    
    Default: false
  - spec.oidc.insecureSkipEmailVerified
    boolean
    Allow authentication for clients without verified email address.
    
    Default: false
  - spec.oidc.insecureSkipVerify
    boolean
    If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
    
    Default: false
  - spec.oidc.issuer
    string
    Required value
    Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.
    
    Example:
    issuer: https://accounts.google.com
  - spec.oidc.promptType
    string
    Determines if the Issuer should ask for confirmation and provide hints during the authentication process.
    
    By default, the confirmation will be requested on the first authentication. Possible values may vary depending on the Issuer.
    
    Default: "consent"
  - spec.oidc.rootCAData
    string
    A CA chain to validate the provider in PEM format.
    
    Example:
    rootCAData: | -----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
  - spec.oidc.scopes
    array of strings
    List of additional scopes to request in token response.
    
    Default: ["openid","profile","email","groups","offline_access"]
  - spec.oidc.userIDKey
    string
    The claim to use as the user id.
    
    Default: "sub"
  - spec.oidc.userNameKey
    string
    The claim to use as the user name.
    
    Default: "name"
- spec.type
  string
  Required value
  Type of authentication provider.
  
  Allowed values: Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP

Group

Scope: Cluster
Version: v1alpha1

Contains information about a user group.

spec
object
Required value
- spec.members
  array of objects
  Required value
  List of group members.
  - spec.members.kind
    string
    Required value
    Type of a group member.
    
    Allowed values: User, Group
  - spec.members.name
    string
    Required value
    User or group name.
- spec.name
  string
  Required value
  Unique group name.
- spec.status
  object
  - spec.status.errors
    array of objects
    - spec.status.errors.message
      string
    - spec.status.errors.objectRef
      object
      - spec.status.errors.objectRef.kind
        string
        Allowed values: User, Group
      - spec.status.errors.objectRef.name
        string

User

Scope: Cluster

v1 v1alpha1

Contains information about the static user.

Usage example…

spec
object
Required value
- spec.email
  string
  Required value
  User email.
  
  Caution! Note that if used together with the user-authz module, you must specify an email to grant rights to the specific user as the user name in the ClusterAuthorizationRule CR.
  
  Example:
  email: user@domain.com
- spec.groups
  Deprecated
  array of strings
  Static user groups.
  
  Since the parameter has been deprecated, use the Group resource to add users to groups.
- spec.password
  string
  Required value
  User password hash in plaintext or Base64 encoded.
  
  Use the following command to encode the password hash in Base64: echo "<PASSWORD>" | htpasswd -BinC 10 "" | cut -d: -f2 | base64 -w0. Alternatively, you can use an online service (such as https://bcrypt-generator.com/).
  
  Example:
  password: JDJ5JDEwJE9HN1lOOUhnOXU5NmY2cGp4R3NIcS56NWQuOVQxQ0VrdWIud3BRdVJ5Sy5QQU5INlpKNDguCgo=
- spec.ttl
  string
  Static user TTL.
  
  It is specified as a string containing the time unit in hours and minutes: 30m, 1h, 2h30m, 24h.
  
  You can only set the TTL once. The expireAt date will not be updated if you change it again.
  
  Pattern: ^([0-9]+h([0-9]+m)?|[0-9]+m)$
  Example:
  ttl: 24h
- spec.userID
  Deprecated
  string
  Unique issuer user ID. It equals to .metadata.name.
  
  Deprecated and shouldn’t be set manually.

Deprecated resource. Support for the resource might be removed in a later release.

Contains information about the static user.

Usage example…

spec
object
Required value
- spec.email
  string
  Required value
  User email.
  
  Caution! Note that if used together with the user-authz module, you must specify an email to grant rights to the specific user as the user name in the ClusterAuthorizationRule CR.
  
  Example:
  email: user@domain.com
- spec.groups
  Deprecated
  array of strings
  Static user groups.
  
  Since the parameter has been deprecated, use the Group resource to add users to groups.
- spec.password
  string
  Required value
  User password hash in plaintext or Base64 encoded.
  
  Use the following command to encode the password hash in Base64: echo "<PASSWORD>" | htpasswd -BinC 10 "" | cut -d: -f2 | base64 -w0. Alternatively, you can use an online service (such as https://bcrypt-generator.com/).
  
  Example:
  password: JDJ5JDEwJE9HN1lOOUhnOXU5NmY2cGp4R3NIcS56NWQuOVQxQ0VrdWIud3BRdVJ5Sy5QQU5INlpKNDguCgo=
- spec.ttl
  string
  Static user TTL.
  
  It is specified as a string containing the time unit in hours and minutes: 30m, 1h, 2h30m, 24h.
  
  You can only set the TTL once. The expireAt date will not be updated if you change it again.
  
  Pattern: ^([0-9]+h([0-9]+m)?|[0-9]+m)$
  Example:
  ttl: 24h
- spec.userID
  string
  Unique issuer user ID. It equals to .metadata.name by default.
  
  Example:
  userID: '08a8684b-db88-4b73-90a9-3cd1661f5466'

The user-authn module: Custom Resources

DexAuthenticator

DexClient

DexProvider

Group

User

Request trial access

Thank you

Error

Request callback

Thank you

Something went wrong

Book your sessions

Thank you

Error

Request demo

Thank you

Error

Get the PCI SSC Compliance Report

Thank you

Error