mirror of
https://github.com/kubeshark/kubeshark.git
synced 2026-07-13 10:29:54 +00:00
auth: drop AUTH_ROLES; add AUTH_GROUP_MAPPING + built-in defaultRole
Companion to kubeshark/hub#permissions-refactoring. Aligns the CLI
config struct, chart values, and rendered ConfigMap with the
post-refactor hub.
config/configStructs/tapConfig.go:
- Drop AuthConfig.Roles (admin-authored map[string]Role) and the
Role + ScriptingPermissions structs they referenced.
- Drop AuthConfig.DefaultFilter (no namespace scoping in v1).
- Add AuthConfig.GroupMapping (map[string]string) — SSO group name
→ built-in role translation.
- Tighten DefaultRole godoc to reference the four built-in role
constants (kubeshark-admin / kubeshark-realtime /
kubeshark-snapshot / kubeshark-viewer) and the strict-deny
semantics on empty.
config/configStruct.go:
- Drop the legacy "admin" entry from the AuthConfig default —
operators now configure DefaultRole + GroupMapping instead.
- Default RolesClaim is now "groups" (Okta/OIDC convention; was
"role"), matching the hub's runtime default.
helm-chart/templates/12-config-map.yaml:
- Drop AUTH_ROLES emission (key no longer read by hub).
- Add AUTH_GROUP_MAPPING emission from tap.auth.groupMapping (JSON
map; hub validates each value against the built-in role names at
sync time).
helm-chart/values.yaml: regenerated from the Go config — drops the
tap.auth.roles block, adds tap.auth.groupMapping with the new
documentation header for DefaultRole.
Breaking change: deployments carrying tap.auth.roles in their values
will silently lose those role definitions. Migration is to remove the
roles: block and either (a) name their SSO groups to match the four
built-in role constants, or (b) populate tap.auth.groupMapping with
explicit translations.
This commit is contained in:
@@ -102,23 +102,8 @@ func CreateDefaultConfig() ConfigStruct {
|
||||
},
|
||||
},
|
||||
Auth: configStructs.AuthConfig{
|
||||
RolesClaim: "role",
|
||||
Roles: map[string]configStructs.Role{
|
||||
"admin": {
|
||||
Filter: "",
|
||||
CanDownloadPCAP: true,
|
||||
CanUseScripting: true,
|
||||
ScriptingPermissions: configStructs.ScriptingPermissions{
|
||||
CanSave: true,
|
||||
CanActivate: true,
|
||||
CanDelete: true,
|
||||
},
|
||||
CanUpdateTargetedPods: true,
|
||||
CanStopTrafficCapturing: true,
|
||||
CanControlDissection: true,
|
||||
ShowAdminConsoleLink: true,
|
||||
},
|
||||
},
|
||||
RolesClaim: "groups",
|
||||
GroupMapping: map[string]string{},
|
||||
},
|
||||
EnabledDissectors: []string{
|
||||
"amqp",
|
||||
|
||||
@@ -155,23 +155,6 @@ type ProbeConfig struct {
|
||||
FailureThreshold int `yaml:"failureThreshold" json:"failureThreshold" default:"3"`
|
||||
}
|
||||
|
||||
type ScriptingPermissions struct {
|
||||
CanSave bool `yaml:"canSave" json:"canSave" default:"true"`
|
||||
CanActivate bool `yaml:"canActivate" json:"canActivate" default:"true"`
|
||||
CanDelete bool `yaml:"canDelete" json:"canDelete" default:"true"`
|
||||
}
|
||||
|
||||
type Role struct {
|
||||
Filter string `yaml:"filter" json:"filter" default:""`
|
||||
CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"`
|
||||
CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"`
|
||||
ScriptingPermissions ScriptingPermissions `yaml:"scriptingPermissions" json:"scriptingPermissions"`
|
||||
CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"`
|
||||
CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"`
|
||||
CanControlDissection bool `yaml:"canControlDissection" json:"canControlDissection" default:"false"`
|
||||
ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"`
|
||||
}
|
||||
|
||||
type SamlConfig struct {
|
||||
IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
|
||||
X509crt string `yaml:"x509crt" json:"x509crt"`
|
||||
@@ -190,12 +173,21 @@ type AuthConfig struct {
|
||||
// NOTE: prior releases routed `oidc` to Descope. If you were using `oidc`
|
||||
// to mean Descope, switch to `descope` (or `default`). The rename is a
|
||||
// breaking change documented in the release notes.
|
||||
Type string `yaml:"type" json:"type" default:"saml"`
|
||||
Roles map[string]Role `yaml:"roles" json:"roles"`
|
||||
RolesClaim string `yaml:"rolesClaim" json:"rolesClaim"`
|
||||
DefaultRole string `yaml:"defaultRole" json:"defaultRole"`
|
||||
DefaultFilter string `yaml:"defaultFilter" json:"defaultFilter"`
|
||||
Saml SamlConfig `yaml:"saml" json:"saml"`
|
||||
Type string `yaml:"type" json:"type" default:"saml"`
|
||||
RolesClaim string `yaml:"rolesClaim" json:"rolesClaim"`
|
||||
// DefaultRole is applied when the authenticated user's SSO claim has no
|
||||
// recognized group. Must be one of the four built-in roles
|
||||
// (kubeshark-admin / kubeshark-realtime / kubeshark-snapshot /
|
||||
// kubeshark-viewer) or empty for strict-deny. See hub plans/
|
||||
// permissions-refactoring.md for the capability matrix per role.
|
||||
DefaultRole string `yaml:"defaultRole" json:"defaultRole"`
|
||||
// GroupMapping translates SSO group names into built-in role names.
|
||||
// Optional — groups whose name already matches a built-in role are
|
||||
// identity-matched and don't need an entry here. Use this map when SSO
|
||||
// groups are named differently from the built-in roles (e.g. an existing
|
||||
// AD group "engineering-leads" that should resolve to kubeshark-admin).
|
||||
GroupMapping map[string]string `yaml:"groupMapping" json:"groupMapping"`
|
||||
Saml SamlConfig `yaml:"saml" json:"saml"`
|
||||
}
|
||||
|
||||
type IngressConfig struct {
|
||||
|
||||
@@ -29,9 +29,9 @@ data:
|
||||
{{ (default false .Values.demoModeEnabled) | ternary "default" .Values.tap.auth.type }}
|
||||
{{- end }}'
|
||||
AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
|
||||
AUTH_ROLES: '{{ .Values.tap.auth.roles | toJson }}'
|
||||
AUTH_ROLES_CLAIM: '{{ .Values.tap.auth.rolesClaim }}'
|
||||
AUTH_DEFAULT_ROLE: '{{ default "" .Values.tap.auth.defaultRole }}'
|
||||
AUTH_GROUP_MAPPING: '{{ default (dict) .Values.tap.auth.groupMapping | toJson }}'
|
||||
AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).oidc).issuer }}'
|
||||
AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).oidc).refreshTokenLifetime }}'
|
||||
AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).oidc).oauth2StateParamExpiry }}'
|
||||
|
||||
@@ -152,40 +152,10 @@ tap:
|
||||
front: []
|
||||
auth:
|
||||
enabled: false
|
||||
# Valid values: saml, oidc (generic OIDC — Dex, Okta, Auth0, Keycloak,
|
||||
# Azure AD, Google, …), dex (permanent alias of oidc), descope, default
|
||||
# (also Descope). Was previously misnamed: prior releases routed `oidc`
|
||||
# to Descope. See release notes for migration.
|
||||
type: saml
|
||||
# Name of the JWT claim (OIDC) or SAML attribute carrying role memberships.
|
||||
rolesClaim: role
|
||||
# Optional: role name inside `roles` applied as a fallback when an
|
||||
# authenticated user has no matching role in their token/assertion.
|
||||
# Empty string means no fallback (authenticated but no elevated permissions).
|
||||
rolesClaim: groups
|
||||
defaultRole: ""
|
||||
# Backend-neutral role map shared by SAML and OIDC. Empty/unset grants
|
||||
# nothing — admins opt into elevated access by populating this map.
|
||||
#
|
||||
# Per-role `namespaces` controls which Kubernetes namespaces the role's
|
||||
# users are allowed to see traffic for. Comma-separated list:
|
||||
# "" — deny all (explicit deny-default for this role).
|
||||
# "*" — allow every namespace (no scope filter applied).
|
||||
# "foo" — only the literal namespace "foo" (src or dst).
|
||||
# "foo,bar" — OR over both literal namespaces.
|
||||
# "foo-*" — glob expansion against the cluster's known namespaces.
|
||||
roles:
|
||||
admin:
|
||||
namespaces: "*"
|
||||
canDownloadPCAP: true
|
||||
canUseScripting: true
|
||||
scriptingPermissions:
|
||||
canSave: true
|
||||
canActivate: true
|
||||
canDelete: true
|
||||
canUpdateTargetedPods: true
|
||||
canStopTrafficCapturing: true
|
||||
canControlDissection: true
|
||||
showAdminConsoleLink: true
|
||||
groupMapping: {}
|
||||
saml:
|
||||
idpMetadataUrl: ""
|
||||
x509crt: ""
|
||||
|
||||
Reference in New Issue
Block a user