Kubernetes: SAML for applications

Tags: kubernetes saml saml-2.0

Is there any recommended guidance document on SAML integration for applications deployed in Kubernetes? My search foo is failing me.

Most of the documentation applies to Kubernetes itself, not to applications. Applications are not aware of Kubernetes RBAC, etc.

Best answer

In the official documentation you can find the following section:

Kubernetes uses client certificates, bearer tokens, or an authenticating proxy to authenticate API requests through authentication plugins. As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request:

  • Username: a string which identifies the end user. Common values might be kube-admin or jane@example.com.
  • UID: a string which identifies the end user and attempts to be more consistent and unique than username.
  • Groups: a set of strings, each of which indicates the user's membership in a named logical collection of users. Common values might be system:masters or devops-team.
  • Extra fields: a map of strings to list of strings which holds additional information authorizers may find useful.

All values are opaque to the authentication system and only hold significance when interpreted by an authorizer.

You can enable multiple authentication methods at once. You should usually use at least two methods:

  • service account tokens for service accounts
  • at least one other method for user authentication.

When multiple authenticator modules are enabled, the first module to successfully authenticate the request short-circuits evaluation. The API server does not guarantee the order authenticators run in.

The system:authenticated group is included in the list of groups for all authenticated users.

Integrations with other authentication protocols (LDAP, SAML, Kerberos, alternate x509 schemes, etc) can be accomplished using an authenticating proxy or the authentication webhook.

As you can see, to add SAML to your configuration you can use an authenticating proxy or the authentication webhook.

If you are searching for an example of how to set up SAML in Kubernetes, you can read this article.

However, in the vast majority of cases SAML will extend (not replace) the RBAC functionality. See also the article How SAML 2.0 Authentication Works?
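The authentication webhook the answer points at works by the API server POSTing a TokenReview object for each bearer token it cannot verify itself, and the webhook replying with the same object plus a filled-in status carrying exactly the attributes quoted above (username, UID, groups, extra). The following is an added example of that webhook's decision logic, not code from the original post or from the Kubernetes project. It assumes a SAML service provider sitting in front of the cluster has already validated the IdP assertion and handed the user an opaque bearer token, and that the session table, token values, usernames, groups, extra keys and audience URL are all constructed sample data.

```python
"""TokenReview webhook logic for kube-apiserver webhook token authentication.

Added example. Assumed deployment: kube-apiserver runs with
--authentication-token-webhook-config-file pointing at this service, and a
SAML SP outside the cluster issued the opaque bearer tokens after validating
the IdP assertion. All identities and tokens below are constructed samples.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional

API_VERSION = "authentication.k8s.io/v1"
KIND = "TokenReview"


def _digest(token: str) -> str:
    """Keep only token digests so a leaked session table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed sample session store: token digest -> identity the SAML SP
# derived from the assertion, in the shape kube-apiserver expects back.
SESSION_STORE: Dict[str, Dict[str, Any]] = {
    _digest("tok-9f3a6c"): {
        "username": "jane@example.com",
        "uid": "saml:idp.example.com:jane@example.com",
        "groups": ["devops-team"],
        # extra is map[string][]string; keys are namespaced by convention
        "extra": {"example.com/saml-session-index": ["_8c1d"]},
        "audiences": ["https://kubernetes.default.svc"],
    },
}


def make_review(token: str, audiences: Optional[List[str]] = None) -> str:
    """Build the JSON body kube-apiserver POSTs (used here to feed the handler)."""
    spec: Dict[str, Any] = {"token": token}
    if audiences is not None:
        spec["audiences"] = audiences
    return json.dumps({"apiVersion": API_VERSION, "kind": KIND, "spec": spec})


def _reject(reason: str) -> Dict[str, Any]:
    """Negative reply: authenticated=false and nothing about the user."""
    return {"apiVersion": API_VERSION, "kind": KIND,
            "status": {"authenticated": False, "error": reason}}


def handle_token_review(body: str) -> Dict[str, Any]:
    """Take the TokenReview JSON from the API server and return the reply."""
    try:
        review = json.loads(body)
    except ValueError:
        return _reject("request body is not JSON")
    if review.get("apiVersion") != API_VERSION or review.get("kind") != KIND:
        return _reject("expected authentication.k8s.io/v1 TokenReview")
    spec = review.get("spec") or {}
    token = spec.get("token")
    if not isinstance(token, str) or not token:
        return _reject("missing spec.token")

    user = SESSION_STORE.get(_digest(token))
    if user is None:
        # Unknown, expired or revoked session: the API server will then try
        # its other authenticators, so say no and leak nothing further.
        return _reject("token not recognised")

    # If the API server names audiences, the token must be valid for at least
    # one of them, and the reply reports which ones matched.
    requested = spec.get("audiences") or []
    matched = [a for a in requested if a in user["audiences"]]
    if requested and not matched:
        return _reject("token not valid for requested audiences")

    status: Dict[str, Any] = {
        "authenticated": True,
        "user": {
            "username": user["username"],
            "uid": user["uid"],
            "groups": user["groups"],
            "extra": user["extra"],
        },
    }
    if matched:
        status["audiences"] = matched
    return {"apiVersion": API_VERSION, "kind": KIND, "status": status}


if __name__ == "__main__":
    print(json.dumps(handle_token_review(make_review("tok-9f3a6c")), indent=2))
```

Two operational caveats follow from the quoted documentation. First, the API server short-circuits on the first successful authenticator and does not guarantee ordering, so a webhook must never answer authenticated=true for a token it does not positively recognise. Second, webhook results are cached for the period given by --authentication-token-webhook-cache-ttl, so revoking a SAML session only takes effect at the API server after that TTL expires; keep it short if you rely on revocation.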

On Kubernetes: SAML for applications, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/70209058/
