Authenticate users to access Kaptain with an identity provider

Prerequisites

In Kaptain, user and group authentication is handled by DKP's Dex instance. Dex acts as the broker: to authenticate with an external identity provider instead, configure DKP's Dex with a connector for the provider of your choice, and Kaptain then relies on the identities and group memberships that Dex issues.

Setup

When Kaptain is installed in the management cluster, the identity provider you configured is already integrated with the DKP Dex instance, so no further steps are required: users can access Kaptain with the credentials defined in your identity provider.

When Kaptain is installed in a managed cluster, ensure the managed cluster can reach the Dex instance in the management cluster, and configure Kaptain to authenticate against the DKP management cluster via Dex.

You can use an identity provider in air-gapped environments as long as the identity provider's server is reachable from the cluster. In that case, ensure the Dex connector points at that server.

Access Kaptain with your Identity provider credentials

By default, every user and group authenticated by your identity provider has access to the dashboard. To restrict access to specific groups, or to add or remove groups later, edit the allow list (oidcGroupsAllowList) in the Configure Service field of the Kaptain application.

  1. Open the log-in page of Kaptain's Kubeflow dashboard.

  2. Select the option to log in with your identity provider.

  3. Enter your identity provider credentials to reach the Kubeflow dashboard for Kaptain.

Limit access to pre-defined groups

Once you restrict access by populating the allow list as shown in the following workflow, only members of the listed groups can log in. The default admin user belongs to none of the identity provider's groups, so it loses access to the Kaptain instance; include a group that your administrators are members of so that they are not locked out. If the admin user still requires access, they can open the DKP UI and revert the changes in the ingress section of the Kaptain configuration to restore access for all users.

  1. Access the DKP UI.

  2. Enterprise only: Select your target workspace from the top menu bar.

  3. Select Applications from the sidebar menu.

  4. Find the Kaptain application card, either by filtering on the name or by scrolling down to it.

  5. Select the three dot menu > Edit in the Kaptain application card.

  6. In the Configure Service field, enter the following values to update the ingress settings. List the groups you want to allow, separated by commas; remove a group from the list to revoke its access:

    ingress:
      oidcGroupsAllowList: <group1>,<group2>

    If the Authentication Service must also accept Kubernetes ServiceAccount tokens (for example, for pipelines or notebooks calling Kaptain from inside the cluster), include the system:serviceaccounts group, which Kubernetes assigns to every ServiceAccount:

    ingress:
      oidcGroupsAllowList: <group1>,<group2>,system:serviceaccounts
  7. Select Save.

Wait a couple of minutes for the values to propagate before you attempt to log in again. After you define the allowed groups, the default Kommander users can no longer access Kaptain with their previous credentials, because those users are not members of any identity provider group.
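Before saving an allow list, it helps to confirm who will still get in. The following pre-flight script is an added example, not Kaptain or DKP code, and it models the behaviour this page describes under a few labelled assumptions: the allow list is the comma-separated string set in ingress.oidcGroupsAllowList; a login is accepted when at least one group the caller carries appears in that list; identity provider users carry their groups in the ID token's `groups` claim (Dex's default claim name); and ServiceAccount tokens count as members of system:serviceaccounts and system:serviceaccounts:<namespace>, the groups Kubernetes assigns to every ServiceAccount. The sample tokens are constructed and unsigned, so the decoder deliberately skips signature verification and must only be used for offline inspection, never for an authorization decision.

```python
"""Pre-flight check for a Kaptain oidcGroupsAllowList change (added example).

Assumptions (not taken from the page): any-match semantics on the allow list,
the `groups` ID-token claim, and the two groups Kubernetes assigns to
ServiceAccounts.
"""
import base64
import json


def parse_allow_list(value: str) -> list[str]:
    """Split 'g1,g2, g3' as typed into the Configure Service field; blanks are dropped."""
    return [g.strip() for g in value.split(",") if g.strip()]


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Offline inspection of a token you already hold only; never authorize on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def caller_groups(token: str) -> list[str]:
    """Groups an identity provider user presents (assumed `groups` claim)."""
    return list(jwt_claims(token).get("groups", []))


def service_account_groups(namespace: str) -> list[str]:
    """Groups Kubernetes assigns to every ServiceAccount in `namespace`."""
    return ["system:serviceaccounts", f"system:serviceaccounts:{namespace}"]


def is_allowed(groups, allow_list) -> bool:
    """Assumed check: at least one of the caller's groups is on the allow list."""
    allowed = set(allow_list)
    return any(g in allowed for g in groups)


def lockout_report(allow_value: str, callers: dict[str, list[str]]) -> dict[str, bool]:
    """Map each caller to whether it would still log in under allow_value."""
    allow_list = parse_allow_list(allow_value)
    return {name: is_allowed(groups, allow_list) for name, groups in callers.items()}


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (signature is a placeholder)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed sample tokens, not captured from a real Dex instance.
SAMPLE_TOKENS = {
    "alice (IdP, ml-admins)": _unsigned_token({"sub": "alice", "groups": ["ml-admins", "everyone"]}),
    "bob (IdP, no groups)": _unsigned_token({"sub": "bob"}),
    "admin (default DKP user)": _unsigned_token({"sub": "admin", "email": "admin@example.com"}),
}


def demo(allow_value: str = "ml-admins,data-science,system:serviceaccounts") -> dict[str, bool]:
    """Evaluate the sample callers plus one in-cluster ServiceAccount against allow_value."""
    callers = {name: caller_groups(tok) for name, tok in SAMPLE_TOKENS.items()}
    callers["pipeline-runner SA (kubeflow ns)"] = service_account_groups("kubeflow")
    return lockout_report(allow_value, callers)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOWED' if ok else 'LOCKED OUT':10} {name}")
```

Run it with the exact string you are about to paste into the Configure Service field; the default DKP admin and any identity provider user without a listed group show up as LOCKED OUT, and dropping system:serviceaccounts from the list flips the ServiceAccount row, which is the behaviour the note above about ServiceAccount tokens describes.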