Configure security and access control in Application Live View

This topic tells you how to enable improved security and access control in Application Live View in Tanzu Application Platform (commonly known as TAP). Improved security and access control in Application Live View secures the REST API exposed by the Application Live View back end.

For more information about Application Live View packages, see Install Application Live View.

Security and access control overview

There is one instance of Application Live View back end installed per View profile. Multiple users access this back-end API to fetch actuator data for different applications. All the REST API calls to the back end are secured. A token must be passed to the Application Live View back end on each call to the REST API to fetch actuator data. This token is obtained from Application Live View APIServer.

The Application Live View APIServer generates a unique token upon access validation of a user to a pod. The Application Live View back end passes this token to the Application Live View connector when requesting the actuator data. The Application Live View connector verifies this token by calling the Application Live View APIServer and proxies the actuator data only if the token is valid.

The Application Live View UI plug-in part of Tanzu Developer Portal uses the preceding approach to securely query for the actuator data for a pod. It requests a token from Application Live View APIServer and passes it in the subsequent calls to the back end. This ensures that actuator data from the running application is fetched only if the user is authorized to see the live information for the pod.

Diagram of the security and access control process described in this section.

The Application Live View UI plug-in relies on Tanzu Developer Portal authentication and authorization to access the Application Live View APIServer and fetch the Application Live View tokens.

The Tanzu Developer Portal controls the access to Kubernetes resources based on user roles and permissions for each of the remote clusters. For more information, see View runtime resources on authorization-enabled clusters.

For more information about how to set up unrestricted remote cluster visibility, see Viewing resources on multiple clusters in Tanzu Developer Portal.

Prerequisites

  1. You install the Application Live View APIServer package (apiserver.appliveview.tanzu.vmware.com) in Tanzu Application Platform. For more information, see Install Application Live View APIServer.

  2. Assign users necessary roles and permissions for the Kubernetes clusters. For more information about managing role-based access control, see Assign roles and permissions on Kubernetes clusters

For example: If you are using Service Account to view resources on a cluster in Tanzu Developer Portal, verify that the ClusterRole has rules to access and request tokens from the Application Live View APIServer.

- apiGroups: ['appliveview.apps.tanzu.vmware.com']
  resources:
  - resourceinspectiongrants
  verbs: ['get', 'watch', 'list', 'create']

For more information, see Set up a Service Account to view resources on a cluster.

Note

With the Service Account approach to view resources on a cluster, every user with the Service Account Token with access to view the pods is able to see the live information in Application Live View.

Configure improved security

The improved security feature is enabled by default for Application Live View.

In a Tanzu Application Platform profile install, the Application Live View connector (connector.appliveview.tanzu.vmware.com) and the Tanzu Application Platform GUI (tap-gui.tanzu.vmware.com) are automatically configured to enable the secure communication between Application Live View components.

You can control this feature by setting the top-level key shared.activateAppLiveViewSecureAccessControl in the tap-values.yaml.

For example:

shared:
    activateAppLiveViewSecureAccessControl: true

To override the security feature at the individual component level, take the following steps.

Application Live View connector

  1. (Optional) Change the default installation settings for Application Live View connector by running:

    tanzu package available get connector.appliveview.tanzu.vmware.com/VERSION-NUMBER --values-schema --namespace tap-install
    

    Where VERSION-NUMBER is the version of the package listed. For example, 1.5.0-build.5.

    For example:

    $ tanzu package available get connector.appliveview.tanzu.vmware.com/1.5.0-build.5 --values-schema --namespace tap-install
      KEY                                   DEFAULT             TYPE        DESCRIPTION
      kubernetes_version                                        string      Optional: The Kubernetes Version. Valid values are '1.24.*', or ''.
    
      backend.sslDeactivated                false               boolean     Flag for whether to disable SSL.
      backend.caCertData                    cert-in-pem-format  string      CA Cert Data for ingress domain.
      backend.host                          <nil>               string      Domain used to reach the Application Live View back end. Prepend
                                                                            "appliveview" subdomain to the value if you use shared ingress. For
                                                                            example: "example.com" becomes "appliveview.example.com".
      backend.ingressEnabled                false               boolean     Flag for the connector to connect to ingress on back end.
    
      backend.port                          <nil>               number      Port to reach the Application Live View back end.
      connector.namespace_scoped.enabled    false               boolean     Flag for the connector to run in namespace scope.
      connector.namespace_scoped.namespace  default             string      Namespace to deploy connector.
      kubernetes_distribution                                   string      Kubernetes distribution that this package is being installed on. Accepted
                                                                            values: ['''',''openshift''].
      activateAppLiveViewSecureAccessControl                    boolean     Optional: Configuration required to enable Secure Access Connection between App Live View components.
      activateSensitiveOperations                               boolean     Optional: Configuration to allow connector to execute sensitive operations on a running application.
    

    For more information about values schema options, see the properties listed earlier.

  2. Create app-live-view-connector-values.yaml with the following details:

    To override the default security settings for connector, use the following values:

    activateAppLiveViewSecureAccessControl: false
    

    By default, activateAppLiveViewSecureAccessControl is set to true.

    The activateSensitiveOperations key activates/deactivates the execution of sensitive operations, such as editing environment variables, downloading heap dump data, and changing log levels for the applications in the cluster. It is set to false by default.

    To enable the sensitive operations, set activateSensitiveOperations to true.

    activateSensitiveOperations: true
    

    To control permissions to execute sensitive operations at a user level, see Authorize a user to execute sensitive operations.

  3. Install the Application Live View connector package by running:

    tanzu package install appliveview-connector \
      --package connector.appliveview.tanzu.vmware.com \
      --version VERSION-NUMBER \
      --namespace tap-install \
      --values-file app-live-view-connector-values.yaml
    

    Where VERSION-NUMBER is the version of the package listed. For example, 1.5.0-build.5.

    For example:

    $ tanzu package install appliveview-connector \
        --package connector.appliveview.tanzu.vmware.com \
        --version 1.5.0-build.5 \
        --namespace tap-install \
        --values-file app-live-view-connector-values.yaml
    | Installing package 'connector.appliveview.tanzu.vmware.com'
    | Getting namespace 'tap-install'
    | Getting package metadata for 'connector.appliveview.tanzu.vmware.com'
    | Creating service account 'appliveview-connector-tap-install-sa'
    | Creating cluster admin role 'appliveview-connector-tap-install-cluster-role'
    | Creating cluster role binding 'appliveview-connector-tap-install-cluster-rolebinding'
    - Creating package resource
    / Package install status: Reconciling
    
    Added installed package 'appliveview-connector' in namespace 'tap-install'
    
  4. Verify the Application Live View connector package installation by running:

    tanzu package installed get appliveview-connector -n tap-install
    

    For example:

    tanzu package installed get appliveview-connector -n tap-install                                                                              5s
    | Retrieving installation details for appliveview-connector...
    NAME:                    appliveview-connector
    PACKAGE-NAME:            connector.appliveview.tanzu.vmware.com
    PACKAGE-VERSION:         1.5.0-build.5
    STATUS:                  Reconcile succeeded
    CONDITIONS:              [{ReconcileSucceeded True  }]
    USEFUL-ERROR-MESSAGE:
    

    Verify that STATUS is Reconcile succeeded.

Application Live View UI plug-in

The Application Live View UI plug-in is part of Tanzu Developer Portal. To override the default security settings for the Application Live View UI plug-in, take the following steps.

  1. (Optional) Make changes to the default installation settings by running:

    tanzu package available get tap-gui.tanzu.vmware.com/VERSION-NUMBER --values-schema --namespace tap-install
    

    Where VERSION-NUMBER is the number you discovered previously. For example, 1.4.6.

    For more information about values schema options, see the individual product documentation.

  2. Create tap-gui-values.yaml and paste in the following code:

    ingressEnabled: true
    ingressDomain: "INGRESS-DOMAIN"
    app_config:
      catalog:
        locations:
          - type: url
            target: https://GIT-CATALOG-URL/catalog-info.yaml
      appLiveView:
        activateAppLiveViewSecureAccessControl: false
    

    Where:

    • INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s External IP address.
    • GIT-CATALOG-URL is the path to the catalog-info.yaml catalog definition file from either the included Blank catalog (provided as an additional download named “Blank Tanzu Developer Portal Catalog”) or a Backstage-compliant catalog that you’ve already built and posted on the Git infrastructure specified in Add Tanzu Developer Portal integrations.
  3. Install the package by running:

    tanzu package install tap-gui \
      --package tap-gui.tanzu.vmware.com \
      --version VERSION \
      --namespace tap-install \
      --values-file tap-gui-values.yaml
    

    Where VERSION is the version that you want. For example, 1.4.6.

    For example:

    $ tanzu package install tap-gui \
        --package tap-gui.tanzu.vmware.com \
        --version 1.4.6 \
        --namespace tap-install \
        --values-file tap-gui-values.yaml
    - Installing package 'tap-gui.tanzu.vmware.com'
    | Getting package metadata for 'tap-gui.tanzu.vmware.com'
    | Creating service account 'tap-gui-default-sa'
    | Creating cluster admin role 'tap-gui-default-cluster-role'
    | Creating cluster role binding 'tap-gui-default-cluster-rolebinding'
    | Creating secret 'tap-gui-default-values'
    - Creating package resource
    - Package install status: Reconciling
    
     Added installed package 'tap-gui' in namespace 'tap-install'
    
  4. Verify that the package installed by running:

    tanzu package installed get tap-gui -n tap-install
    

    For example:

    $ tanzu package installed get tap-gui -n tap-install
    | Retrieving installation details for cc...
    NAME:                    tap-gui
    PACKAGE-NAME:            tap-gui.tanzu.vmware.com
    PACKAGE-VERSION:         1.4.6
    STATUS:                  Reconcile succeeded
    CONDITIONS:              [{ReconcileSucceeded True  }]
    USEFUL-ERROR-MESSAGE:
    

    Verify that STATUS is Reconcile succeeded.

  5. To access Tanzu Developer Portal, use the service you exposed in the service_type field in the values file.

Authorize a user to execute sensitive operations

You can limit the access to execute sensitive operations to specific users. This secures operations such as editing environment variables, downloading heap dump data, and changing log levels for applications.

To authorize a user to execute these sensitive operations:

  1. Create a ClusterRole with a rule that specifies the execute verb for the SensitiveOperationsAccess resource and a corresponding RoleBinding to bind it to a user:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: alv-execute-sensitive-op-role
    rules:
    - apiGroups: ['appliveview.apps.tanzu.vmware.com']
      resources:
      - sensitiveoperationsaccesses
      verbs: ['execute']
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: alice-alv-execute-sensitive-op-role-binding
      namespace: dev-team-1
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: alv-execute-sensitive-op-role
    subjects:
    - kind: User
      name: "[email protected]"
      apiGroup: rbac.authorization.k8s.io
    
  2. If you are using service account to view resources on a cluster in Tanzu Developer Portal, create a ClusterRole with a rule that specifies the execute verb for the SensitiveOperationsAccess resource and a corresponding RoleBinding to bind it to the tap-gui service account:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: alv-execute-sensitive-op-role
    rules:
    - apiGroups: ['appliveview.apps.tanzu.vmware.com']
      resources:
      - sensitiveoperationsaccesses
      verbs: ['execute']
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: alv-execute-sensitive-op-role-binding
      namespace: dev-team-1
    subjects:
    - kind: ServiceAccount
      namespace: tap-gui
      name: tap-gui-viewer
    roleRef:
      kind: ClusterRole
      name: alv-execute-sensitive-op-role
      apiGroup: rbac.authorization.k8s.io
    
  3. (Optional) Edit the tap-gui cluster role k8s-reader to add a rule that specifies the execute verb for the SensitiveOperationsAccess resource in a single cluster setup:

    kubectl edit clusterrole k8s-reader -n tap-gui
    
  4. Add the following rule to the cluster role:

    - apiGroups: ['appliveview.apps.tanzu.vmware.com']
      resources:
      - sensitiveoperationsaccesses
      verbs: ['execute']
    
    Note

    Executing sensitive operations is deactivated by default. You can enable it at the cluster level by setting the activateSensitiveOperations: true key in the appliveview_connector config or at the individual user level by assigning the roles and permissions mentioned earlier.

check-circle-line exclamation-circle-line close-line
Scroll to top icon