You can deploy Tanzu Kubernetes clusters that implement authentication and authorization, so that only users with the correct permissions can access those clusters. This release of Tanzu Kubernetes Grid provides user authentication of clusters by implementing the open source Dex and Gangway projects.

Tanzu Kubernetes Grid includes signed binaries for Dex, so that you can enable authentication services in your clusters. Dex is an OpenID Connect (OIDC) provider that enables authentication for Kubernetes clusters by connecting to an external identity provider (IDP), such as an LDAP server or an OIDC provider like Okta. Tanzu Kubernetes Grid exposes the Dex service through a NodePort service when running on vSphere and through a LoadBalancer service when running on Amazon EC2.

IMPORTANT:

  • In this release of Tanzu Kubernetes Grid, the provided authentication implementation assumes that you use self-signed certificates. If you have Tanzu Kubernetes Grid Plus support, you can engage with Tanzu Kubernetes Grid Plus Customer Reliability Engineers, who can help you to implement authentication with your own certificates.
  • Tanzu Kubernetes Grid does not support IPv6 addresses. This is because upstream Kubernetes only provides alpha support for IPv6. Always provide IPv4 addresses in the procedures in this section.

The process to set up authentication with Dex and Gangway involves several stages:

  1. Deploy Dex on your management cluster.

    If your management cluster runs on vSphere, Tanzu Kubernetes Grid supports using Dex with either LDAP or OIDC. If your management cluster runs on Amazon EC2, only OIDC is supported. The identity provider that you configure Dex to use is used by all of the clusters in your Tanzu Kubernetes Grid instance.

    Perform one of the following procedures to deploy Dex:

  2. Deploy an OIDC-enabled Tanzu Kubernetes cluster.

    To use the Dex service, you must deploy Tanzu Kubernetes clusters with an embedded OIDC endpoint. The OIDC endpoint allows the cluster to connect to your LDAP or OIDC server. The procedure to Deploy an Authentication-Enabled Cluster is the same for both vSphere and Amazon EC2 deployments.

  3. Enable Gangway on the OIDC-enabled cluster.

    Gangway is a Kubernetes authentication client that you install on each workload cluster for which you want to implement authentication. Gangway generates a kubeconfig that allows clusters to use Dex to connect to your identity provider.

    Perform one of the following procedures to enable Gangway:

  4. Access the cluster with your IDP credentials.

    Gangway exposes a web-based endpoint on workload clusters to which end users connect with their IDP credentials in order to access the application that runs in the cluster.
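The following configuration is an added illustration of how the pieces in steps 1 to 3 reference each other; it is not the manifest that Tanzu Kubernetes Grid generates. Hostnames, ports, LDAP DNs and secrets are placeholders, and the LDAP connector verifies the directory server's certificate against a pinned CA rather than skipping verification.

```yaml
# Added illustration of how Dex, kube-apiserver and Gangway reference each other;
# this is not the manifest that Tanzu Kubernetes Grid generates. Hostnames, ports,
# DNs and secrets are placeholders.
#
# kube-apiserver on the workload cluster (step 2) trusts Dex as its OIDC issuer:
#   --oidc-issuer-url=https://dex.example.com:30000   # must equal 'issuer' below
#   --oidc-client-id=gangway                          # must equal the staticClient id below
#   --oidc-ca-file=/etc/kubernetes/pki/dex-ca.crt     # CA that signed Dex's (self-signed) cert
#   --oidc-username-claim=email
#   --oidc-groups-claim=groups                        # lets RBAC bind to LDAP groups
#
# Dex (step 1, management cluster):
issuer: https://dex.example.com:30000   # NodePort on vSphere, LoadBalancer hostname on EC2
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  https: 0.0.0.0:5556
  tlsCert: /etc/dex/tls/tls.crt
  tlsKey: /etc/dex/tls/tls.key
connectors:
- type: ldap
  id: ldap
  name: Corporate LDAP
  config:
    host: ldap.example.com:636
    rootCA: /etc/dex/ldap/ca.crt   # pin the directory CA; do not set insecureSkipVerify: true
    bindDN: cn=dex-reader,ou=service,dc=example,dc=com   # read-only service account
    bindPW: <PLACEHOLDER_BIND_PASSWORD>
    userSearch:
      baseDN: ou=people,dc=example,dc=com
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: ou=groups,dc=example,dc=com
      filter: "(objectClass=groupOfNames)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
staticClients:
- id: gangway                          # matches --oidc-client-id and Gangway's clientID (step 3)
  name: Gangway
  secret: <PLACEHOLDER_CLIENT_SECRET>  # same value as Gangway's clientSecret
  redirectURIs:
  - https://gangway.workload.example.com/callback   # matches Gangway's redirectURL
```

Gangway's own configuration on the workload cluster points `authorizeURL` and `tokenURL` at the same Dex issuer and `apiServerURL` at that cluster's API server, so the kubeconfig it generates carries ID tokens that the API server can validate against Dex.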

If you have Tanzu Kubernetes Grid Plus support, you can engage with Tanzu Kubernetes Grid Plus Customer Reliability Engineers, who can help you to implement other authentication providers with Tanzu Kubernetes Grid.