You can deploy Tanzu Kubernetes clusters that implement authentication and authorization, so that only users with the correct permissions can access those clusters. If you implement authentication on Tanzu Kubernetes clusters, users with the correct permissions can use their identity provider (IDP) credentials to log in to a Web interface where they can download the kubeconfig for a given cluster. Tanzu Kubernetes Grid provides user authentication of clusters by implementing the open source Dex and Gangway projects.
IMPORTANT: Tanzu Kubernetes Grid v1.3 introduces user authentication with Pinniped and Dex, which run automatically in management clusters if you enable identity management during deployment. Because of this change in authentication mechanism in v1.3, if you have not already manually deployed the Dex and Gangway extensions in v1.2.x, it is strongly recommended not to do so. To implement cluster authentication, it is strongly recommended to upgrade to Tanzu Kubernetes Grid v1.3 and to use the built-in Pinniped and Dex identity management service that the newer version provides.
The process to set up authentication with Dex and Gangway involves several stages:
The IDP that you can use depends on the infrastructure on which your management cluster runs.
| Infrastructure | Identity provider |
|---|---|
| vSphere | LDAP or OIDC |
The IDP that you configure Dex to use is used by all of the clusters in your Tanzu Kubernetes Grid instance.
To use the Dex service you must deploy Tanzu Kubernetes clusters with an embedded OIDC endpoint. The OIDC endpoint allows the cluster to connect to your LDAP or OIDC server.
Gangway is a Kubernetes authentication client that you install on each Tanzu Kubernetes cluster for which you want to implement authentication. Gangway generates a kubeconfig that allows clusters to use Dex to connect to your identity provider.
IMPORTANT: Tanzu Kubernetes Grid provides Gangway exclusively for use in combination with Dex and in the manner that is documented here. Any other use of the provided Gangway implementation is not supported.
Gangway exposes a Web-based endpoint on Tanzu Kubernetes clusters, to which end users can connect with their IDP credentials, in order to access the kubeconfig for the cluster.
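As an added illustration (not text from the Tanzu Kubernetes Grid documentation, and not Gangway's actual output), the following is a constructed kubeconfig in the shape that an OIDC-based client such as Gangway hands to a user after a successful Dex login. The `oidc` auth-provider entry is what ties the user's kubectl session to Dex, and it also shows what the cluster's OIDC endpoint has to agree on. All host names, the cluster name, the client ID and the token values are placeholders.

```yaml
# Constructed example: a kubeconfig of the kind an OIDC login client hands
# to a user. Not taken from Tanzu Kubernetes Grid; every host name, cluster
# name, client ID and token value below is a placeholder.
apiVersion: v1
kind: Config
current-context: example-cluster
clusters:
- name: example-cluster
  cluster:
    # Placeholder API server endpoint of the workload cluster.
    server: https://example-cluster.api.example.internal:6443
    # Placeholder: CA bundle of the cluster, base64-encoded.
    certificate-authority-data: <base64 cluster CA>
contexts:
- name: example-cluster
  context:
    cluster: example-cluster
    user: jane@example.com
users:
- name: jane@example.com
  user:
    auth-provider:
      name: oidc
      config:
        # Must match the issuer the cluster's kube-apiserver trusts
        # (its --oidc-issuer-url flag); with Dex this is the Dex service.
        idp-issuer-url: https://dex.example.internal/
        # Must match --oidc-client-id on the kube-apiserver, otherwise the
        # token's audience is rejected and kubectl gets "Unauthorized".
        client-id: example-client-id
        client-secret: <client secret>
        # CA that signed Dex's serving certificate, so kubectl only refreshes
        # tokens against the genuine Dex endpoint, not an arbitrary host.
        idp-certificate-authority-data: <base64 Dex CA>
        # Short-lived ID token presented to the API server on each request;
        # kubectl uses the refresh token against Dex once it expires.
        id-token: <JWT issued by Dex>
        refresh-token: <refresh token>
```

On the cluster side, kube-apiserver validates such tokens using its standard `--oidc-issuer-url` and `--oidc-client-id` flags (optionally with `--oidc-username-claim`, `--oidc-groups-claim` and `--oidc-ca-file`); the values in the kubeconfig have to match those flags, and a kubeconfig whose issuer or client ID differs is rejected even if the token itself is valid. Note that kubectl has since deprecated the built-in `oidc` auth-provider in favour of exec credential plugins, so newer tooling emits a different user entry for the same flow.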