SSO New Generation with Pomerium
Context
When your application does not support Authentication mechanism, a good practice is to expose it using a SSO layer.
In the past, k8saas provided a Built-in SSO to allow all Thales employees but the configuration was difficult to put in place:
- 1 oauth proxy per URL
- manual ticket to send to support to get credentials
- redirect URL configuration is confused
K8SAAS has decided to propose a new generation of SSO that does not need a manual ticket and the deployment of an oauth proxy per URL.
This solution is based on Pomerium
Not supported for corporate-addon
Pomerium is not currently supported for corporate-addon clusters.
Use cases
- After GoToDemo Gate, expose an application to user outside the development team without using a VPN
- Protect few ingresses or URLs using a single mechanism
- Authenticate users when accessing to static or simple application
What to do ?
Enable the feature
This feature is not yet deployed by default (because it's still an exploration at this stage).
To use this feature, you first need to send a request on the TrustNest K8SaaS Service catalog with the following info:
- the name of your instance
- ask for escalating the ticket to tdp-k8saas
- ask to enable the SSO new generation
Use the feature
To use this SSO new generation, you just have to:
- add the following ingress class name
ingressClassName: pomerium
- Precise the policy following the example:
Allow all thalesdigital.io:
ingress.pomerium.io/policy: |
- allow:
or:
- domain:
is: thalesdigital.io
Allow specific users:
ingress.pomerium.io/policy: |
- allow:
or:
- email:
is: toto.titi@thalesdigital.io
Allow specific Azure AD groups:
- retreive azure ad group objectId
az ad group show -g <my_group_name> --query "id" -otsv
- use
idin group policy:
ingress.pomerium.io/allowed_groups: |
- <id>
Manage User access with Azure Enterprise Application (special case)
Azure Active Directory provides a way to manage User Access using both oauth 2.0 and the Entreprise Application. The purpose of this section is to explain how to set up your SSL to do so.
Assignment required in AAD: First, you need to enforce the "Assignment required" configuration.
Go to your enterprise application using azure portal, and make sure your configuration follows:
Users and Groups in AAD: This configuration will reject the users that are not listed in the "Users and Groups" section
Then go to "Users and Groups" section and add the users and groups that you want to allow
Pomerium policy:
Simply add the following annotation to allow all logged users:
ingress.pomerium.io/policy: |
- allow:
or:
- authenticated_user: true
Now, all users listed in the entreprise application can access to your k8saas application behind the SSO v2 !
Test with an example ingress:
Here is a test using an example ingress that exposes an Hello World application using Pomerium.
To follow this tutorial, please use the pomerium-helloworld folder from our Hello world repository.
First of all, deploy the hello-world application and associated service:
$ kubectl apply -f aks-helloworld-pomerium.yaml
Then, Let's take a look at the file pomerium-ingress.yaml :
apiVersion: networking.k8s.io/v1 #extensions/v1beta1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
ingress.pomerium.io/policy: |
- allow:
or:
- domain:
is: thalesdigital.io
name: httpserver-ingress
spec:
ingressClassName: pomerium
rules:
- host: hello-world-ingress.demo-pomerium.kaas.thalesdigital.io
http:
paths:
- backend:
service:
name: aks-helloworld-one
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- hello-world-ingress.demo-pomerium.kaas.thalesdigital.io
secretName: http-pomerium-test
It will deploy an ingress that will expose the hello world application using pomerium.
The important fields are:
- spec.ingressClassName: the ingresssClass to use, for us it's pomerium
- metadata.annotations.ingress.pomerium.io/policy: the pomerium policy for that ingress.
First we need to rename the ingress host and secret to your cluster name.
Be sure to replace <YOUR_CLUSTER_NAME> by your cluster name when using the following commands:
$ sed -i'.bak' "s/hello-world-ingress.demo-pomerium.kaas.thalesdigital.io/hello-world-ingress.<YOUR_CLUSTER_NAME>.-pomerium.kaas.thalesdigital.io/g" pomerium-ingress.yaml
Deploy the ingress to your cluster:
$ kubectl apply -f ./pomerium-ingress.yaml
You can use the following command to watch the deployed ingress until a public IP is assigned to it:
$ k get ing -w
NAME CLASS HOSTS ADDRESS PORTS AGE
httpserver-ingress pomerium <YOUR_CLUSTER_NAME>.kaas.thalesdigital.io 20.11.111.111 80, 443 2m
After a few minutes, open the url https://<YOUR_CLUSTER_NAME>.kaas.thalesdigital.io and you can access the hello world page once signed in.
Delete the deploy resources:
$ kubectl delete -f aks-helloworld-pomerium.yaml
$ kubectl delete -f ./pomerium-ingress.yaml
Next step
- Follow the Pomerium Hello World
- Look how k8saas help you to implement the Basic Security Stories
- Look at the k8saas policies