rancher-docs/content/rancher/v2.x/en/admin-settings/authentication/_index.md
Denise b0a52bb544 v2.3 Docs (#1662)
* Cluster Templates docs

* Say to pass private registry as env variable in air gap install

* Add chart compatibility info to Catalog docs

* Edit node pool docs

Add 'the'

Move 'how it works' info to bottom of node pools doc

Move 'how it works' info to bottom of node pools doc

Add steps for disabling node auto-replace

Hide 'How does node auto-replace work' in dropdown

Add hyphen

Only include Rancher UI steps for enable/disable node auto-replace

Only include Rancher UI steps for enable/disable node auto-replace

Change wording around node auto-replace

* Add note about session length setting

* Update _index.md

* quiet option added so output doesn't contain non-image output from RKE in the rancher-images.txt file.

* updating to list-version

* Windows docs usability (#1712)

* Update supported Windows server version

* Edit docs on Windows clusters

* Edit docs on Windows clusters

* Edit Windows node docs

* Minor edits to Windows docs

* Edit node pool docs

Add 'the'

Move 'how it works' info to bottom of node pools doc

Move 'how it works' info to bottom of node pools doc

Add steps for disabling node auto-replace

Hide 'How does node auto-replace work' in dropdown

Add hyphen

Only include Rancher UI steps for enable/disable node auto-replace

Only include Rancher UI steps for enable/disable node auto-replace

Change wording around node auto-replace

* Update _index.md

* Edit Windows cluster docs

* Edit Windows cluster docs for usability

* Update supported Windows server version

* Edit docs on Windows clusters

* Edit Windows node docs

* Minor edits to Windows docs

* Edit Windows cluster docs

* Edit Windows cluster docs for usability

* Minor edits to Windows docs

* Clarify that custom clusters are provisioned with RKE (#1734)

* Clarify that custom clusters are RKE provisioned

* Clarify that custom clusters are RKE provisioned

* Minor edits to Windows/custom cluster docs

* Edit cluster template docs (#1660)

* Cluster Templates docs

* Mention template clusters in cluster provisioning section

* Edit cluster template docs

* Clarify Owner access type for cluster templates

* Mention template clusters in cluster provisioning section

* Edit cluster template docs

* Clarify Owner access type for cluster templates

* Revise cluster template docs

* Revise cluster template docs

* Mention template clusters in cluster provisioning section

* Edit cluster template docs

* Clarify Owner access type for cluster templates

* Revise cluster template docs

* Revise cluster template docs

* Cluster Templates docs

* Mention template clusters in cluster provisioning section

* Mention template clusters in cluster provisioning section

* Edit cluster template docs

* Edit cluster template docs

* Add note about session length setting

* Revise cluster template docs

* quiet option added so output doesn't contain non-image output from RKE in the rancher-images.txt file.

* updating to list-version

* Windows docs usability (#1712)

* Update supported Windows server version

* Edit docs on Windows clusters

* Edit docs on Windows clusters

* Edit Windows node docs

* Minor edits to Windows docs

* Edit node pool docs

Add 'the'

Move 'how it works' info to bottom of node pools doc

Move 'how it works' info to bottom of node pools doc

Add steps for disabling node auto-replace

Hide 'How does node auto-replace work' in dropdown

Add hyphen

Only include Rancher UI steps for enable/disable node auto-replace

Only include Rancher UI steps for enable/disable node auto-replace

Change wording around node auto-replace

* Update _index.md

* Edit Windows cluster docs

* Edit Windows cluster docs for usability

* Update supported Windows server version

* Edit docs on Windows clusters

* Edit Windows node docs

* Minor edits to Windows docs

* Edit Windows cluster docs

* Edit Windows cluster docs for usability

* Minor edits to Windows docs

* Update template docs per UI and permissions changes

* Revise template docs

* Address feedback on RKE template docs

* Fix name of directive in RKE template YAML

* Change env variable to match code from github issue resolution

* Add information for cert-manager

Problem:
cert-manager is old and will be cut off soon

Solution:
Update docs to include current install instructions and instructions on
how to upgrade cert-manager to the current version

* Revamp cert-manager docs

- Condense air gap and normal upgrade instructions for cert-manager down
to a single page. This allowed us to consolidate some repetitive text.
- Add a section explaining cert-manager's API change and the recommended
data migration
- Moved the upgrade instructions out of the cluster administration
section and into the Advanced installation options (not perfect but our
best fit)
- On the pages where we instruct the user to install cert-manager, made a
note and link to our upgrade documentation

* Respond to feedback on RKE template docs (#1757)

* Respond to feedback on RKE template docs

* Respond to feedback on RKE template docs

* Minor edits to RKE template docs

* Change env variable to match code from github issue resolution

* Add information for cert-manager

Problem:
cert-manager is old and will be cut off soon

Solution:
Update docs to include current install instructions and instructions on
how to upgrade cert-manager to the current version

* Add information for cert-manager

Problem:
cert-manager is old and will be cut off soon

Solution:
Update docs to include current install instructions and instructions on
how to upgrade cert-manager to the current version

* Revamp cert-manager docs

- Condense air gap and normal upgrade instructions for cert-manager down
to a single page. This allowed us to consolidate some repetitive text.
- Add a section explaining cert-manager's API change and the recommended
data migration
- Moved the upgrade instructions out of the cluster administration
section and into the Advanced installation options (not perfect but our
best fit)
- On the pages where we instruct the user to install cert-manager, made a
note and link to our upgrade documentation

* Revamp cert-manager docs

- Condense air gap and normal upgrade instructions for cert-manager down
to a single page. This allowed us to consolidate some repetitive text.
- Add a section explaining cert-manager's API change and the recommended
data migration
- Moved the upgrade instructions out of the cluster administration
section and into the Advanced installation options (not perfect but our
best fit)
- On the pages where we instruct the user to install cert-manager, made a
note and link to our upgrade documentation

* Windows docs usability (#1712)

* Update supported Windows server version

* Edit docs on Windows clusters

* Edit docs on Windows clusters

* Edit Windows node docs

* Minor edits to Windows docs

* Edit node pool docs

Add 'the'

Move 'how it works' info to bottom of node pools doc

Move 'how it works' info to bottom of node pools doc

Add steps for disabling node auto-replace

Hide 'How does node auto-replace work' in dropdown

Add hyphen

Only include Rancher UI steps for enable/disable node auto-replace

Only include Rancher UI steps for enable/disable node auto-replace

Change wording around node auto-replace

* Update _index.md

* Edit Windows cluster docs

* Edit Windows cluster docs for usability

* Update supported Windows server version

* Edit docs on Windows clusters

* Edit Windows node docs

* Minor edits to Windows docs

* Edit Windows cluster docs

* Edit Windows cluster docs for usability

* Minor edits to Windows docs

* Edit air gap docs (#1759)

* Edit air gap docs

* Edit air gap installation steps

* add notes about taints on linux worker nodes

* adding node taints docs

* add s3 backup option for self signed certs

* add advanced options systemDefaultRegistry and useBundledSystemChart in helm options

* Add Kubernetes Metadata Feature

* Add google oauth docs

* Air gap install updates (#1791)

* fix single node air gap command

* New air gap layout - overview

* New air gap layout - prepare nodes

* New air gap layout - prepare private registry and add windows instructions

* New air gap layout - install k8s

* New air gap layout - install rancher

* small edits

* Small air gap edits

* small revision to airgap docs

* Edit RKE metadata doc (#1790)

* Edit RKE metadata config docs

* Minor edits to RKE metadata doc

* Minor edits to RKE metadata doc

* Minor edits to K8s metadata doc

* Update note in K8s metadata doc

* Addressing PR review comments

* Google OAuth (#1797)

* Copy edit Google Oauth docs

* Copy edit Google Oauth docs

* Minor edits to Google Oauth doc

* Add info on add ons and agents

* Fix up air gap upgrades based on air gap install edits

* Update example CIDRs for bip ranges

* Missing a L3 Header for General Linux

The current TOC structure is missing a General category which makes it read like CentOS/RHEL is the recommended distro..
Adding a General Linux Recommendations better highlights that the RHEL stuff is additional information for those distros.

* EIO-194: documentation updates for CIS benchmark 1.4.1

* Fix incorrect rendering of bash script

The bash script doesn't display correctly and when copied as is doesn't work due to a leading 'bash' in the command.

* Add info on intermediates recognized CA cert

* Small air gap upgrade updates for consistency

* Remove unnecessary step

* Add taints to nodes

* Update RKE CLI docs with folder info

* Added folder option for s3 backups

* Edit Istio cluster administration docs

* Edit Istio docs

* Edit Istio docs

* Document safe timestamps

* Edit Istio docs

* Edit Istio docs

* Update _index.md

* Add feature flag doc

* Edit feature flag doc

* Change unsupported to experimental

* Change wording

* Edit Istio docs

* Rancher min/max version

* Edit Istio rbac info

* Add c

* Edit Istio rbac section
2019-10-07 22:53:18 -07:00


---
title: Authentication
weight: 1115
aliases:
  - /rancher/v2.x/en/concepts/global-configuration/authentication/
  - /rancher/v2.x/en/tasks/global-configuration/authentication/
---

One of the key features that Rancher adds to Kubernetes is centralized user authentication. This feature allows your users to use one set of credentials to authenticate with any of your Kubernetes clusters.

This centralized user authentication is accomplished using the Rancher authentication proxy, which is installed along with the rest of Rancher. This proxy authenticates your users and forwards their requests to your Kubernetes clusters using a service account.

## External vs. Local Authentication

The Rancher authentication proxy integrates with the following external authentication services. The table lists the first version of Rancher in which each service became available.

| Auth Service | Available as of |
| --- | --- |
| Microsoft Active Directory | v2.0.0 |
| GitHub | v2.0.0 |
| Microsoft Azure AD | v2.0.3 |
| FreeIPA | v2.0.5 |
| OpenLDAP | v2.0.5 |
| Microsoft AD FS | v2.0.7 |
| PingIdentity | v2.0.7 |
| Keycloak | v2.1.0 |
| Okta | v2.2.0 |
| Google OAuth | v2.3.0 |

However, Rancher also provides local authentication.

In most cases, you should use an external authentication service over local authentication, as external authentication allows user management from a central location. However, you may want a few local authentication users for managing Rancher under rare circumstances, such as if your external authentication provider is unavailable or undergoing maintenance.

## Users and Groups

Rancher relies on users and groups to determine who is allowed to log in to Rancher and which resources they can access. When a user authenticates with an external provider, that provider reports which groups the user belongs to. These users and groups are given specific roles on resources such as clusters, projects, multi-cluster apps, and global DNS providers and entries. When you give access to a group, every user who is a member of that group in the authentication provider can access the resource with the permissions you specified. For more information on roles and permissions, see Role Based Access Control.

Note: Local authentication does not support creating or managing groups.

For more information, see Users and Groups.

## Scope of Rancher Authorization

After you configure Rancher to allow sign-on through an external authentication service, you should configure who is allowed to log in and use Rancher. The following options are available:

| Access Level | Description |
| --- | --- |
| Allow any valid Users | Any user in the authorization service can access Rancher. We generally discourage use of this setting! |
| Allow members of Clusters, Projects, plus Authorized Users and Organizations | Any user in the authorization service and any group added as a Cluster Member or Project Member can log in to Rancher. Additionally, any user in the authentication service or group you add to the Authorized Users and Organizations list may log in to Rancher. |
| Restrict access to only Authorized Users and Organizations | Only users in the authentication service or groups added to the Authorized Users and Organizations list can log in to Rancher. |

To set the Rancher access level for users in the authorization service, follow these steps:

  1. From the Global view, click Security > Authentication.

  2. Use the Site Access options to configure the scope of user authorization. The table above explains the access level for each option.

  3. Optional: If you choose an option other than Allow any valid Users, you can add users to the list of authorized users and organizations by searching for them in the text field that appears.

  4. Click Save.

Result: The Rancher access configuration settings are applied.
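The three Site Access options above differ only in which evidence admits a user: nothing, an entry on the Authorized Users and Organizations list, or (in the middle mode) also a Cluster Member or Project Member binding. The following Go program is an added example, not Rancher's own code; it models that decision so the difference between the modes is explicit. The `SiteAccess` struct, the `CanLogin` method and the principal ID formats such as `github_user://1001` are constructed for the example. Group principals reported by the provider are checked exactly like the user's own principal, which is what allows one list entry to admit a whole organization.

```go
package main

import "fmt"

// AccessMode models the three "Site Access" options described above.
type AccessMode int

const (
	AllowAnyValidUser    AccessMode = iota // "Allow any valid Users"
	RequireMembership                      // "Allow members of Clusters, Projects, plus Authorized Users and Organizations"
	RestrictToAuthorized                   // "Restrict access to only Authorized Users and Organizations"
)

// Principal is an identity reported by the external provider: the user
// themself, or a group the provider says the user belongs to.
type Principal struct {
	ID      string // constructed format, e.g. "github_user://1001"
	IsGroup bool
}

// SiteAccess is a hypothetical model of the state behind Security > Authentication.
type SiteAccess struct {
	Mode AccessMode
	// Principal IDs (users or groups) on the Authorized Users and Organizations list.
	Authorized map[string]bool
	// Principal IDs that hold a Cluster Member or Project Member role somewhere.
	ClusterOrProjectMembers map[string]bool
}

// CanLogin returns whether a freshly authenticated user may enter Rancher,
// plus a reason suitable for an audit log line.
func (s SiteAccess) CanLogin(user Principal, groups []Principal) (bool, string) {
	candidates := append([]Principal{user}, groups...)
	switch s.Mode {
	case AllowAnyValidUser:
		return true, "site access is unrestricted"
	case RequireMembership:
		for _, p := range candidates {
			if s.Authorized[p.ID] {
				return true, "authorized principal " + p.ID
			}
			if s.ClusterOrProjectMembers[p.ID] {
				return true, "cluster/project member " + p.ID
			}
		}
		return false, "neither authorized nor a cluster/project member"
	case RestrictToAuthorized:
		for _, p := range candidates {
			if s.Authorized[p.ID] {
				return true, "authorized principal " + p.ID
			}
		}
		return false, "not on the Authorized Users and Organizations list"
	}
	return false, "unknown access mode"
}

// SampleSiteAccess builds a constructed policy: one authorized group and
// one user who is only a Project Member.
func SampleSiteAccess(mode AccessMode) SiteAccess {
	return SiteAccess{
		Mode:                    mode,
		Authorized:              map[string]bool{"github_org://platform-team": true},
		ClusterOrProjectMembers: map[string]bool{"github_user://2002": true},
	}
}

func main() {
	alice := Principal{ID: "github_user://1001"}
	aliceGroups := []Principal{{ID: "github_org://platform-team", IsGroup: true}}
	bob := Principal{ID: "github_user://2002"}     // project member only
	mallory := Principal{ID: "github_user://3003"} // valid at the provider, unknown to Rancher

	cases := []struct {
		name   string
		user   Principal
		groups []Principal
	}{{"alice", alice, aliceGroups}, {"bob", bob, nil}, {"mallory", mallory, nil}}

	for _, mode := range []AccessMode{AllowAnyValidUser, RequireMembership, RestrictToAuthorized} {
		policy := SampleSiteAccess(mode)
		for _, c := range cases {
			ok, why := policy.CanLogin(c.user, c.groups)
			fmt.Printf("mode=%d user=%-8s allowed=%-5t (%s)\n", mode, c.name, ok, why)
		}
	}
}
```

Running it shows why the first mode is discouraged: `mallory`, who has a valid account at the provider but no relationship to this Rancher installation, is admitted only under `AllowAnyValidUser`, and `bob`'s project membership stops counting once the restricted mode is selected.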

{{< saml_caveats >}}

## External Authentication Configuration and Principal Users

Configuration of external authentication requires:

- A local user assigned the administrator role, called hereafter the local principal.
- An external user that can authenticate with your external authentication service, called hereafter the external principal.

Configuration of external authentication affects how principal users are managed within Rancher. Follow the list below to better understand these effects.

  1. Sign into Rancher as the local principal and complete configuration of external authentication.

     *(Screenshot: Sign In)*

  2. Rancher associates the external principal with the local principal. These two users share the local principal's user ID.

     *(Screenshot: Principal ID Sharing)*

  3. After you complete configuration, Rancher automatically signs out the local principal.

     *(Screenshot: Sign Out Local Principal)*

  4. Then, Rancher automatically signs you back in as the external principal.

     *(Screenshot: Sign In External Principal)*

  5. Because the external principal and the local principal share an ID, no unique object for the external principal displays on the Users page.

     *(Screenshot: Sign In External Principal)*

  6. The external principal and the local principal share the same access rights.
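Steps 2, 5 and 6 above describe one user record that can be reached through two principal IDs. The following Go program is an added example, not Rancher's code; it models a user store in which a local principal and an external principal resolve to the same user ID, so the Users page count stays at one and both principals carry the same role. The `UserStore` type, its methods and the principal ID formats are constructed for the example. The check in `AssociateExternal` that refuses to bind a principal already attached to a different user is an added safeguard, not a documented Rancher behaviour; it prevents two identities from being silently merged along with their rights.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a Rancher-style user record: one user ID that may carry several
// principal IDs (the local one, plus an external one once auth is configured).
type User struct {
	ID           string
	PrincipalIDs []string
	GlobalRole   string
}

// UserStore indexes users by principal ID so that logging in through any of
// a user's principals resolves to the same record (hypothetical store).
type UserStore struct {
	users       []*User
	byPrincipal map[string]*User
}

func NewUserStore() *UserStore {
	return &UserStore{byPrincipal: map[string]*User{}}
}

// AddLocalUser creates a local principal, such as the initial admin.
func (s *UserStore) AddLocalUser(userID, localPrincipal, role string) *User {
	u := &User{ID: userID, PrincipalIDs: []string{localPrincipal}, GlobalRole: role}
	s.users = append(s.users, u)
	s.byPrincipal[localPrincipal] = u
	return u
}

// AssociateExternal is step 2: the external principal that authenticated
// during configuration is attached to the local principal's user ID.
// The added check refuses a principal already bound to a different user.
func (s *UserStore) AssociateExternal(localPrincipal, externalPrincipal string) error {
	u, ok := s.byPrincipal[localPrincipal]
	if !ok {
		return errors.New("local principal not found: " + localPrincipal)
	}
	if other, bound := s.byPrincipal[externalPrincipal]; bound {
		if other != u {
			return fmt.Errorf("%s is already bound to user %s", externalPrincipal, other.ID)
		}
		return nil // already associated with this very user
	}
	u.PrincipalIDs = append(u.PrincipalIDs, externalPrincipal)
	s.byPrincipal[externalPrincipal] = u
	return nil
}

// Resolve maps any principal ID to the user record it belongs to.
func (s *UserStore) Resolve(principalID string) (*User, bool) {
	u, ok := s.byPrincipal[principalID]
	return u, ok
}

// Count is what the Users page shows: one row per user ID, not per principal.
func (s *UserStore) Count() int { return len(s.users) }

func main() {
	store := NewUserStore()
	// Step 1: the local admin exists before external auth is configured.
	store.AddLocalUser("user-abcde", "local://user-abcde", "admin")

	// Step 2: the external principal used during configuration is attached.
	if err := store.AssociateExternal("local://user-abcde", "github_user://1001"); err != nil {
		panic(err)
	}

	// Steps 4-6: signing in as either principal yields the same user and role,
	// and the Users page still lists a single user.
	local, _ := store.Resolve("local://user-abcde")
	external, _ := store.Resolve("github_user://1001")
	fmt.Printf("same user: %t, user ID: %s, role: %s, users listed: %d\n",
		local == external, external.ID, external.GlobalRole, store.Count())

	// Added safeguard: a second local user cannot claim the same external principal.
	store.AddLocalUser("user-fghij", "local://user-fghij", "user")
	if err := store.AssociateExternal("local://user-fghij", "github_user://1001"); err != nil {
		fmt.Println("refused:", err)
	}
}
```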