Cloud Native

Kubernetes Impersonation, DUO, Okta, and AzureAD in OpenUnison 1.0.18

April 21, 2020

by Marc Boorshtein

TL;DR

  • Kubernetes impersonation support - access managed Kubernetes with enterprise credentials and no plugins!
  • Kubernetes impersonation support - Use the dashboard securely on managed clusters
  • Prometheus metrics support - Prometheus metrics authenticated using Kubernetes service accounts
  • Okta - Provision users and groups via the Okta API from OpenUnison workflows
  • AzureAD - Provision users, guests and groups via the Microsoft Graph API from OpenUnison workflows
  • DUO Login - Now supported by OpenUnison
  • Zero Known Vulnerabilities - Snyk.io integration to track dependencies

OpenUnison 1.0.18

Today we’re proud to announce the availability of OpenUnison 1.0.18.  This release is one of our largest feature releases yet and the best part is many of the new features are already in production with existing customers and users!  Most of the features in this release were driven by customer demand.  Let's go through them!

Kubernetes


Kubernetes Logo transparent PNG - StickPNG

We already have one of the most comprehensive solutions for integrating authentication and authorization into your clusters via OpenID Connect, but what about your managed clusters like EKS, AKS and GKE?  These technologies won’t let you update their configuration for OpenID Connect integration.  With OpenUnison 1.0.18, and all of the Orchestra login portal implementations on GitHub, you can now integrate your enterprise’s authentication and authorization into these clusters too using impersonation!  Simply deploy one of the Orchestra portals into your cluster and integrate with your identity provider of choice (LDAP/Active Directory, SAML2, OpenID Connect, GitHub) and you’ll be able to access kubectl and the dashboard with the same credentials as you do your on-premises clusters!  No more mapping user credentials to cloud systems and no need for kubectl plugins!
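The mechanism behind impersonation on a managed cluster is a reverse proxy that authenticates the user itself, then forwards each request to the API server with the proxy's own service account token plus `Impersonate-User` and `Impersonate-Group` headers, so RBAC is evaluated as the end user. The following Go program is an added illustration of that pattern and is not OpenUnison's or Orchestra's code; the `Identity` type, the `authenticate` callback and the placeholder token and addresses in `main` are assumptions for the example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is the user an upstream identity provider (LDAP, SAML2, OIDC, ...)
// has already authenticated. How that happens is outside this example; the
// proxy only needs the resulting user name and group list.
type Identity struct {
	User   string
	Groups []string
}

// impersonationHeaders are the headers that make the API server evaluate RBAC
// as the end user instead of as the proxy's own service account.
func impersonationHeaders(id Identity) http.Header {
	h := http.Header{}
	h.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		h.Add("Impersonate-Group", g)
	}
	return h
}

// stripClientIdentity removes anything the client sent that could influence
// who the upstream request runs as. Only the proxy asserts identity upstream.
func stripClientIdentity(h http.Header) {
	h.Del("Authorization")
	for k := range h {
		if strings.HasPrefix(k, "Impersonate-") { // header keys are already canonical
			h.Del(k)
		}
	}
}

// newImpersonatingProxy reverse-proxies to apiServer. proxyToken is the bearer
// token of the proxy's own service account (which needs RBAC permission to
// "impersonate" users and groups); authenticate maps a request to the
// authenticated user, or nil when the caller has no valid session.
func newImpersonatingProxy(apiServer *url.URL, proxyToken string, authenticate func(*http.Request) *Identity) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(apiServer)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := authenticate(r)
		if id == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		out := r.Clone(r.Context())
		stripClientIdentity(out.Header)
		out.Header.Set("Authorization", "Bearer "+proxyToken)
		for k, vs := range impersonationHeaders(*id) {
			out.Header[k] = vs
		}
		rp.ServeHTTP(w, out)
	})
}

func main() {
	// Placeholder wiring (not an OpenUnison configuration): the API server
	// address, the token and the session lookup come from your deployment.
	api, _ := url.Parse("https://kubernetes.default.svc")
	proxy := newImpersonatingProxy(api, "PROXY_SERVICE_ACCOUNT_TOKEN", func(r *http.Request) *Identity {
		return nil // replace with your identity provider's session lookup
	})
	log.Fatal(http.ListenAndServe(":8443", proxy))
}
```

Two points matter for safety here: the proxy must drop any `Authorization` or `Impersonate-*` headers the client supplies before adding its own, otherwise a caller could pick the identity the request runs as; and the proxy's service account should be granted the `impersonate` verb only on the `users` and `groups` resources it needs, since that permission is equivalent to the union of everything those users can do.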


To get this working, we also contributed to the 2.0 Kubernetes dashboard to support impersonation as well as the Java client SDK to support OpenID Connect.  We’re proud that not only are our own products open source, but that we donate to the larger community as well!



Once you’ve deployed OpenUnison, you want to make sure it stays available and that you have a handle on how much it’s being used.  Since it’s part of your security program, you don’t want to expose metrics data anonymously.  To that end, we added a Prometheus endpoint to OpenUnison and protect it by requiring an authorized Kubernetes service account, verified using the TokenReview API.  This way you can get detailed usage data from OpenUnison securely.
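Protecting a metrics endpoint with TokenReview means the application never validates service account tokens itself: it posts the presented bearer token to the API server's `authentication.k8s.io/v1` TokenReview endpoint and trusts the answer. The Go program below is an added example of that flow, not OpenUnison's implementation; the `tokenReviewer` and `metricsHandler` names, the `openunison_up` sample metric and the `monitoring/prometheus` service account are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
)

// tokenReview mirrors the fields of an authentication.k8s.io/v1 TokenReview
// this example uses: the request carries the token to check, the response
// says whether it is valid and which user (for a service account,
// system:serviceaccount:<namespace>:<name>) it belongs to.
type tokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Token string `json:"token"`
	} `json:"spec"`
	Status struct {
		Authenticated bool `json:"authenticated"`
		User          struct {
			Username string `json:"username"`
		} `json:"user"`
	} `json:"status"`
}

// tokenReviewer submits tokens to the API server using the application's own
// service account token, which needs RBAC permission to create tokenreviews.
type tokenReviewer struct {
	apiServer string
	ownToken  string
	client    *http.Client
}

func (t *tokenReviewer) review(token string) (*tokenReview, error) {
	var in tokenReview
	in.APIVersion = "authentication.k8s.io/v1"
	in.Kind = "TokenReview"
	in.Spec.Token = token
	body, _ := json.Marshal(in)
	req, err := http.NewRequest(http.MethodPost, t.apiServer+"/apis/authentication.k8s.io/v1/tokenreviews", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+t.ownToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := t.client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("tokenreview: unexpected status %d", resp.StatusCode)
	}
	var out tokenReview
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out, nil
}

// metricsHandler lets a request through to metrics only when the API server
// confirms its bearer token and the token belongs to allowedSA. A valid token
// alone is not enough: every pod in the cluster has one.
func metricsHandler(reviewer *tokenReviewer, allowedSA string, metrics http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		tr, err := reviewer.review(strings.TrimPrefix(auth, "Bearer "))
		if err != nil {
			http.Error(w, "token review failed", http.StatusBadGateway)
			return
		}
		if !tr.Status.Authenticated {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		if tr.Status.User.Username != allowedSA {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		metrics.ServeHTTP(w, r)
	})
}

func main() {
	// In-cluster wiring: the mounted service account token identifies this pod to
	// the API server. http.DefaultClient is used for brevity; a real deployment
	// trusts the cluster CA (ca.crt from the same mount) instead.
	own, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
	if err != nil {
		log.Fatal(err)
	}
	reviewer := &tokenReviewer{apiServer: "https://kubernetes.default.svc", ownToken: strings.TrimSpace(string(own)), client: http.DefaultClient}
	metrics := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "openunison_up 1") // stand-in for a real exposition handler
	})
	log.Fatal(http.ListenAndServe(":8080", metricsHandler(reviewer, "system:serviceaccount:monitoring:prometheus", metrics)))
}
```

The application's own service account needs `create` on `tokenreviews` in the `authentication.k8s.io` group (the built-in `system:auth-delegator` ClusterRole grants exactly this), and the scrape target in Prometheus is configured with the bearer token of the one service account the handler allows.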

Finally, we updated our deployment mechanism for Kubernetes, moving to Helm 3.0 charts.  We have resisted using Helm in the past due to its dependency on Tiller.  With that dependency gone, we felt the time was right to create charts for easier management and better integration with existing cluster management tools.  If you don’t use Helm for package management, that’s OK too!  Our charts can be used to generate static manifests.  Once deployed, our operator will look for changes in OpenUnison’s configuration and update accordingly.

Cloud

In this release we’re adding support for provisioning to both AzureAD and Okta.  For Okta, we’re able to provision users and groups via their API just as if using a database or Active Directory.  We track what attributes are created/changed/deleted and can assign group membership based on business approvals.  We can do the same for AzureAD, with the addition of being able to invite new guests directly from a workflow, adding a further layer of automation.  This adds a powerful governance and automation layer to these services, opening the door for onboarding, offboarding and access recertification using OpenUnison’s lightweight automation.



In addition to the new provisioning targets, we also added support for verifying JSON Web Tokens directly via the OAuth2 discovery endpoint specification making it easier to integrate our identity APIs into existing cloud native environments.
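Verifying a JWT through discovery means the verifier is configured with nothing but the issuer URL and the expected audience: it fetches `/.well-known/openid-configuration`, follows `jwks_uri` to the issuer's public keys, picks the key named by the token's `kid`, and only then checks the signature and the `iss`, `aud` and `exp` claims. The Go program below is an added example of that procedure and is not OpenUnison's code; it supports RS256 only, and the issuer-side helpers (`newIssuerKey`, `jwkFor`, `signRS256`) exist solely so the verifier can be exercised offline against a constructed key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK use URL-safe base64 without padding

// jwk carries only the RSA public-key members this verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func (k jwk) publicKey() (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil { return nil, errors.New("unusable JWK") }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// claims keeps aud raw because issuers send it either as a string or as an array.
type claims struct {
	Iss string          `json:"iss"`
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

func (c claims) hasAudience(aud string) bool {
	var one string
	var many []string
	if json.Unmarshal(c.Aud, &one) == nil { many = []string{one} } else { json.Unmarshal(c.Aud, &many) }
	for _, a := range many { if a == aud { return true } }
	return false
}

func getJSON(c *http.Client, url string, v interface{}) error {
	resp, err := c.Get(url)
	if err != nil { return err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return fmt.Errorf("GET %s: status %d", url, resp.StatusCode) }
	return json.NewDecoder(resp.Body).Decode(v)
}

// verifyJWT resolves the issuer's keys through OpenID Connect discovery and accepts
// token only if its RS256 signature, issuer, audience and expiry all check out.
func verifyJWT(c *http.Client, issuer, audience, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil { return nil, err }
	// The verifier, not the token header, decides the algorithm: "none" and HMAC are rejected here.
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) }
	var disc struct { Issuer string `json:"issuer"`; JwksURI string `json:"jwks_uri"` }
	if err := getJSON(c, strings.TrimSuffix(issuer, "/")+"/.well-known/openid-configuration", &disc); err != nil { return nil, err }
	if disc.Issuer != issuer { return nil, errors.New("discovery document issuer mismatch") }
	var set struct { Keys []jwk `json:"keys"` }
	if err := getJSON(c, disc.JwksURI, &set); err != nil { return nil, err }
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid { if pub, err = k.publicKey(); err != nil { return nil, err } }
	}
	if pub == nil { return nil, fmt.Errorf("no key with kid %q", hdr.Kid) }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers header.payload
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("signature verification failed") }
	payload, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var cl claims
	if err := json.Unmarshal(payload, &cl); err != nil { return nil, err }
	if cl.Iss != issuer { return nil, errors.New("issuer mismatch") }
	if !cl.hasAudience(audience) { return nil, errors.New("audience mismatch") }
	if !now.Before(time.Unix(cl.Exp, 0)) { return nil, errors.New("token expired") }
	return &cl, nil
}

// Issuer-side helpers, present only so the verifier can be exercised offline with a constructed key.
func newIssuerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func jwkFor(key *rsa.PrivateKey, kid string) jwk {
	return jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
}

func signRS256(key *rsa.PrivateKey, kid string, payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
```

Two checks in `verifyJWT` are easy to forget in a hand-rolled verifier and are the ones that matter most: the algorithm is fixed by the verifier rather than read from the token (so an `alg: none` token is refused before any key lookup), and the `issuer` field of the discovery document must equal the issuer URL the verifier was configured with, otherwise a discovery document could point the verifier at someone else's key set.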

Finally, we added support for DUO authentication as an add-on in 1.0.17. We integrated it directly into our source base for 1.0.18 as a first class option for authentication!

Security

Snyk.io Results

We’ve talked about how we already make sure to keep our libraries up to date with each release and how we update our containers whenever a dependency with a known CVE is patched.  Starting with 1.0.18 we’ve integrated Snyk.io into our development process with the goal of getting not only our direct dependencies patched, but also the dependencies of dependencies.  We were able to do it using both our integration with Snyk.io’s service and the extensive testing process we use for each release.  To get to zero known vulnerabilities, we had to override versions of popular libraries needed by the libraries we reference directly.  We couldn’t do that without being confident that doing so wouldn’t break OpenUnison’s functionality.  The combination of knowing which libraries have known issues and the ability to integrate patched versions confidently is pretty amazing for commercial software and we’re proud we’re able to accomplish it!

Bringing it all together

This is one of our biggest feature releases to date!  Take a look at our solutions pages to see how Tremolo Security can help and stay tuned for tutorials and blog posts in the coming weeks about how you can use these great features in your project!
