Authentication needs more details #761
Comments
which part do you struggle with? I am not very familiar with azure. I tried a bit and it worked with this:

```yaml
ui:
  openIDConnect:
    enabled: true
    discoveryUrl: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    callbackUrl: http://localhost:8082/callback
    clientId: 31adb89f-1162-404b-... # clientId
    clientSecret: <generated client secret> # certificate & secrets -> new client secret key
    groupClaim: "groups"
```

Steps I did in azure:
When you configure access control with your Azure groups be aware that azure adds the roles with their IDs:

```yaml
ui:
  customBoards:
    - name: Infrastructure
      namespaces:
        selector:
          team: infra
      accessControl:
        groups: [92ae7bb0-1720-4794-a47d-997bc000460c]
```

I will try to improve the documentation over time but it's a bit much to provide examples for all common OpenIDConnect clients.
With a list of policy names?
https://kyverno.github.io/policy-reporter-docs/policy-reporter/report-processing.html#source-filter It automatically skips all reports for Pod resources if they are owned by a controller resource. This reduces duplication of information because kyverno generates in most cases duplicated reports for e.g. deployments, replicasets and pods. If you do not have pods without a controller, it will not show any Pod report or filter.
As Admin, I would like to see everything, but for developers, I would like that each team can see only their namespaces
filter namespaces is possible. As documented you can use a fixed list of namespaces or labels to select them. In the example namespaces are selected via labels:

```yaml
namespaces:
  selector:
    team: infra
```

You can add accessControl to all default boards (currently not per board). This will hide these boards for your e.g. infra team:

```yaml
ui:
  boards:
    accessControl:
      groups: ['admin']
```
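Putting the pieces from this thread together, as an added example that is not from the project's docs or the maintainer: one Helm values fragment with Azure OIDC, a restriction on the default boards and two per-team custom boards. Tenant id, client id/secret, UI host and the group object IDs are placeholders, and it assumes the app registration is configured to emit the `groups` claim in the token.

```yaml
# Added example, not the project's own documentation.
# Replace every <...> placeholder with your own Azure (Entra ID) values.
ui:
  openIDConnect:
    enabled: true
    # discovery document of your tenant
    discoveryUrl: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    # must match the redirect URI registered on the app registration
    callbackUrl: https://<policy-reporter-ui-host>/callback
    clientId: <client-id>
    clientSecret: <client-secret>   # prefer a secretRef over an inline secret in a committed values file
    groupClaim: "groups"            # Azure fills this claim with group object IDs, not group names

  # default boards: only members of the admin group see them
  boards:
    accessControl:
      groups: ["<admin-group-object-id>"]

  customBoards:
    # infra team: only namespaces labelled team=infra, visible only to the infra group
    - name: Infrastructure
      namespaces:
        selector:
          team: infra
      accessControl:
        groups: ["<infra-group-object-id>"]
    # dev team: same pattern with a different label and group
    - name: Development
      namespaces:
        selector:
          team: dev
      accessControl:
        groups: ["<dev-group-object-id>"]
```

A user who is in none of the listed groups logs in successfully but sees no boards, so test with one account per group before rolling this out.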
It does not work, and concerning the groups you told me above

Did you test it? a screenshot can perhaps help Thanks

Sorry, I found an issue in the Helm Chart, which did not map the boards configuration into the UI config. I tested it in my local setup, which worked. Preparing a fix for it.

You can update to helm chart version Could you provide a screen of the result of `kubectl get cpol -o wide`

Do the missing policies provide any results? Could be the case that policies which do not produce any result are not shown in this list. Will see if I can improve this when the kyverno plugin is used.
Are you sure that 3.0.3 is published

Can you please check again? The publish action failed
The same thing, there is only version 3.0.0

This is the underlying chart repo: https://kyverno.github.io/policy-reporter/index.yaml As you see the latest item is Helm Chart Version 3.0.3 / App Version: 3.0.0

```
➜ policy-reporter git:(main) helm search repo policy-reporter
NAME                            CHART VERSION APP VERSION DESCRIPTION
policy-reporter/policy-reporter 3.0.3         3.0.0       Policy Reporter watches for PolicyReport Resour...
```

The
I added
then I could see all my policies. Another issue is when I try to use secretRef to authenticate, the secret does not get mounted into the deployment and I already opened a PR for it #771

I just released a new Helm Chart version which should display your policies in the list even if they don't produce a result. This is not how secretRefs work. They don't need to be attached to the deployment. They are fetched at runtime. See https://github.com/kyverno/policy-reporter-ui/blob/main/backend/pkg/kubernetes/secrets/client.go#L35 for the expected keys of the secret
https://kyverno.github.io/policy-reporter-docs/policy-reporter-ui/authentication.html has examples under "helm + secretRefs". |
Hello,
I'd like to request the documentation in details how to setup authentication as It's not clear how to setup it in the official page.
As a good example, see https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#entra-id-app-registration-auth-using-oidc
If you could give an example how we could implement the authentication on azure using openidConnect and allow a specific Group to see only x customBoard would be great (Actually I implemented it but I cannot split the boards and implement the authorization)
Another issue that I got is when I add accessControl to customBoards, the customBoard does not appear in the UI?
Thanks