Integrated Authentication allows Rackspace to configure clusters to connect and authenticate against customer-provided Identity Services, such as ones that use Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP), and so on. Examples of configurable Identity backends include Okta, Ping, and ADFS.
Using Integrated Authentication enables users to authenticate to Rackspace managed services by using a customer identity from a centralized service.
The Kubernetes Access Manager (KAM) is a custom Rackspace component through which you get secure, cloud-idiomatic access to the
KAM is a component of Integrated Authentication that provides temporary access credentials and kubeconfig files for the cluster. These resources allow your users to retrieve Kubernetes credentials automatically through a secure portal that leverages their Identity Provider credentials. To get credentials for the cluster, the user must already be a member of the cluster-admin group that is defined in your Identity Provider.
Customers must set up and define the cluster-admin group within their Identity Providers themselves. Rackspace cannot assist with this process.
To access KAM for your cluster on RPCO, access the following URL, substituting your cluster name and DNS domain:
To access KAM for your cluster on EKS, access the following URL, substituting your cluster name and DNS domain:
With EKS, KAM uses the AWS Identity and Access Management (IAM) system add-on, kube-to-IAM, to take advantage of the built-in Role-Based Access Control (RBAC) system to scope access to users and roles. If EKS users try to use a managed service without the appropriate authorization, they get an error. In an EKS cluster, KAM scopes the services to the user roles in IAM.
With RPCO, anyone with access to the cluster automatically has access to all the services on the cluster.
When you go to the KAM portal for your cluster, you are prompted to log in to your company's Identity Provider (such as Keystone for RPCO) with your corporate credentials. The Identity Provider then returns the list of cluster-admin groups of which you are a member.
After you log in, choose the group for which you need credentials and click GET CREDENTIALS.
If you are not a member of the admin group for the cluster, as soon as you log in to KAM you get an authentication error saying that you are not a member of any groups for the cluster. Ask your Identity Provider to add you to the group if you need access.
If you are a member of a group, the credentials display in the form of a kubeconfig file that you can use to run kubectl commands on the cluster. kubectl uses the contents of the kubeconfig file to authenticate the specified user by using the specified authentication method.
Copy the credentials and paste them into a new kubeconfig file for your cluster. If you have an existing kubeconfig file, replace the contents with the new credentials. You should store the file in your home directory, such as ~/.kube/rackspace/kubeconfig. You might need to create this path.
Use the following structure to specify the kubeconfig file to use for your kubectl commands, replacing the kubeconfig filename with the one that you created, the namespace with your namespace, and the command with the operation you want to perform:
    kubectl --kubeconfig=yourkubeconfigfile -n yournamespace kubectl-command
You can also run the following command to set the KUBECONFIG environment variable to the config file name so that you don't need to specify it in each kubectl command:
    $ export KUBECONFIG=~/.kube/rackspace/kubeconfig
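As an added example that is not Rackspace's own tooling, the following POSIX shell function carries out the steps above: it checks that the pasted text has the top-level keys of a kubeconfig, creates the ~/.kube/rackspace path if it does not exist, and writes the file so that only the owner can read it, because the file holds the temporary cluster credentials. The function name, the sample kubeconfig, and its placeholder server and token are constructed for this example.

```shell
# Added example, not Rackspace's own tooling: install the kubeconfig that KAM
# displays into a private path and sanity-check its shape before use.
# Usage: install_kam_kubeconfig <pasted-file> [destination]
install_kam_kubeconfig() {
    src="$1"
    dest="${2:-$HOME/.kube/rackspace/kubeconfig}"

    # The file carries the temporary cluster credentials, so reject anything
    # that lacks the top-level keys kubectl expects before writing it anywhere.
    for key in apiVersion clusters contexts users current-context; do
        if ! grep -q "^${key}:" "$src"; then
            echo "refusing to install $src: missing top-level key '${key}'" >&2
            return 1
        fi
    done

    # Create the path (the page notes it might not exist yet) so that only the
    # owner can read it: umask 077 yields a 0700 directory and a 0600 file.
    (
        umask 077
        mkdir -p "$(dirname "$dest")" && cp "$src" "$dest"
    ) || return 1
    chmod 600 "$dest"
    echo "export KUBECONFIG=$dest"
}

# Constructed sample of what the KAM portal displays; the server and token are
# placeholders, not a real Rackspace endpoint or credential.
SAMPLE_KUBECONFIG='apiVersion: v1
kind: Config
clusters:
- name: example-cluster
  cluster:
    server: https://kube.example.invalid:6443
contexts:
- name: example-cluster
  context:
    cluster: example-cluster
    user: kam-user
current-context: example-cluster
users:
- name: kam-user
  user:
    token: PLACEHOLDER_TOKEN'

# Demo in a throwaway directory so that a real ~/.kube is left untouched.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_KUBECONFIG" > "$demo_dir/pasted"
install_kam_kubeconfig "$demo_dir/pasted" "$demo_dir/kube/rackspace/kubeconfig"
```

The function prints the export line to run next; pass a second argument to install the file somewhere other than ~/.kube/rackspace/kubeconfig.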
Rackspace uses Dex as an Identity Service to connect the customer identity to Rackspace Managed Services and KAM. Dex is an Identity Service that uses OpenID Connect to drive authentication for other applications.
There are currently no specific implementation details for KAM or Dex.