Think about authentication and identity management

[sebgoa]

We need to think about authentication for this.

The k8s dashboard might give us some ideas.

The coreOS dex project might be useful as well.

[sebgoa]

Does it make sense to use Auth0

[remstos]

For which part would you need authentication?

[sebgoa]

That's the bit I am not sure yet:

• I think the UI should be tied to the k8s cluster auth (so for instance if we were using coreOS dex, we could use social login in the k8s cluster and same in kubeless UI). then with RBAC setup in k8s, folks would only deploy functions where they are allowed to. But forcing folks to deploy Dex might be too much.
• the functions themselves will need some type of auth, but that's not really a UI issue.

If we were to use Auth0 for auth/authz to the UI, I think (current understanding of Auth0) that we would be tied to a single application. All users of kubeless (as in worldwide on different clusters) would authenticate via the same Auth0 app.

[serverlessnomad]

I would also advocate for adding authentication. I deployed the UI after standing up a cluster via Stackpoint only to find it open to the world and having to take it down. I'll be looking for an alternative way to leverage the UI because I like the utility of it, bit having some auth in front would be good. Is the expectation that the UI sits only on an internal network and would never be accessed over the Internet?

[sebgoa]

The problem is that to create a function through the UI, one needs to pass its k8s creds somehow otherwise the service account running the UI needs "cluster wide" access.

This is the same issue as the k8s dashboard

[sebgoa]

Godo wiki doc here: https://github.com/kubernetes/dashboard/wiki/Access-control

[thoughtentity]

Definitely, would like to see Open ID Connect support. It is one of the natively supported authentication strategies in Kubernetes that supports external identity provider logins (Auth0, Google and GitHub among others). Kubernetes's Dashboard is tacking support in kubernetes/dashboard#2353, however, they're waiting for some APIs to land in Core in order to query the configured authentication strategies in Kubernetes.

As far as being secure out of the box. I'd recommend changeing the service type to ClusterIP and just using kubectl proxy to open a secure channel into the cluster. Then access kubeless-ui using the service proxy URL over localhost:8001 (http://localhost:8001/api/v1/proxy/namespaces/kubeless/services/ui:ui-port/). The Kubernetes Dashboard uses a similar strategy.

[sebgoa]

@thoughtentity yes good points.

We are actually re-writing a kubeless UI in kubeapps: https://github.com/kubeapps/kubeapps . the dashboard is indeed opened via a proxy connection, plus we are starting to align with the k8s dashboard auth strategies:

vmware-tanzu/kubeapps#199

PR welcome on any projects to move in the right direction :)