
SSO New Generation with Pomerium

Context

When an application does not provide its own authentication mechanism, a good practice is to expose it behind an SSO layer.

In the past, k8saas provided a built-in SSO that allowed all Thales employees, but the configuration was difficult to put in place:

  • one OAuth proxy per URL
  • a manual ticket to send to support to obtain credentials
  • confusing redirect URL configuration

K8SAAS has decided to propose a new generation of SSO that needs neither a manual ticket nor the deployment of an OAuth proxy per URL.

This solution is based on Pomerium.


Not supported for corporate-addon

Pomerium is not currently supported for corporate-addon clusters.

Use cases

  • After the GoToDemo gate, expose an application to users outside the development team without using a VPN
  • Protect a few ingresses or URLs using a single mechanism
  • Authenticate users accessing a static or simple application

What to do?

Enable the feature

This feature is not yet deployed by default (it is still at an exploration stage).

To use this feature, you first need to send a request on the TrustNest K8SaaS Service catalog with the following info:

  • the name of your instance
  • a request to escalate the ticket to tdp-k8saas
  • a request to enable the SSO new generation

Use the feature

To use this SSO new generation, you just have to:

  • add the following ingress class name:

    ingressClassName: pomerium

  • specify the policy, following the examples below:

Allow all thalesdigital.io:

    ingress.pomerium.io/policy: |
      - allow:
          or:
            - domain:
                is: thalesdigital.io

Allow specific users:

    ingress.pomerium.io/policy: |
      - allow:
          or:
            - email:
                is: toto.titi@thalesdigital.io

Allow specific Azure AD groups:

  1. retrieve the Azure AD group objectId:

    az ad group show -g <my_group_name> --query "id" -otsv

  2. use the id in the group policy:

    ingress.pomerium.io/allowed_groups: |
      - <id>

Manage User access with Azure Enterprise Application (special case)

Azure Active Directory provides a way to manage user access using both OAuth 2.0 and the Enterprise Application. The purpose of this section is to explain how to set up your SSO to do so.

Assignment required in AAD: first, you need to enforce the "Assignment required" setting.

Go to your enterprise application in the Azure portal and make sure your configuration is as follows:


Users and Groups in AAD: this setting rejects users that are not listed in the "Users and Groups" section.

Then go to the "Users and Groups" section and add the users and groups that you want to allow.

Pomerium policy:

Simply add the following annotation to allow all logged-in users:

    ingress.pomerium.io/policy: |
      - allow:
          or:
            - authenticated_user: true

Now all users listed in the enterprise application can access your k8saas application behind the SSO v2.

Test with an example ingress:

Here is a test using an example ingress that exposes a Hello World application through Pomerium.

To follow this tutorial, please use the pomerium-helloworld folder from our Hello world repository.

First of all, deploy the hello-world application and associated service:

$ kubectl apply -f aks-helloworld-pomerium.yaml

Then, let's take a look at the file pomerium-ingress.yaml:

apiVersion: networking.k8s.io/v1 #extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.pomerium.io/policy: |
      - allow:
          or:
            - domain:
                is: thalesdigital.io
  name: httpserver-ingress
spec:
  ingressClassName: pomerium
  rules:
  - host: hello-world-ingress.demo-pomerium.kaas.thalesdigital.io
    http:
      paths:
      - backend:
          service:
            name: aks-helloworld-one
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - hello-world-ingress.demo-pomerium.kaas.thalesdigital.io
    secretName: http-pomerium-test

This deploys an ingress that exposes the hello world application through Pomerium.

The important fields are:

  • spec.ingressClassName: the ingressClass to use, in our case pomerium
  • metadata.annotations.ingress.pomerium.io/policy: the Pomerium policy for that ingress

First, rename the ingress host and secret for your cluster. Be sure to replace <YOUR_CLUSTER_NAME> with your cluster name when running the following command:

$ sed -i'.bak' "s/hello-world-ingress.demo-pomerium.kaas.thalesdigital.io/hello-world-ingress.<YOUR_CLUSTER_NAME>-pomerium.kaas.thalesdigital.io/g" pomerium-ingress.yaml

Deploy the ingress to your cluster:

$ kubectl apply -f ./pomerium-ingress.yaml

You can use the following command to watch the deployed ingress until a public IP is assigned to it:

$ kubectl get ing -w
NAME                 CLASS      HOSTS                                       ADDRESS         PORTS     AGE
httpserver-ingress   pomerium   <YOUR_CLUSTER_NAME>.kaas.thalesdigital.io   20.11.111.111   80, 443   2m

After a few minutes, open https://<YOUR_CLUSTER_NAME>.kaas.thalesdigital.io; once signed in, you can access the hello world page.

Delete the deployed resources:

$ kubectl delete -f aks-helloworld-pomerium.yaml
$ kubectl delete -f ./pomerium-ingress.yaml
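The two settings the "Use the feature" section asks for (ingressClassName set to pomerium, a Pomerium policy annotation) and the host rename from this tutorial, put together as an added shell example with a pre-apply check. This is not code from the k8saas documentation or from the Hello World repository, and the checks are ours, not a Pomerium feature. It assumes the hostname pattern hello-world-ingress.<cluster>.kaas.thalesdigital.io; the cluster name "demo" used in the usage line is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the k8saas docs or the Hello World repository.
# render_pomerium_ingress prints the tutorial's Ingress for a cluster name and
# a Pomerium policy; lint_pomerium_ingress checks a manifest file before
# "kubectl apply". Assumed hostname pattern:
#   hello-world-ingress.<cluster>.kaas.thalesdigital.io

# Policy bodies from the page, indented to sit under the annotation's "|".
POLICY_DOMAIN='- allow:
          or:
            - domain:
                is: thalesdigital.io'
POLICY_ANY_AUTHENTICATED='- allow:
          or:
            - authenticated_user: true'

# Print an Ingress manifest for cluster "$1" carrying policy "$2".
render_pomerium_ingress() {
  host="hello-world-ingress.$1.kaas.thalesdigital.io"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpserver-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.pomerium.io/policy: |
      $2
spec:
  ingressClassName: pomerium
  rules:
    - host: $host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: aks-helloworld-one
                port:
                  number: 80
  tls:
    - hosts:
        - $host
      secretName: http-pomerium-test
EOF
}

# Return 0 when the manifest routes through the Pomerium ingress class.
uses_pomerium_class() {
  grep -Eq '^[[:space:]]*ingressClassName:[[:space:]]*pomerium[[:space:]]*$' "$1"
}

# Return 0 when at least one Pomerium access-control annotation is present.
has_pomerium_policy() {
  grep -Eq '^[[:space:]]*ingress\.pomerium\.io/(policy|allowed_groups):' "$1"
}

# Return 0 when the policy relies solely on "authenticated_user: true".
# Such a policy admits every account that can sign in, so it is only as
# tight as the "Assignment required" setting on the AAD enterprise app.
is_any_authenticated_policy() {
  grep -Eq '^[[:space:]]*-?[[:space:]]*authenticated_user:[[:space:]]*true' "$1" &&
    ! grep -Eq '^[[:space:]]*-?[[:space:]]*(domain|email):' "$1" &&
    ! grep -q 'allowed_groups:' "$1"
}

# Return 0 when every hostname in the manifest (rules and tls) is the same.
hosts_consistent() {
  n=$(grep -o '[a-z0-9.-]*\.kaas\.thalesdigital\.io' "$1" | sort -u | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Return 0 when the <YOUR_CLUSTER_NAME> placeholder has been replaced.
no_placeholder_left() { ! grep -q '<YOUR_CLUSTER_NAME>' "$1"; }

# Combined check: prints findings, returns 0 only if the manifest passes.
lint_pomerium_ingress() {
  f=$1
  rc=0
  uses_pomerium_class "$f"  && echo "ok: ingressClassName is pomerium" || { echo "FAIL: ingressClassName must be pomerium"; rc=1; }
  has_pomerium_policy "$f"  && echo "ok: Pomerium policy annotation found" || { echo "FAIL: no ingress.pomerium.io/policy or allowed_groups annotation"; rc=1; }
  hosts_consistent "$f"     && echo "ok: rules and tls hosts match" || { echo "FAIL: rules and tls hosts differ"; rc=1; }
  no_placeholder_left "$f"  && echo "ok: no placeholder left" || { echo "FAIL: <YOUR_CLUSTER_NAME> still present"; rc=1; }
  if is_any_authenticated_policy "$f"; then
    echo "warn: policy allows any authenticated user; enforce 'Assignment required' in AAD"
  fi
  return $rc
}

# Usage: render for the constructed cluster name "demo", then lint it.
render_pomerium_ingress demo "$POLICY_DOMAIN" > pomerium-ingress.generated.yaml
lint_pomerium_ingress pomerium-ingress.generated.yaml
```

Run the lint on any manifest before `kubectl apply`; a non-zero exit means one of the two important fields is missing or the hostnames disagree, while the `authenticated_user` warning only reminds you that the AAD "Assignment required" setting is what restricts access in that configuration.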

Next step