Tectonic Identity authenticates clients, such as kubectl and Tectonic Console, for access to the Kubernetes API and, through it, to Tectonic cluster services. All Tectonic clusters use Role-Based Access Control (RBAC) to govern access to cluster services. Tectonic Identity authenticates a user's identity, and RBAC enforces authorization based on that identity. Tectonic Identity can map cluster RBAC bindings to an existing LDAP (Lightweight Directory Access Protocol) system over a secure channel.
Configure Tectonic Identity to map to your existing LDAP service, to enable user authentication for defined users and groups.
Tectonic Identity is configured through the Tectonic Console to allow for LDAP user authentication. The following information is required to integrate with an LDAP server:
Use Tectonic Console to enable LDAP authentication in your cluster:
Go to Administration > Cluster Settings, and click LDAP
In the LDAP window that opens, enter your host and the (optional) port of the LDAP server in the form host:port, and select a verification option.
Click Continue to enter your LDAP Service Account username and password (obtained from your LDAP admin).
Click Continue to enter user search criteria. The username entered at login is combined with the configured user filter, for example:
(&(objectClass=person)(uid=<username>))
which matches user entries with an objectClass of person.
Group search works the same way: the group filter is combined with the matched user's attribute, for example:
(&(objectClass=group)(member=<user uid>))
which matches group entries with an objectClass of groupOfNames. Group members listed in the LDAP directory as, for example, member: cn=john,dc=example,dc=org are referenced by their Distinguished Name (DN) attribute.
Click Continue to enter a test Username and Password, then click Test Configuration to verify that users and groups are correctly configured.
When confirmed, click Continue, and follow the instructions to back up the existing configuration, then apply the new configuration to the cluster.
First, click Download Existing Config to download a backup of the existing configuration.
Then, click Download New Config to download the new configuration YAML file.
Run kubectl apply to apply the new configuration:
kubectl apply -f path/to/config/file/new-tectonic-config.yaml
Finally, trigger a rolling update of the Identity pods, which will read the new configuration:
kubectl patch deployment tectonic-identity \
--patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}" \
--namespace tectonic-system
If successful, the following message is displayed:
"tectonic-identity" patched
To use kubectl as an LDAP user, set the KUBECONFIG environment variable to the kubectl configuration file. For example:
export KUBECONFIG=~/Download/kubectl-config
Until otherwise modified, use your static account for further administrative setup.
The following examples demonstrate mapping LDAP schema to Tectonic Identity configurations.
User LDAP schema:
dn: cn=john,dc=people,dc=example,dc=org
objectClass: person
cn: jane
email: jane.doe@example.com

dn: cn=developers,dc=groups,dc=example,dc=org
objectClass: group
cn: developers
member: jane
Corresponding Tectonic Identity config, in which the cn of the user is matched with the member field of the group:
userAttr: cn
memberAttr: member
Group LDAP schema:
dn: cn=john,dc=people,dc=example,dc=org
objectClass: person
cn: jane
email: jane.doe@example.com
memberOf: cn=developers,dc=groups,dc=example,dc=org

dn: cn=developers,dc=groups,dc=example,dc=org
objectClass: group
cn: developers
Corresponding Tectonic Identity config, in which the memberOf attribute of the user is matched with the dn field of the group:
userAttr: memberOf
memberAttr: dn
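The following added example (not Tectonic's or dex's own code) models the two steps described above: substituting the login username into the user filter, and resolving groups through the userAttr/memberAttr mapping for both schema styles. The directory is constructed in memory, the filter evaluator only understands AND-of-equality filters, and the username is escaped per RFC 4515 before substitution so that a value containing filter metacharacters is compared literally instead of altering the query.

```python
import re

# Constructed in-memory directory covering both schema styles shown above:
# the group carries a "member" attribute (matched against the user's cn) and
# the user carries a "memberOf" attribute (matched against the group's dn).
DIRECTORY = [
    {"dn": "cn=jane,dc=people,dc=example,dc=org", "objectClass": "person",
     "cn": "jane", "uid": "jane", "email": "jane.doe@example.com",
     "memberOf": "cn=developers,dc=groups,dc=example,dc=org"},
    {"dn": "cn=developers,dc=groups,dc=example,dc=org", "objectClass": "group",
     "cn": "developers", "member": "jane"},
]

def escape_filter_value(value):
    """Escape a value for substitution into a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(username):
    """Combine the configured user filter with the escaped login username."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)

def matches(entry, flt):
    """Evaluate an AND-of-equalities filter against one entry (toy evaluator,
    attribute names compared case-sensitively)."""
    unesc = lambda v: re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), v)
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", flt)
    return all(entry.get(k) == unesc(v) for k, v in terms)

def resolve_groups(directory, username, user_attr, member_attr):
    """Find the user, then return the cn of every group whose member_attr
    equals the user's user_attr. None means no (or an ambiguous) user match."""
    users = [e for e in directory if matches(e, user_filter(username))]
    if len(users) != 1:  # zero or several matches: deny rather than guess
        return None
    key = users[0].get(user_attr)
    return sorted(g["cn"] for g in directory
                  if g.get("objectClass") == "group" and g.get(member_attr) == key)

if __name__ == "__main__":
    print(resolve_groups(DIRECTORY, "jane", "cn", "member"))      # ['developers']
    print(resolve_groups(DIRECTORY, "jane", "memberOf", "dn"))    # ['developers']
    print(resolve_groups(DIRECTORY, "*)(uid=*", "cn", "member"))  # None
```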