As Konvoy is based on Kubernetes, it uses Kubernetes security mechanisms. This includes role-based access control (RBAC) for determining which resources a user can access.
Users are identified through an OpenID Connect interface, which supports login using multiple connectors, including GitHub, Google, and LDAP.
To use kubectl to access the Kubernetes cluster, obtain a token from the web landing page by selecting Generate Kubectl Token.
Select an identity provider and cluster.
As many of the backends provide single sign-on (SSO), you may already be signed in.
Otherwise, you will be redirected to your identity provider's web page to log in.
Once you have signed in, a page will show the commands required to configure kubectl to access the Konvoy cluster.
When the token expires, it is necessary to repeat the above process to obtain a fresh token.
When refreshing a token, only the kubectl config set-credentials command needs to be executed with the new token.
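To tell whether a stored token is due for the refresh described above, and which identity claims RBAC bindings would be matched against, the token can be inspected locally. The following is an added example, not part of the Konvoy documentation. It assumes the token is an OIDC ID token in compact JWT form and that it carries email and groups claims; the issuer URL and sample token are constructed.

```python
import base64
import json
import time

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_id_token(token, now=None, skew=60):
    """Decode an ID token's claims WITHOUT verifying its signature.

    Local inspection only: the API server is what validates the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("token payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("token has no numeric 'exp' claim")
    now = time.time() if now is None else now
    remaining = int(claims["exp"] - now)
    return {
        "issuer": claims.get("iss"),
        "email": claims.get("email"),          # assumed claim name
        "groups": claims.get("groups", []),    # assumed claim name
        "seconds_remaining": remaining,
        # Treat a token inside the skew window as expired, to allow for clock drift.
        "needs_refresh": remaining <= skew,
    }

def make_sample_token(claims):
    # Constructed sample: placeholder signature, never valid on a real cluster.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".c2lnbmF0dXJl"

SAMPLE = make_sample_token({
    "iss": "https://konvoy.example.com/dex",  # constructed issuer URL
    "email": "operator@example.com",
    "groups": ["example-org:cluster-admins"],
    "exp": 1700000000,
})

if __name__ == "__main__":
    print(inspect_id_token(SAMPLE, now=1699999000))
```

Because the signature is not checked, the output only describes what the token claims and must not be used for any access decision.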
The cluster operator gets initial access using the username and password provided after running konvoy up or, for a running cluster, konvoy get ops-portal.
To use these credentials, select Log in with Email.
This same username and password provides access to the Ops Portal, including multiple dashboards for management of the cluster.
Only these credentials provide access to the Ops Portal. The ability to add more Ops Portal users may be provided in a future release.
Adding login connectors
Konvoy uses Dex to provide OpenID Connect single sign-on to the cluster.
Dex can be configured to use multiple connectors, including GitHub, LDAP, and SAML 2.0.
The Dex Connector documentation describes how to configure different connectors.
The configuration can be added as the
values field in the
Examples of tested configurations are described in the External Providers section.