Backyards leverages the Kubeconfig, the official client libraries and the Kubernetes API to perform authentication and authorization for its users.
If you're allowed to add, edit or delete specific Istio custom resources, you'll have the same permissions from Backyards as well.
Overview
The authentication flow consists of the following steps:
- The CLI extracts authentication credentials from the user’s Kubeconfig the same way kubectl would do
- The CLI sends these credentials (client certificate or bearer token) to Backyards during the login process
- Backyards validates these credentials against the Kubernetes API Server (Backyards doesn’t store these credentials afterwards)
- Once the credentials are proven valid, Backyards generates its own ID token (JWT) and encodes relevant user information in it
- The user - in possession of the ID token - can then use the token to authenticate against Backyards until it expires
- Backyards will send subsequent requests to the API server with impersonation headers set to the user’s name and groups to delegate Authorization entirely to Kubernetes
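The last three steps of this flow, as an added Go sketch that is not Backyards' own code: a token is issued with the user's name and groups, verified on each request, and turned into the Kubernetes `Impersonate-User` and `Impersonate-Group` headers. The HS256 signing, the claim names, the demo key and the function names are assumptions made for illustration; the 10h lifetime is the one this page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

type Claims struct { // hypothetical payload; the page does not show the real token layout
	Sub    string   `json:"sub"`
	Groups []string `json:"groups"`
	Exp    int64    `json:"exp"`
}
var b64 = base64.RawURLEncoding
func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}

// Issue mints the ID token after the Kubernetes credentials were validated (HS256 is assumed).
func Issue(key []byte, user string, groups []string, now time.Time) string {
	body, _ := json.Marshal(Claims{user, groups, now.Add(10 * time.Hour).Unix()})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + sign(key, msg)
}

// Authorize verifies signature and expiry, then sets impersonation headers on the upstream request.
func Authorize(key []byte, tok string, now time.Time, up *http.Request) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return fmt.Errorf("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return fmt.Errorf("invalid or expired token")
	}
	up.Header.Set("Impersonate-User", c.Sub)
	up.Header["Impersonate-Group"] = c.Groups // replaces any client-supplied values
	return nil
}

func main() {
	fmt.Println(Issue([]byte("constructed-demo-key"), "alice", []string{"dev"}, time.Now()))
}
```

Authorize never reads the `alg` field from the token header, so the verification algorithm cannot be chosen by whoever presents the token.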
Try it out
Dashboard
backyards dashboard
When you open the dashboard through the recommended way of typing backyards dashboard, you're seamlessly authenticated with your Kubeconfig, logged in automatically and redirected to a browser tab with the Backyards Dashboard open.
Login
backyards login
You can explicitly log in at any time using the backyards login command, which gives you a short-lived (10s), encrypted token to use in the UI login window.
Troubleshooting
The ID token will be saved to the current context’s config to reuse for subsequent CLI commands for efficiency.
You can check or edit this config any time using the backyards config get and backyards config edit commands, respectively.
Once the token expires (10h) the CLI performs a new login automatically within the next command.
If the token seems to be invalid for any reason, you can always reauthenticate with the backyards login command.
Anonymous mode
Backyards provides a way to disable user authentication and use its own service account token for all communication with the Kubernetes API server.
Use the --anonymous-auth flag of the install command to disable authentication.
backyards install --anonymous-auth