-
Notifications
You must be signed in to change notification settings - Fork 157
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add document on anonymous access. (#4034)
This adds a page on setting up anonymous access.
- Loading branch information
Showing
1 changed file
with
71 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
--- | ||
title: Anonymous Access | ||
--- | ||
|
||
:::danger Important | ||
Alone, this is an **insecure** method of securing your dashboard. | ||
|
||
It is designed to be used with other external authentication systems like auth proxies. | ||
::: | ||
|
||
## Configuring Anonymous access | ||
|
||
Set the following values in the [Helm Chart](../references/helm-reference.md): | ||
|
||
```yaml | ||
# | ||
additionalArgs: | ||
- --insecure-no-authentication-user=gitops-test-user | ||
# | ||
``` | ||
|
||
The value of the `--insecure-no-authentication-user` flag is the kubernetes `User` to be impersonated to make requests into the cluster. | ||
|
||
When this flag is set all other authentication methods (e.g. those specified via `--auth-methods`) are disabled. | ||
|
||
No login screen will be displayed when accessing the dashboard. | ||
|
||
## Example ClusterRole | ||
|
||
You can bind the user provided to a ClusterRole with a ClusterRoleBinding. | ||
|
||
```yaml | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: minimum-weavegitops-role | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["secrets","pods","events"] | ||
verbs: ["get","list"] | ||
- apiGroups: ["apps"] | ||
resources: ["deployments", "replicasets"] | ||
verbs: ["get","list"] | ||
- apiGroups: ["kustomize.toolkit.fluxcd.io"] | ||
resources: ["kustomizations"] | ||
verbs: ["get","list"] | ||
- apiGroups: ["helm.toolkit.fluxcd.io"] | ||
resources: ["helmreleases"] | ||
verbs: ["get","list"] | ||
- apiGroups: ["source.toolkit.fluxcd.io"] | ||
resources: ["*"] | ||
verbs: ["get","list"] | ||
- apiGroups: [""] | ||
resources: ["events"] | ||
verbs: ["get","list","watch"] | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: gitops-test-user-binding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: minimum-weavegitops-role | ||
subjects: | ||
- kind: User | ||
name: gitops-test-user | ||
``` | ||
This would allow access to any resource. |