From 19377ff98bf7e6441ab77cec687a09d3c0d74b83 Mon Sep 17 00:00:00 2001
From: Kevin McDermott
Date: Fri, 6 Oct 2023 16:04:44 +0100
Subject: [PATCH] Add document on anonymous access. (#4034)
This adds a page on setting up anonymous access.
---
website/docs/guides/anonymous-access.mdx | 71 ++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 website/docs/guides/anonymous-access.mdx
diff --git a/website/docs/guides/anonymous-access.mdx b/website/docs/guides/anonymous-access.mdx
new file mode 100644
index 0000000000..8427ed239d
--- /dev/null
+++ b/website/docs/guides/anonymous-access.mdx
@@ -0,0 +1,71 @@
+---
+title: Anonymous Access
+---
+
+:::danger Important
+Alone, this is an **insecure** method of securing your dashboard.
+
+It is designed to be used with other external authentication systems like auth proxies.
+:::
+
+## Configuring Anonymous access
+
+Set the following values in the [Helm Chart](../references/helm-reference.md):
+
+```yaml
+#
+additionalArgs:
+- --insecure-no-authentication-user=gitops-test-user
+#
+```
+
+The value of the `--insecure-no-authentication-user` flag is the kubernetes `User` to be impersonated to make requests into the cluster.
+
+When this flag is set all other authentication methods (e.g. those specified via `--auth-methods`) are disabled.
+
+No login screen will be displayed when accessing the dashboard.
+
+## Example ClusterRole
+
+You can bind the user provided to a ClusterRole with a ClusterRoleBinding.
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: minimum-weavegitops-role
+rules:
+- apiGroups: [""]
+ resources: ["secrets","pods","events"]
+ verbs: ["get","list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get","list"]
+- apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: ["kustomizations"]
+ verbs: ["get","list"]
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: ["helmreleases"]
+ verbs: ["get","list"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["*"]
+ verbs: ["get","list"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get","list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gitops-test-user-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: minimum-weavegitops-role
+subjects:
+ - kind: User
+ name: gitops-test-user
+```
+
+This would allow access to any resource.
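Review bot: The closing sentence `This would allow access to any resource.` does not match the example above it, which is named `minimum-weavegitops-role` and grants only `get`/`list` (plus `watch` on events) on a fixed list of resources. I would replace it with something like `This grants read-only access to the listed resources in every namespace, including Secrets.` The `secrets` entry in the first rule deserves an explicit caveat on this page: with `--insecure-no-authentication-user` set, every request that reaches the dashboard is made as this user, so the ClusterRoleBinding gives cluster-wide Secret reads to whoever can reach the dashboard. If the dashboard needs that rule, say why and recommend scoping it with a namespaced Role/RoleBinding where possible. The "Configuring Anonymous access" section should also state that the dashboard must be reachable only through the authenticating proxy, not directly, since the danger box only implies this. Lastly, `events` appears in both the first and last rules, and the first occurrence can be dropped.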