Replies: 4 comments
-
Talos API doesn't support this on its own, as you need the Talos API to troubleshoot and resolve issues with the machine, so there should never be a possibility that auth doesn't work due to a misconfiguration. You can build a layer on top of the Talos API which provides this feature, by either proxying the Talos API and protecting it with the authz/authn of your choice, or issuing short-lived certs for the Talos API. But you can as well use [Omni](https://github.com/siderolabs/omni), which provides this feature, and tons of other features on top of it, including the same level of access to the Kubernetes API, automated upgrades, configuration management, scaling up/down, etcd management, etc.
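The "issue short-lived certs" option from the reply above, as an added worked example that is not part of the original discussion nor Sidero's code. It assumes a small issuing service that sits between the auth backend and the cluster: the service authenticates the user against LDAP/OIDC (not shown; the group-to-role mapping is taken as already decided), then signs a client certificate with the Talos OS CA whose Organization field carries the Talos roles and whose lifetime is short. The CA here is generated on the fly as a stand-in for the real one from a talosconfig, the role names are the ones the Talos RBAC documentation lists, and `RolesFromClientCert` only illustrates the chain-plus-expiry check the API side has to perform; it is not Talos's own verification code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Roles Talos defines for its API (Talos RBAC docs); nothing else is ever issued.
var allowedRoles = map[string]bool{
	"os:admin": true, "os:operator": true, "os:reader": true, "os:etcd:backup": true,
}

// CA stands in for the Talos OS CA (the ca entry of a talosconfig context plus its
// key). It is generated here only so the example runs offline (assumption).
type CA struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"talos"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: priv}, nil
}

// IssueClientCert signs a short-lived Talos API client cert once the external
// backend (LDAP, OIDC, ...) has authenticated user and mapped their groups to
// roles. Talos reads the caller's roles from the Organization field, so the roles go there.
func (ca *CA) IssueClientCert(user string, roles []string, ttl time.Duration) ([]byte, ed25519.PrivateKey, error) {
	if len(roles) == 0 || ttl <= 0 || ttl > 24*time.Hour {
		return nil, nil, fmt.Errorf("need at least one role and a ttl in (0, 24h], got %v / %v", roles, ttl)
	}
	for _, r := range roles {
		if !allowedRoles[r] {
			return nil, nil, fmt.Errorf("unknown Talos role %q", r)
		}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user, Organization: roles},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// RolesFromClientCert mirrors what the API side must do with such a cert: verify
// the chain against the Talos CA at call time (expired or foreign certs fail),
// and only then read the roles from Organization. Illustration, not Talos's code.
func RolesFromClientCert(caCert *x509.Certificate, certPEM []byte, at time.Time) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	return cert.Subject.Organization, nil
}

func main() {
	ca, _ := NewCA()
	// Constructed input: "alice" is in an LDAP group the issuer maps to os:reader.
	certPEM, _, err := ca.IssueClientCert("alice", []string{"os:reader"}, time.Hour)
	if err != nil {
		panic(err)
	}
	roles, err := RolesFromClientCert(ca.Cert, certPEM, time.Now())
	fmt.Println("now:", roles, err)
	_, err = RolesFromClientCert(ca.Cert, certPEM, time.Now().Add(2*time.Hour))
	fmt.Println("two hours later:", err)
}
```

The returned PEM and key are what would be written into a per-user talosconfig; the long-lived admin config then stays offline as the break-glass credential the reply above is worried about losing. When you already hold that admin config, `talosctl config new` with its `--roles` and `--crt-ttl` flags produces the same kind of reduced-role, short-lived certificate without custom code; the service here only automates the decision of which roles a given directory user gets.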
-
Yeah, Omni sounds really interesting for that, but it's yet another level of integration and requires licenses for production. It has some dependencies that make its evaluation rather difficult in a high-security air-gap model because they need to be evaluated/configured. However, it would still be cool to have a way to configure this on the Talos API directly, as right now it's impossible to have nominative access on one of the lowest levels of the OS. Thanks anyway for the fast feedback, really appreciated!
-
Not to discount your concerns, but Omni is under the BUSL, so you are free to download and deploy it in an air gap environment for testing, dev or non-production use. |
-
I've limited resources, and adding all the requirements I need to have Omni working in air-gap puts this project at another level for me, internal complexities and politics... I close this question as I guess there isn't much to add for now. 😄
-
Hello,
I would like to use Talos in a secured environment that would require connecting the API to an auth backend such as LDAP or OpenID/SAML.
I can find some documentation on how to do this for the kube API using the extra arg.
I can find some documentation about RBAC within the Talos API.
I cannot find anything regarding using those roles with an LDAP/OpenID/SAML backend, whereas a product like Omni puts it as a main requirement for self-hosting.
Am I missing something? Is there a way to do it with the Talos API?
Thanks!