Authentication/OIDC
Fine-grained access control is a continuous work in progress.
Unbind OIDC Server
Unbind has an in-house OIDC server that authenticates requests to the Unbind API.
The server is built using go-oauth2.
Dex Identity Provider
Dex is an identity service that uses OpenID Connect to authenticate users.
Unbind’s OIDC server is connected to Dex as a “provider”. Dex’s primary role in Unbind’s architecture is to act as a “broker” for other identity providers in the future (such as Google, GitHub, or any LDAP server).
Kubernetes RBAC
Kubernetes has its own role-based access control system, which is used to control access to the Kubernetes API and resources.
Unbind directly syncs its own user permissions with the Kubernetes API, so that individual users and groups can be assigned specific namespace-scoped roles.
This works through kube-oidc-proxy, a reverse proxy that authenticates users to the Kubernetes API server using OIDC.
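An added example, not Unbind's own code: one way a synced permission could be rendered as a namespace-scoped RoleBinding for a group taken from the OIDC token. The `Grant` type, the `oidc:` group prefix, the `unbind-` name prefix and the sample names are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type obj = map[string]interface{}

// Grant is a hypothetical synced permission: an OIDC group given a role in one namespace.
type Grant struct{ Group, Namespace, Role string }

// groupPrefix is an assumed prefix that keeps OIDC-derived groups apart from built-in ones.
const groupPrefix = "oidc:"
const rbacAPI = "rbac.authorization.k8s.io"

// RoleBinding renders a grant as a RoleBinding manifest. It only ever produces a
// namespaced binding to a Role, so a grant cannot reach beyond its own namespace.
func RoleBinding(g Grant) (obj, error) {
	if g.Namespace == "" {
		return nil, errors.New("grant has no namespace; refusing a cluster-wide binding")
	}
	// Kubernetes reserves the system: prefix for built-in identities such as system:masters.
	if g.Group == "" || strings.HasPrefix(g.Group, "system:") {
		return nil, fmt.Errorf("group %q is empty or uses the reserved system: prefix", g.Group)
	}
	return obj{
		"apiVersion": rbacAPI + "/v1",
		"kind":       "RoleBinding",
		"metadata":   obj{"name": "unbind-" + g.Role + "-" + g.Group, "namespace": g.Namespace},
		"subjects":   []obj{{"kind": "Group", "name": groupPrefix + g.Group, "apiGroup": rbacAPI}},
		"roleRef":    obj{"kind": "Role", "name": g.Role, "apiGroup": rbacAPI},
	}, nil
}

func main() {
	// Constructed sample grants; the second one must be rejected.
	grants := []Grant{{"team-a-devs", "team-a", "editor"}, {"system:masters", "team-a", "editor"}}
	for _, g := range grants {
		rb, err := RoleBinding(g)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		out, _ := json.MarshalIndent(rb, "", "  ")
		fmt.Println(string(out))
	}
}
```

The prefix only helps if the component that authenticates the token applies the same prefix to the groups it passes on to the API server.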