Kubernetes Authentication
The authentication process in Kubernetes relies on KubernetesAuthProviders
--
which are not the same as the application's auth providers. the default
providers are defined in
plugins/kubernetes-react/src/kubernetes-auth-provider/KubernetesAuthProviders.ts
;
you can add custom providers there if needed.
These providers are configured so your Kubernetes plugin can locate and access the clusters you have access to, some of them have special requirements in the third party in question, like Microsoft Entra ID (formerly Azure Active Directory) subscription or Azure RBAC support active on the cluster.
The providers currently available are summarized below:
Server Side Providers
These providers authenticate your application with the cluster, meaning anyone that is logged in into your Backstage app will be granted the same access to Kubernetes objects, including guest users.
The server side providers are:
aws
azure
googleServiceAccount
localKubectlProxy
serviceAccount
AWS
For AWS, in addition to Kubernetes configuration, you will have to set up AWS authentication. The AWS server-side authentication provider uses AWS Identity and Access Management (IAM) to authenticate to the target Account(s); you can read more about it on the page for the Integration AWS node.
Using the plugin, you can authenticate to several AWS accounts using either static AWS Access keys or short-lived Access keys generated by assuming a role, for either case you will need to install the AWS CLI utility and set it up following the steps in the linked documentation.
If you have generated static AWS security credentials, the configuration block for AWS will look like this:
aws:
mainAccount:
accounts:
- accountId: '<account-number>'
accessKeyId: ${AWS_ACCESS_KEY_ID}
secretAccessKey: ${AWS_SECRET_ACCESS_KEY}
region: <region>
accountDefaults:
If your environment is set up to assume a role, the configuration would instead look like this:
aws:
mainAccount:
roleName: <name-of-the-role-to-assume>
region: <region>
accounts:
accountDefaults:
Either of these sections needs to be present for the Kubernetes configuration to
use the aws
authProvider
. The Kubernetes configuration looks like this:
kubernetes:
serviceLocatorMethod:
type: 'multiTenant'
clusterLocatorMethods:
- type: 'config'
clusters:
- url: https://<unique-identifier>.<region>.eks.amazonaws.com
name: ${CLUSTER_NAME_TO_DISPLAY}
authProvider: 'aws'
caData: ${EKS_CA_DATA}
authMetadata:
kubernetes.io/aws-assume-role: ${ROLE_ARN_TO_ASSUME}
kubernetes.io/aws-external-id: ${ID_FROM_AWS_ADMIN}
kubernetes.io/x-k8s-aws-id: ${CLUSTER_NAME_IN_AWS_CONSOLE}
You get both the cluster URL and CA directly from the AWS console by going to
EKS
> Your cluster
> Overview
> Details
. You will find them under 'API
server endpoint' and 'Certificate authority' respectively.
If Backstage needs to assume a role when authenticating with EKS clusters, the
kubernetes.io/aws-assume-role
parameter can be set to the ARN of the desired
role. the kubernetes.io/aws-external-id
parameter in the config corresponds to
the ExternalId
parameter of the AssumeRole
API in STS.
Azure
The Azure provider works by authenticating on the server with the Azure CLI, please note that Microsoft Entra authentication is a requirement and has to be enabled in your AKS cluster, then follow these steps:
- Install the Azure CLI in the environment where the backstage application will run.
- Login with your Azure/Microsoft account with
az login
in the server's terminal. - Go to your AKS cluster's resource page in Azure Console and follow the steps
in the
Connect
tab to set the subscription and get your credentials forkubectl
integration. - Configure your cluster to use the
azure
auth provider like this:
kubernetes:
clusterLocatorMethods:
- type: 'config'
clusters:
- name: My AKS cluster
url: ${AZURE_CLUSTER_API_SERVER_ADDRESS}
authProvider: azure
skipTLSVerify: true
To get the API server address for your Azure cluster, go to the Azure console
page for the cluster resource, go to Overview
> Properties
tab >
Networking
section and copy paste the API server address directly in that
url
field.
Client Side Providers
These providers authenticate a user with the cluster. Each Backstage user will
be prompted for credentials and will have access to the clusters as long as the
user has been authorized to access said cluster. If Backstage is configured to
communicate with a cluster but the user isn't authorized to access it, they will
see the cluster listed but will not see any resources in the plugin page for
that cluster. The error will show as 401
or similar.
The providers available as client side are:
aks
google
oidc