Authentication

MKE uses Dex for authentication. Dex serves as a proxy between your MKE cluster and your authentication providers, combining the configuration of multiple authentication providers into a single configuration while also handling the complexity of the various protocols.

Mirantis Kubernetes Engine (MKE) supports the following authentication protocols:

  • OpenID Connect (OIDC)
  • Security Assertion Markup Language (SAML)
  • Lightweight Directory Access Protocol (LDAP)

Prerequisites

You must have certain dependencies in place before you can configure authentication. These dependencies differ, depending on which authentication protocol you choose to deploy.

  • Identity Provider (IdP): To use OIDC or SAML, you must configure an identity provider. For examples of how to use Okta as an authentication service provider for either of these protocols, refer to OIDC or SAML.

  • LDAP Server: To use LDAP, you must have an LDAP server configured. A setup example for an OpenLDAP server is available at LDAP.

Configuration

You configure authentication for MKE through the authentication section of the MKE configuration file.

Authentication is always enabled, however, the settings for each of the individual authentication protocols are disabled. To enable and install an authentication protocol, set its enabled configuration option to true.

authentication:
  ldap:
    enabled: false
  oidc:
    enabled: false
  saml:
    enabled: false

Set Expiration

You can use the expiry section of the configuration file to set the expiration time for refresh and id tokens, in the format of number + time unit format. For example, 1h to designate one hour.

authentication:
  expiry:
    refreshTokens: {}

The following table shows all of the available fields for the expiry section.

FieldDescription
expirySection for the various expiry settings.
expiry.idTokensLifetime of the ID tokens.
expiry.authRequestsTime frame that a code can be exchanged for a token.
expiry.deviceRequestsTime frame in which users can authorize a device to receive a token.
expiry.signingKeysTime period after which the signing keys are rotated.
expiry.refreshTokensSection for the various refresh token settings.
expiry.refreshTokens.validIfNotUsedForInvalidate a refresh token if it is not used for the specified time.
expiry.refreshTokens.absoluteLifetimeAbsolute time frame of a refresh token.
expiry.refreshTokens.disableRotationDisable every-request rotation.
expiry.refreshTokens.reuseIntervalInterval for obtaining the same refresh token from the refresh endpoint.

Unsupported functions

Authentication functions that are not supported in MKE 4 include:

  • OIDC proxies
  • SAML proxies
  • LDAP disablement of referral chasing
  • LDAP JIT provisioning
  • LDAP SAML logins
  • LDAP simple pagination
  • LDAP user sync
  • MFA (Multi-Factor Authentication)
Last updated on