Github Authenticator

The Guard installation guide can be found here. To use Github, you need a client cert with CommonName set to the Github organization name and Organization set to Github. To ease this process, use the Guard CLI to issue a client cert/key pair.

$ guard init client {common-name} -o Github

Deploy Guard Server

To generate installer YAMLs for guard server you can use the following command.

$ guard get installer \
    --auth-providers="github" \
    > installer.yaml

$ kubectl apply -f installer.yaml

Additional flags for github:

# Base url for enterprise, keep empty to use default github base url
--github.base-url=<base_url>

Issue Token

To use Github authentication, you can use your personal access token with permission to read:org. You can use the following command to issue a token:

$ guard get token -o github

Guard uses the token found in the TokenReview request object to read the user's profile information and the list of teams the user is a member of. In the TokenReview response, status.user.username is set to the user's Github login, and status.user.groups is set to the teams this user belongs to in the organization named in the client cert.

{
  "apiVersion": "authentication.k8s.io/v1",
  "kind": "TokenReview",
  "status": {
    "authenticated": true,
    "user": {
      "username": "<github-login>",
      "uid": "<github-id>",
      "groups": [
        "<team-1>",
        "<team-2>"
      ]
    }
  }
}
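
The mapping described above, as an added Go sketch that is not Guard's own code. The names `ghTeam`, `buildStatus` and the sample data are hypothetical; matching teams by owning organization login (case-insensitive) and failing closed on a lookup error are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ghTeam holds the two team fields this sketch needs (hypothetical type).
type ghTeam struct {
	Name string
	Org  string // login of the organization that owns the team
}

type userInfo struct {
	Username string   `json:"username,omitempty"`
	UID      string   `json:"uid,omitempty"`
	Groups   []string `json:"groups,omitempty"`
}

type reviewStatus struct {
	Authenticated bool      `json:"authenticated"`
	User          *userInfo `json:"user,omitempty"`
	Error         string    `json:"error,omitempty"`
}

// buildStatus maps a Github identity to a TokenReview status. certOrg is the
// CommonName of the client cert; only teams owned by that organization become
// groups, so membership in other organizations grants nothing in the cluster.
func buildStatus(certOrg, login string, id int64, teams []ghTeam, lookupErr error) reviewStatus {
	if lookupErr != nil || login == "" {
		// Fail closed: a token that cannot be verified never yields a user.
		return reviewStatus{Authenticated: false, Error: "github token rejected"}
	}
	groups := []string{}
	for _, t := range teams {
		if strings.EqualFold(t.Org, certOrg) {
			groups = append(groups, t.Name)
		}
	}
	return reviewStatus{Authenticated: true, User: &userInfo{login, strconv.FormatInt(id, 10), groups}}
}

func main() {
	teams := []ghTeam{{"dev", "example-org"}, {"ops", "example-org"}, {"admins", "other-org"}} // constructed
	out, _ := json.MarshalIndent(buildStatus("example-org", "alice", 1001, teams, nil), "", "  ")
	fmt.Println(string(out))
}
```

The groups returned here are what RBAC bindings match against, so a team from an organization other than the one in the client cert must never reach status.user.groups.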

Configure Kubectl

kubectl config set-credentials <user_name> --token=<token>

Or you can add the user in the .kube/config file:

...
users:
- name: <user_name>
  user:
    token: <token>

$ kubectl get pods --all-namespaces --user <user_name>
NAMESPACE     NAME                               READY     STATUS    RESTARTS   AGE
kube-system   etcd-minikube                      1/1       Running   0          7h
kube-system   kube-addon-manager-minikube        1/1       Running   0          7h
kube-system   kube-apiserver-minikube            1/1       Running   1          7h
kube-system   kube-controller-manager-minikube   1/1       Running   0          7h
kube-system   kube-dns-6f4fd4bdf-f7csh           3/3       Running   0          7h