{"id":32801,"date":"2018-05-03T20:24:39","date_gmt":"2018-05-03T17:24:39","guid":{"rendered":"https:\/\/www.altoros.com\/blog\/?p=32801"},"modified":"2019-04-08T21:05:02","modified_gmt":"2019-04-08T18:05:02","slug":"configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry","status":"publish","type":"post","link":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/","title":{"rendered":"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry"},"content":{"rendered":"<h3><span class=\"ez-toc-section\" id=\"The_need_to_unify_authenticationauthorization\"><\/span>The need to unify authentication\/authorization<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kubernetes is gaining in popularity in the Cloud Foundry ecosystem as developers explore hybrid deployment options. This trend introduces a new problem: multiple sets of credentials are needed to sign on to the different platforms.<\/p>\n<p>Cloud Foundry makes use of its identity management service\u2014<a href=\"https:\/\/docs.cloudfoundry.org\/concepts\/architecture\/uaa.html\" rel=\"noopener noreferrer\" target=\"_blank\">User Account and Authentication<\/a> (UAA). Kubernetes has a number of built-in options for authentication and authorization; however, many of them still leave room for improvement.<\/p>\n<div id=\"attachment_32920\" style=\"width: 140px\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/andrei-krasnitski-icon.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-32920\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/andrei-krasnitski-icon.jpg\" alt=\"\" width=\"130\" class=\"size-full wp-image-32920\" \/><\/a><p id=\"caption-attachment-32920\" class=\"wp-caption-text\"><small>Andrei Krasnitski<\/small><\/p><\/div>\n<p>In this blog post, we overview how to configure OpenID Connect\u2014available through Cloud Foundry&#8217;s UAA\u2014to simplify authentication \/ authorization and enable better security in comparison to the standard means within Kubernetes.<\/p>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/author\/andrei-krasnitski\/\">Andrei Krasnitski<\/a>, 
Cloud Foundry engineer at Altoros, was a speaker during Day 3 of the <a href=\"https:\/\/www.altoros.com\/blog\/top-quotes-from-cloud-foundry-summit-north-america-2018\/\" rel=\"noopener noreferrer\" target=\"_blank\">Cloud Foundry Summit 2018<\/a> in Boston. He briefed attendees about the use of UAA in Kubernetes, as well as built-in options for authentication and authorization.<\/p>\n<p>First, one needs to understand the difference between these two terms:<\/p>\n<ul>\n<li><strong>Authentication (AuthN)<\/strong> determines the identity of a user, a server, or a client.<\/li>\n<li><strong>Authorization (AuthZ)<\/strong> determines whether a user, a server, or a client has permission to execute specific tasks.<\/li>\n<\/ul>\n<blockquote><p><em>&#8220;Authentication is the process, which determines who you are. Authorization determines whether a user is allowed to perform certain actions.&#8221; \u2014Andrei Krasnitski<\/em><\/p><\/blockquote>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-access-control-diagram-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-access-control-diagram-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32851\" \/><\/a><small>How authentication and authorization flow in Kubernetes<\/small><\/center><\/p>\n<p>Both are exercised by operators through the <code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">kubectl<\/code> command-line tool; you can check out a <a href=\"https:\/\/www.altoros.com\/visuals\/kubernetes-kubectl-cli-cheat-sheet\/\">cheat sheet<\/a> featuring first-aid commands to use with the tool. 
They are also used in machine-to-machine communication between Kubernetes pods and the control plane (API server, controller, scheduler, etc.).<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Built-in_authentication_options_for_Kubernetes\"><\/span>Built-in authentication options for Kubernetes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kubernetes already ships with several authentication methods. One of these involves using <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#x509-client-certs\" rel=\"noopener noreferrer\" target=\"_blank\">X509 client certificates<\/a>. Based on his experience, Andrei noted that this solution was not ideal, since it meant &#8220;using only one certificate for all clusters.&#8221;<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-X509-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-X509-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32852\" \/><\/a><small>An example of the X509 client certificate<\/small><\/center><\/p>\n<p><a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#static-password-file\" rel=\"noopener noreferrer\" target=\"_blank\">Static passwords<\/a> or <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#static-token-file\" rel=\"noopener noreferrer\" target=\"_blank\">tokens<\/a> can also be used for authentication. &#8220;In Kubernetes case, these are CSV files stored somewhere in the file system,&#8221; explained Andrei. 
&#8220;These are not the best solutions, but can be good if you want to quickly spin up a server for testing.&#8221;<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-static-password-token-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-static-password-token-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32853\" \/><\/a><small>An example of a static password \/ token<\/small><\/center><\/p>\n<p>Next up are <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#service-account-tokens\" rel=\"noopener noreferrer\" target=\"_blank\">service accounts<\/a>, which are typically used for non-interactive workflows in Kubernetes. These can be created manually using the <code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">kubectl create serviceaccount (NAME)<\/code> command.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-service-accounts-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-service-accounts-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32854\" \/><\/a><small>An example of a service account<\/small><\/center><\/p>\n<p><a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#webhook-token-authentication\" rel=\"noopener noreferrer\" target=\"_blank\">Webhook tokens<\/a> are a relatively new method that lets an external service verify bearer tokens on behalf of the Kubernetes API server.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-webhook-token-v2.png\"><img decoding=\"async\" 
src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-webhook-token-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32855\" \/><\/a><small>A webhook token workflow<\/small><\/center><\/p>\n<p>The next method involves using <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#openid-connect-tokens\" rel=\"noopener noreferrer\" target=\"_blank\">OpenID Connect<\/a>. For the purpose of configuring UAA for Kubernetes, this is the most important option, as Andrei explained. OpenID Connect is an extension on top of the OAuth 2.0 protocol. In addition to the usual OAuth 2.0 flow, it returns an extra JSON web token (the ID token), which can be used for further authentication.<\/p>\n<blockquote><p><em>&#8220;The JSON web tokens contain information like a user e-mail, which is very common when you want to perform authentication against the cluster.&#8221; \u2014Andrei Krasnitski<\/em><\/p><\/blockquote>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-JWT-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-JWT-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32856\" \/><\/a><small>JSON web tokens are encrypted into three parts<\/small><\/center><\/p>\n<p>Kubernetes does not offer any OpenID Connect identity providers out of the box. Kubernetes also has two major compatibility requirements:<\/p>\n<ul>\n<li><strong>Discovery<\/strong>. Identity providers should publish all of their metadata at well-known URLs.<\/li>\n<li><strong>Security<\/strong>. 
Identity providers must always be served over Transport Layer Security (TLS).<\/li>\n<\/ul>\n<p>While there are existing identity providers, such as Google, Microsoft, Yahoo, PayPal, and Amazon, there are also self-hosted options like UAA for Cloud Foundry. UAA is an OpenID Connect identity provider, which can be used for a cluster. It is basically an OAuth 2.0 server that can federate identities from SAML and LDAP sources. It also has APIs for user account management.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-workflow-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-workflow-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32857\" \/><\/a><small>OpenID Connect authentication workflow within Kubernetes<\/small><\/center><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Built-in_authorization_options_for_Kubernetes\"><\/span>Built-in authorization options for Kubernetes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Once a user has been authenticated, it&#8217;s time to check whether or not the user has permission to perform tasks. Similar to authentication, Kubernetes also has existing modules for authorization. <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/abac\/\" rel=\"noopener noreferrer\" target=\"_blank\">Attribute-based access control<\/a> (ABAC) is one of these options.<\/p>\n<p>ABAC policies are stored in a file, the same way as static passwords and tokens, but in a one-JSON-object-per-line format. 
You can specify users&#8217; access to namespaces, resources, and so on.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-ABAC-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-ABAC-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32858\" \/><\/a><small>An example of an ABAC policy<\/small><\/center><\/p>\n<p>The next mode of authorization is <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/\" rel=\"noopener noreferrer\" target=\"_blank\">Role-based access control<\/a> (RBAC). &#8220;This is essentially just a collection of the roles,&#8221; commented Andrei. For example, you can have a developer role, which has one set of permissions on the cluster, and an administrator role, which has full access. Roles are scoped to a single namespace, while cluster roles apply cluster-wide.<\/p>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-RBAC-v2.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-RBAC-v2.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32863\" \/><\/a><small>An example of an RBAC role<\/small><\/center><\/p>\n<p>Andrei also provided a side-by-side comparison of the two authorization methods.<\/p>\n<p><small><\/p>\n<table>\n<tbody>\n<tr>\n<td><center><small><strong>RBAC<\/strong><\/small><\/center><\/td>\n<td><center><small><strong>ABAC<\/strong><\/small><\/center><\/td>\n<\/tr>\n<tr>\n<td><small>Authorization policy changes can be made using the <code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">kubectl<\/code> command-line tool.<\/small><\/td>\n<td><small>Requires SSH and file system access on the Kubernetes master to make changes 
in the authorization policy file.<\/small><\/td>\n<\/tr>\n<tr>\n<td><small>Changes are applied on the fly.<\/small><\/td>\n<td><small>An operator must restart the API server to pick up a new policy.<\/small><\/td>\n<\/tr>\n<tr>\n<td><small>Authorization is managed through the Kubernetes API.<\/small><\/td>\n<td><small>Authorization is managed by a user-configured local file.<\/small><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/small><\/p>\n<p>From this comparison, Andrei favored the use of RBAC, as, unlike ABAC, it doesn&#8217;t require the API server to be restarted every time the policy files get updated.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Configuring_OpenID_Connect_in_Kubernetes\"><\/span>Configuring OpenID Connect in Kubernetes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Next, Andrei explained how to set up OpenID Connect, as it enables a single entry point for both Cloud Foundry and Kubernetes. One needs to configure the following flags on the API server:<\/p>\n<ul>\n<li><code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">--oidc-issuer-url=URL<\/code> identifies the URL of the provider, from which the API server discovers the public signing keys.<\/li>\n<li><code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">--oidc-client-id=ID<\/code> is the client ID used when verifying the JSON web tokens.<\/li>\n<li><code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">--oidc-username-claim=email<\/code> specifies which JSON web token claim (here, the e-mail) to use as the username.<\/li>\n<li><code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">--oidc-ca-file=\/k8s-ca.em<\/code> is the path to the certificate authority certificate.<\/li>\n<\/ul>\n<p><center><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-kubo-release.png\"><img decoding=\"async\" 
src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA-kubo-release.png\" alt=\"\" width=\"640\" class=\"aligncenter size-full wp-image-32877\" \/><\/a><small>Kubo-release users can use these commits instead<\/small><\/center><\/p>\n<p>The main reason for using OpenID Connect is that it provides a single authentication and authorization solution for both Cloud Foundry and Kubernetes. In addition, it is easy to configure, includes a discovery mechanism, and minimizes password security risks.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Want_details_Watch_the_video\"><\/span>Want details? Watch the video!<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td class=\"video-display-mobile\">\n<div style=\"float:right; width:50%; padding-left:15px; font-size:14px;\">\n<strong>Table of contents<\/strong><\/p>\n<ol>\n<li style=\"margin-bottom: 16px;\">What is Kubernetes? (1:40)<\/li>\n<li style=\"margin-bottom: 16px;\">What is the difference between authentication and authorization? (2:10)<\/li>\n<li style=\"margin-bottom: 16px;\">How do authentication and authorization work in Kubernetes? (4:00)<\/li>\n<li style=\"margin-bottom: 16px;\">Current strategies for authentication (5:41)<\/li>\n<li style=\"margin-bottom: 16px;\">What is OpenID Connect? (9:35)<\/li>\n<li style=\"margin-bottom: 16px;\">What is UAA? (12:50)<\/li>\n<li style=\"margin-bottom: 16px;\">Current strategies for authorization (14:50)<\/li>\n<li style=\"margin-bottom: 16px;\">Demo: Using OpenID Connect in Kubernetes (19:01)<\/li>\n<li style=\"margin-bottom: 16px;\">How is OpenID Connect configured in Kubernetes? 
(24:20)<\/li>\n<\/ol>\n<\/div>\n<div class=\"video-container\"><iframe loading=\"lazy\" title=\"UAA Authentication for Kubernetes - Andrei Krasnitski, Altoros\" width=\"1200\" height=\"675\" src=\"https:\/\/www.youtube.com\/embed\/S7uRi1MHHYw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><small>These are the slides from the session.<\/small><\/p>\n<p><center><iframe loading=\"lazy\" src=\"\/\/www.slideshare.net\/slideshow\/embed_code\/key\/Vkay2XBaN2Uxp\" width=\"595\" height=\"485\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" style=\"border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;\" allowfullscreen> <\/iframe><\/center><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Further_reading\"><\/span>Further reading<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/www.altoros.com\/visuals\/kubernetes-kubectl-cli-cheat-sheet\/\">Kubernetes kubectl CLI Cheat Sheet<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/not-only-for-cloud-foundry-kubo-enables-kubernetes-deployments-with-bosh\/\">Kubo Enables Kubernetes Environments Managed by Cloud Foundry\u2019s BOSH<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/evaluating-the-new-pivotal-container-service-for-kubernetes-clusters\/\">Evaluating Pivotal Container Service for Kubernetes Clusters<\/a><\/li>\n<\/ul>\n<hr\/>\n<p><center><small>The post is written by Carlo Gutierrez with assistance from Andrei Krasnitski and Sophie Turol.<\/small><\/center><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The need to unify authentication\/authorization<\/p>\n<p>Kubernetes is gaining in popularity in the Cloud Foundry ecosystem as developers explore hybrid deployment options. 
This trend brings up a new problem where multiple credentials are needed to sign on to the different platforms.<\/p>\n<p>Cloud Foundry makes use of its identity management service\u2014User Account and Authentication [&#8230;]<\/p>\n","protected":false},"author":130,"featured_media":32882,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[214],"tags":[208,873,912,206],"class_list":["post-32801","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-cf-summit","tag-cloud-native","tag-kubernetes","tag-oss-cloud-foundry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry | Altoros<\/title>\n<meta name=\"description\" content=\"A part of the UAA service, OpenID Connect can be used to enable authentication and authorization for Kubernetes and minimize password security risks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry | Altoros\" \/>\n<meta property=\"og:description\" content=\"The need to unify authentication\/authorization Kubernetes is gaining in popularity in the Cloud Foundry ecosystem as developers explore hybrid deployment options. 
This trend brings up a new problem where multiple credentials are needed to sign on to the different platforms. Cloud Foundry makes use of its identity management service\u2014User Account and Authentication [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/\" \/>\n<meta property=\"og:site_name\" content=\"Altoros\" \/>\n<meta property=\"article:published_time\" content=\"2018-05-03T17:24:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-04-08T18:05:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"360\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/gif\" \/>\n<meta name=\"author\" content=\"Andrei Krasnitski\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andrei Krasnitski\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/\",\"name\":\"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry | Altoros\",\"isPartOf\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif\",\"datePublished\":\"2018-05-03T17:24:39+00:00\",\"dateModified\":\"2019-04-08T18:05:02+00:00\",\"author\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/6892b9fdca5c24cb7b47ac7b077382db\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#primaryimage\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif\",\"contentUrl\":\"https:\/\/w
ww.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif\",\"width\":640,\"height\":360},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.altoros.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\",\"url\":\"https:\/\/www.altoros.com\/blog\/\",\"name\":\"Altoros\",\"description\":\"Insight\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.altoros.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/6892b9fdca5c24cb7b47ac7b077382db\",\"name\":\"Andrei Krasnitski\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/02\/andrei-krasnitski-150x150.jpg\",\"contentUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/02\/andrei-krasnitski-150x150.jpg\",\"caption\":\"Andrei Krasnitski\"},\"description\":\"Andrei Krasnitski is a Cloud Foundry Engineer at Altoros. He has 5+ years of experience in cloud infrastructures and platforms automation, enterprise-level service integrations, and cloud environment troubleshooting. 
Andrei is building and supporting Cloud Foundry environments for Altoros\u2019s enterprise customers.\",\"url\":\"https:\/\/www.altoros.com\/blog\/author\/andrei-krasnitski\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry | Altoros","description":"A part of the UAA service, OpenID Connect can be used to enable authentication and authorization for Kubernetes and minimize password security risks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/","og_locale":"en_US","og_type":"article","og_title":"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry | Altoros","og_description":"The need to unify authentication\/authorization Kubernetes is gaining in popularity in the Cloud Foundry ecosystem as developers explore hybrid deployment options. This trend brings up a new problem where multiple credentials are needed to sign on to the different platforms. Cloud Foundry makes use of its identity management service\u2014User Account and Authentication [...]","og_url":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/","og_site_name":"Altoros","article_published_time":"2018-05-03T17:24:39+00:00","article_modified_time":"2019-04-08T18:05:02+00:00","og_image":[{"width":640,"height":360,"url":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif","type":"image\/gif"}],"author":"Andrei Krasnitski","twitter_misc":{"Written by":"Andrei Krasnitski","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/","url":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/","name":"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry | Altoros","isPartOf":{"@id":"https:\/\/www.altoros.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#primaryimage"},"image":{"@id":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#primaryimage"},"thumbnailUrl":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif","datePublished":"2018-05-03T17:24:39+00:00","dateModified":"2019-04-08T18:05:02+00:00","author":{"@id":"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/6892b9fdca5c24cb7b47ac7b077382db"},"breadcrumb":{"@id":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#primaryimage","url":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif","contentUrl":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/05\/CF-Summit-2018-Boston-Kubernetes-UAA.gif","width":640,"height":360},{"@type":"BreadcrumbList","@id":"https:\/\/www.altoros.com\/blog\/configuring-uaa-to-
provide-a-single-entry-point-for-kubernetes-and-cloud-foundry\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.altoros.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Configuring UAA to Provide a Single Entry Point for Kubernetes and Cloud Foundry"}]},{"@type":"WebSite","@id":"https:\/\/www.altoros.com\/blog\/#website","url":"https:\/\/www.altoros.com\/blog\/","name":"Altoros","description":"Insight","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.altoros.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/6892b9fdca5c24cb7b47ac7b077382db","name":"Andrei Krasnitski","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/02\/andrei-krasnitski-150x150.jpg","contentUrl":"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2018\/02\/andrei-krasnitski-150x150.jpg","caption":"Andrei Krasnitski"},"description":"Andrei Krasnitski is a Cloud Foundry Engineer at Altoros. He has 5+ years of experience in cloud infrastructures and platforms automation, enterprise-level service integrations, and cloud environment troubleshooting. 
Andrei is building and supporting Cloud Foundry environments for Altoros\u2019s enterprise customers.","url":"https:\/\/www.altoros.com\/blog\/author\/andrei-krasnitski\/"}]}},"_links":{"self":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/32801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/users\/130"}],"replies":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/comments?post=32801"}],"version-history":[{"count":70,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/32801\/revisions"}],"predecessor-version":[{"id":42340,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/32801\/revisions\/42340"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/media\/32882"}],"wp:attachment":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/media?parent=32801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/categories?post=32801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/tags?post=32801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}