Authentication and Access Control
The communication between the K8s cluster and AppViewX KUBE+ takes place through a REST API, and it is authenticated. AppViewX provides several authentication modes to access its API.
Authentication
- Basic Authentication: Users can create a dedicated user for authentication, either an external user (LDAP, RADIUS and TACACS) or an internal user created in AppViewX. For more information on Basic Authentication, refer to the Platform User Guide.
- OAuth 2.0 (Service Account): Users can create a service account that is enabled for AppViewX OAuth 2.0. They can then obtain the client ID and client secret from the service account and use them for authentication. For more information on OAuth 2.0, refer to the Platform User Guide.
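The two modes above differ in what the client sends on each request: Basic Authentication puts the user's credentials directly in the Authorization header, while the OAuth 2.0 service account exchanges its client ID and client secret once for a short-lived bearer token. The following Python is an added example written for this page, not AppViewX code; the token endpoint path (`TOKEN_PATH`) and the environment variable names are assumptions, since the page does not give the actual API paths. The helpers that build the headers and parse the token response run offline; only `fetch_token` touches the network.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Optional, Tuple, Dict

# Assumed names: the real AppViewX base URL and token path are not given on this page.
APPVIEWX_BASE_URL = os.environ.get("APPVIEWX_BASE_URL", "https://appviewx.example.invalid")
TOKEN_PATH = "/oauth/token"  # placeholder; check the Platform User Guide for the real path
REFRESH_SKEW_SECONDS = 60    # refresh a little before expiry to avoid racing the server clock


def build_basic_auth_header(username: str, password: str) -> str:
    """Return the value of an HTTP Basic 'Authorization' header (RFC 7617):
    'Basic ' + base64(username:password). Credentials are only as safe as the
    TLS channel carrying them, so never send this over plain HTTP."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_client_credentials_request(client_id: str, client_secret: str) -> Tuple[bytes, Dict[str, str]]:
    """Build the body and headers of an OAuth 2.0 client-credentials grant
    (RFC 6749 section 4.4). The client authenticates to the token endpoint with
    HTTP Basic using client_id:client_secret; the form body names the grant."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    headers = {
        "Authorization": build_basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return body, headers


def parse_token_response(payload: str, now: Optional[float] = None) -> Dict[str, object]:
    """Validate a token endpoint JSON response and turn it into a ready-to-use
    bearer header plus an absolute expiry time. Rejects anything that is not a
    bearer token so a malformed or error response cannot be used by mistake."""
    now = time.time() if now is None else now
    data = json.loads(payload)
    if "access_token" not in data or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("token endpoint did not return a bearer access token")
    expires_in = int(data.get("expires_in", 0))
    return {
        "Authorization": f"Bearer {data['access_token']}",
        "expires_at": now + expires_in,
    }


def needs_refresh(token: Dict[str, object], now: Optional[float] = None) -> bool:
    """True when the cached token is within REFRESH_SKEW_SECONDS of expiring."""
    now = time.time() if now is None else now
    return now >= float(token["expires_at"]) - REFRESH_SKEW_SECONDS


def fetch_token(client_id: str, client_secret: str) -> Dict[str, object]:
    """Perform the client-credentials exchange against the (assumed) token endpoint."""
    body, headers = build_client_credentials_request(client_id, client_secret)
    req = urllib.request.Request(APPVIEWX_BASE_URL + TOKEN_PATH, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPS only in practice
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Secrets come from the environment (or a secret store), never from source code or logs.
    cid = os.environ.get("APPVIEWX_CLIENT_ID")
    csec = os.environ.get("APPVIEWX_CLIENT_SECRET")
    if cid and csec:
        tok = fetch_token(cid, csec)
        print("token obtained; expires at", tok["expires_at"])
    else:
        print("set APPVIEWX_CLIENT_ID and APPVIEWX_CLIENT_SECRET to request a token")
```

The service-account flow is preferable for an automated component such as Cert-Orchestrator: the long-lived secret is presented only to the token endpoint, the bearer token that travels with every API call expires on its own, and the secret can be rotated without touching a human user's account.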
Access Control
Each role grants a specific set of permissions covering the modules that can be accessed and the tasks that can be performed in each AppViewX module. Roles can be assigned only to a user group, never directly to a user. A user group that is assigned a role automatically inherits all of the role's permissions, and a user group can be assigned more than one role.
The Roles management section of Inventory includes the Out of the Box (OOB) roles available for KUBE+ features via cert-orchestrator. OOB roles can be cloned, enabled, and disabled, but they cannot be updated or deleted. Administrators can also create custom roles, which can be updated, deleted, enabled, and disabled. Users can map either OOB roles (if they match their needs) or custom roles to user groups. KUBE+ ships with a set of OOB roles to ease the process of defining access and role permissions for the different personas that use KUBE+.
- KUBE-Application-User: For DevOps, application user and CloudOps teams to perform Certificate Lifecycle Management for their applications or business units.
- KUBE-PKI-Administrator: For Infosec and PKI teams to define and enforce PKI policies for their Kubernetes environments.
- KUBE-cert-orchestrator: Role to be mapped to the service account or user used for the deployment of Cert-Orchestrator, for performing CLM operations on individual Kubernetes clusters.
As previously explained, when deploying Cert-Orchestrator within the Kubernetes cluster, the following access-control steps are required:
- Create a user or service account and associate it with a User Group.
- Assign the KUBE-cert-orchestrator role to that User Group.
- Additionally, ensure that the super access resource is linked to the User Group.
For detailed instructions on performing any action on roles, see the Platform User Guide.