Add User Authentication and Group-Based Access Control

[marcportabellaclotet-mt]

Problem Statement

Radar currently lacks fine-grained user-based access control when exposed via container. This makes it difficult to safely share the service with larger teams or external users, as all users effectively have the same permissions.

It would be nice to have a way to authenticate users (e.g., via Basic Auth or OIDC) and restrict access to resources based on group membership, ensuring users can only see and act on what they are allowed.

Proposed Solution

• Add user authentication support (Basic Auth or OIDC).
• Map user groups to roles or permissions within Radar.
• Enforce these roles when users browse or perform actions.

This would allow secure sharing of Radar with multiple user types while keeping resource access properly restricted.

Alternatives Considered

• External authentication proxies: handle login but don’t integrate with Radar’s internal permissions.

Additional Context

• Enables sharing with larger or external audiences.
• Reduces risk of unauthorized access.

[nadaverell]

Thanks for the proposal! Considering how to implement this. Definitely important to make it more viable for shared in-cluster deployment.

[avisvard]

Thinking if we could have the user upload the kubeconfig(s) and we encrypt them using content of a jwt that only the user could get from authentication with a third party (Okta, Google, Entra etc) a solution could perhaps be achieved like that and then links would include some hash of the cluster name so that people could share links between them and still get to the correct cluster/page etc (basically deep link support?). Two issues that comes to mind is that all traffic would then emit from the hosted radar and different people might have different permissions for network access meaning that it would in that case be better if the radar module ran locally. Second issue, IIRC AKS at least allows to delegate the authentication to the cluster to Entra meaning that the token isn't inside the kubeconfig by would be injected via a MSFT tooling. This could prevent this design suggestion, at least for this configuration setup for AKS clusters.

[jollyekb]

I'm really looking forward to this Merge

[nadaverell]

I'm really looking forward to this Merge

Soon! Not well tested yet + waiting on some refactor.

[gorkemozlu]

looking forward to as well, will be testing once it's out.

[AndrewK0009]

We r w8ing...

[nadaverell]

I know 😭😭
I promise it's coming, KubeCon got my attention this week (come say hi if you're there 😊)

[teslawomir]

Really looking forward to this :)

[nadaverell]

Thanks everyone for the patience!
@teslawomir @AndrewK0009 @gorkemozlu @jollyekb @avisvard @marcportabellaclotet-mt
Please update to v1.3.0 and test - see new documentation for how to enable proxy mode, OIDC mode when installing in a cluster.
LMK if there are any issues.

This is working beautifully now on our clusters giving team access in a safe way via stable, always-available browser URLs with user-scoped permissions :D

[marcportabellaclotet-mt]

I give it a try, and seems to work very well. Great Work @nadaverell
Just a couple of minor things:

• Allow setting the oidc clientsecret from an exisiting k8s secret. If this is already the case, I could not find it in the docs.
• When you logout, due to sso, it relogins again
• Add support oidc backchannel logout, to ensure that when the sessions of the user are revoked at idp level, the user can not access to radar any more
  Out of the scope of this issue, but I was wondering if it would be possible to have like a global radar instance which is able to navigate through different clusters. Using the CLI version, you are able to switch context, so you can easily switch to different clusters. Using the webservice, you need to deploy a radar instance per cluster and you can not switch cluster from the same UI.

[nadaverell]

I give it a try, and seems to work very well. Great Work @nadaverell Just a couple of minor things:

• Allow setting the oidc clientsecret from an exisiting k8s secret. If this is already the case, I could not find it in the docs.
• When you logout, due to sso, it relogins again
• Add support oidc backchannel logout, to ensure that when the sessions of the user are revoked at idp level, the user can not access to radar any more
  Out of the scope of this issue, but I was wondering if it would be possible to have like a global radar instance which is able to navigate through different clusters. Using the CLI version, you are able to switch context, so you can easily switch to different clusters. Using the webservice, you need to deploy a radar instance per cluster and you can not switch cluster from the same UI.

Thanks!
Taking each of the suggestions into separate issues to track 🙏