feat: authentication and K8s RBAC-based authorization #214
Merged
nadaverell merged 2 commits into main (Mar 29, 2026)
Conversation
force-pushed from 1a4c109 to e0953b0:
…fixes

Adds opt-in auth support for in-cluster radar deployments:

- **Proxy mode**: trusted header injection (X-Remote-User / X-Remote-Group) from an upstream auth proxy (OAuth2 Proxy, Pomerium, Cloudflare Access, etc.)
- **OIDC mode**: native OIDC/SSO login flow with Dex, Okta, GitHub, Google, etc.
- Session cookies (HMAC-signed) so subsequent requests don't repeat header/token checks
- K8s RBAC impersonation: all cluster operations run as the authenticated user, respecting existing ClusterRole/RoleBinding rules
- Namespace filtering: non-admin users only see namespaces they have access to
- Helm visibility: auto-grants secrets read RBAC so release history is visible
- Auth middleware with exempt paths (health, static assets) and soft-auth paths
- Full test coverage: middleware unit tests + integration tests for all auth paths
- Helm chart updates: auth env vars, RBAC ClusterRole for impersonation, deployment template for secret/configmap auth config mounts
- Documentation: docs/authentication.md with setup guide for all supported modes

Three fixes for topology graph shuffling observed in active clusters:

- **Position preservation**: after initial ELK layout, node positions are saved in a ref. Subsequent topology updates (new pods, status changes) preserve existing node positions — only newly-added nodes get ELK-computed positions. User-dragged positions are also preserved. Retry Layout button still forces a full fresh layout.
- **fitView on background updates**: ViewportController no longer calls fitView on every structural topology change. fitView only runs when nodes first appear, when view mode switches, or on explicit retry — not on every incremental SSE update.
- **Pause live updates button**: new control in the topology toolbar lets users freeze the graph snapshot while exploring. SSE connection stays live; updates are buffered and applied instantly on resume. Auto-unpauses on context switch.
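The HMAC-signed session cookie from the first list above, as an added Go example that is not Radar's code. The second commit on this page also mentions logging tampered and expired cookies for monitoring; returning distinct sentinel errors for the two cases is what lets a middleware do that. The Session fields, the cookie layout (base64url payload, a dot, base64url HMAC-SHA256 tag), and the Signer/Seal/Open names are assumptions for this example; Radar's own CreateSessionCookie is not shown on this page, and where that commit says it handles the json.Marshal error with log.Fatalf, this version returns the error to the caller instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Session is the identity the cookie carries. The field set is an
// assumption for this example, not Radar's own session type.
type Session struct {
	User   string   `json:"user"`
	Groups []string `json:"groups,omitempty"`
	Expiry int64    `json:"exp"` // Unix seconds
}

// Distinct errors let the middleware log a forged cookie as a security
// event while treating an expired one as routine.
var (
	ErrMalformed = errors.New("session cookie: malformed")
	ErrTampered  = errors.New("session cookie: signature mismatch")
	ErrExpired   = errors.New("session cookie: expired")
)

// Signer mints and verifies cookies shaped as
// base64url(payload) "." base64url(HMAC-SHA256(key, payload)).
type Signer struct {
	key []byte
	Now func() time.Time // clock, overridable in tests
}

func NewSigner(key []byte) (*Signer, error) {
	if len(key) < 32 {
		return nil, errors.New("session key must be at least 32 bytes")
	}
	return &Signer{key: key, Now: time.Now}, nil
}

func (s *Signer) Seal(sess Session) (string, error) {
	payload, err := json.Marshal(sess)
	if err != nil {
		return "", fmt.Errorf("encode session: %w", err)
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(s.mac(payload)), nil
}

func (s *Signer) Open(cookie string) (Session, error) {
	var sess Session
	parts := strings.Split(cookie, ".")
	if len(parts) != 2 {
		return sess, ErrMalformed
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return sess, ErrMalformed
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return sess, ErrMalformed
	}
	// Constant-time MAC check before the payload is parsed, so untrusted
	// bytes never reach the JSON decoder.
	if !hmac.Equal(sig, s.mac(payload)) {
		return sess, ErrTampered
	}
	if err := json.Unmarshal(payload, &sess); err != nil || sess.User == "" {
		return sess, ErrMalformed
	}
	if !s.Now().Before(time.Unix(sess.Expiry, 0)) {
		return sess, ErrExpired
	}
	return sess, nil
}

func (s *Signer) mac(payload []byte) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write(payload)
	return m.Sum(nil)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewSigner(key)
	c, _ := s.Seal(Session{User: "alice", Expiry: time.Now().Add(time.Hour).Unix()})
	sess, err := s.Open(c)
	fmt.Println(sess.User, err)
}
```

The MAC is checked before anything is decoded, and a client that keeps the tag but swaps the payload gets ErrTampered, which is the case worth alerting on; ErrExpired is the normal end of a session and only needs a redirect to login.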
force-pushed from e0953b0 to 78ededb:
…security

- Fix handleWorkloadRevisions to use impersonated client (RBAC bypass)
- Validate --auth-mode flag at startup to catch typos that silently disable auth
- Log tampered/expired cookies for security monitoring
- Fix Secure cookie flag in proxy mode to use X-Forwarded-Proto
- Move AuditLog before client nil check in argo/flux handlers so failed ops are logged
- Handle json.Marshal error in CreateSessionCookie with log.Fatalf
- Add tests for ImpersonatedConfig correctness and base config immutability
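The proxy-mode middleware with the two fixes this commit lists for it (strict --auth-mode validation at startup, Secure cookie flag taken from X-Forwarded-Proto), as an added Go example that is not Radar's internal/auth code. Header names follow the earlier commit message (X-Remote-User / X-Remote-Group); the exempt path list, the cookie name and every function name here are assumptions. The caveat a practitioner should keep in mind is in the ProxyAuth comment: these headers are only trustworthy when the auth proxy is the sole route to the listener.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"strings"
)

// AuthMode is validated once at startup: any value outside these three is a
// configuration error, never a silent fall-through to no auth.
type AuthMode string

const (
	ModeNone  AuthMode = "none"
	ModeProxy AuthMode = "proxy"
	ModeOIDC  AuthMode = "oidc"
)

func ParseAuthMode(flag string) (AuthMode, error) {
	switch m := AuthMode(flag); m {
	case ModeNone, ModeProxy, ModeOIDC:
		return m, nil
	}
	return "", fmt.Errorf("invalid --auth-mode %q (want none, proxy or oidc)", flag)
}

// Identity is what the middleware hands to handlers via the request context.
type Identity struct {
	User   string
	Groups []string
}

type identityKey struct{}

func IdentityFrom(ctx context.Context) (Identity, bool) {
	id, ok := ctx.Value(identityKey{}).(Identity)
	return id, ok
}

// Paths served without any identity. The exact list is an assumption.
var exemptPaths = []string{"/healthz", "/static/"}

func IsExempt(path string) bool {
	for _, p := range exemptPaths {
		if path == p || (strings.HasSuffix(p, "/") && strings.HasPrefix(path, p)) {
			return true
		}
	}
	return false
}

// IsSecureRequest reports whether the client-facing hop was TLS. The proxy
// usually talks plain HTTP to Radar, so r.TLS alone would pin Secure=false;
// the original scheme arrives in X-Forwarded-Proto.
func IsSecureRequest(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	proto := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0])
	return strings.EqualFold(proto, "https")
}

// SessionCookie sets the attributes for an already-signed cookie value.
func SessionCookie(r *http.Request, value string) *http.Cookie {
	return &http.Cookie{
		Name:     "radar_session", // cookie name is an assumption
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   IsSecureRequest(r),
	}
}

// ProxyAuth trusts X-Remote-User / X-Remote-Group. That is only sound when
// the upstream proxy is the sole route to this listener; if the pod can be
// reached directly, any client can set these headers itself.
func ProxyAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsExempt(r.URL.Path) {
			next.ServeHTTP(w, r)
			return
		}
		user := strings.TrimSpace(r.Header.Get("X-Remote-User"))
		if user == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		id := Identity{User: user}
		for _, h := range r.Header.Values("X-Remote-Group") {
			for _, g := range strings.Split(h, ",") {
				if g = strings.TrimSpace(g); g != "" {
					id.Groups = append(id.Groups, g)
				}
			}
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), identityKey{}, id)))
	})
}
```

Usage: call ParseAuthMode on the flag value before anything listens, and wrap the mux with ProxyAuth only when it returns ModeProxy; handlers read the caller with IdentityFrom. SessionCookie only sets attributes, the value is expected to come from an HMAC signer.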
Closes #99
Summary
Adds optional authentication and RBAC-based authorization to Radar, allowing teams running it in shared environments (e.g., in-cluster) to control who can access the UI and what they can do.
Three auth modes:

- `none` (default) — no change from current behavior
- `proxy` — trust `X-Forwarded-User`/`X-Forwarded-Groups` headers from an upstream reverse proxy (oauth2-proxy, nginx, etc.)
- `oidc` — full OpenID Connect login flow with session cookies

RBAC-aware authorization: when auth is enabled, write operations (restart, scale, rollback, delete, GitOps sync/suspend, etc.) are executed via K8s impersonation so the user's own RBAC permissions apply. Read endpoints filter namespaces to only those the user can access, discovered via `SubjectAccessReview`.

Topology stability: fixes the topology graph viewport jumping every ~3 seconds in active clusters. The ELK layout engine was triggering `fitView` on every background update; now `fitView` only runs on intentional actions (initial load, view mode change, explicit re-layout). Node positions are preserved across incremental updates. Adds a pause live updates button to the topology controls.

Key files

- `pkg/auth/` — reusable cookie signing, impersonation helpers, permission cache, RBAC namespace discovery
- `internal/auth/` — HTTP middleware (proxy/OIDC), audit logging
- `internal/k8s/impersonate.go` — wires auth into K8s clients
- `internal/server/server.go` — middleware mounting, `parseNamespacesForUser`, `getDynamicClientForRequest`
- `packages/k8s-ui/src/components/topology/TopologyGraph.tsx` — viewport stability + pause button
- `web/src/components/UserMenu.tsx` — user identity display when auth is enabled

Review fixes applied

- `handleWorkloadRevisions` was using the shared cluster client (RBAC bypass) — now uses impersonated client
- `--auth-mode` flag validated at startup to catch typos that would silently disable auth
- `Secure` cookie flag uses `X-Forwarded-Proto` instead of being hardcoded `false`
- `AuditLog` moved before client nil check in Argo/Flux handlers so failed attempts are recorded
- `ImpersonatedConfig` field correctness and base config immutability
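Impersonation as the review fixes describe it (a per-user client for each request, the shared base left untouched, and no fall-back to the shared cluster client), as an added Go example that is not Radar's `internal/k8s/impersonate.go`. It sets the `Impersonate-User` / `Impersonate-Group` headers the Kubernetes API server reads directly on a `net/http` transport, so it runs offline without client-go; Radar's `ImpersonatedConfig` goes through client-go, whose impersonating transport sends the same headers. The `Identity` type, `ImpersonatedClient`, and the echo server standing in for the API server are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Identity as produced by the auth middleware (an assumption of this example).
type Identity struct {
	User   string
	Groups []string
}

// Header names the Kubernetes API server reads for impersonation. Radar's own
// service account must be allowed to "impersonate" users and groups (the
// ClusterRole the Helm chart adds) or the API server rejects the request.
const (
	impersonateUser  = "Impersonate-User"
	impersonateGroup = "Impersonate-Group"
)

type impersonatingTransport struct {
	base http.RoundTripper
	id   Identity
}

func (t impersonatingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Work on a clone: the RoundTripper contract forbids mutating the caller's
	// request, and the base transport is shared by every user.
	r := req.Clone(req.Context())
	// Identity comes only from the authenticated session; drop anything a
	// caller may have set before adding ours.
	r.Header.Del(impersonateUser)
	r.Header.Del(impersonateGroup)
	r.Header.Set(impersonateUser, t.id.User)
	for _, g := range t.id.Groups {
		r.Header.Add(impersonateGroup, g)
	}
	return t.base.RoundTrip(r)
}

// ImpersonatedClient derives a per-request client from the shared base
// without modifying it. An empty user is refused rather than passed through:
// with no Impersonate-User header the request would run as the pod's own
// service account, the same bypass the handleWorkloadRevisions fix closed.
func ImpersonatedClient(base *http.Client, id Identity) (*http.Client, error) {
	if id.User == "" {
		return nil, errors.New("refusing to impersonate an empty user")
	}
	rt := base.Transport
	if rt == nil {
		rt = http.DefaultTransport
	}
	c := *base // shallow copy keeps Timeout etc.; base.Transport is untouched
	c.Transport = impersonatingTransport{base: rt, id: id}
	return &c, nil
}

// EchoIdentity stands in for the API server and reports the identity it
// would authorise against. Constructed for this example.
func EchoIdentity(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%s|%s", r.Header.Get(impersonateUser),
		strings.Join(r.Header.Values(impersonateGroup), ","))
}

// SeenIdentity performs GET url with c and returns EchoIdentity's answer.
func SeenIdentity(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(EchoIdentity))
	defer srv.Close()
	base := &http.Client{}
	alice, err := ImpersonatedClient(base, Identity{User: "alice", Groups: []string{"dev"}})
	if err != nil {
		log.Fatal(err)
	}
	seen, err := SeenIdentity(alice, srv.URL)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("impersonated client ran as:", seen)
	seen, _ = SeenIdentity(base, srv.URL)
	fmt.Printf("shared base client ran as: %q (the service account)\n", seen)
}
```

The two properties the added ImpersonatedConfig tests check map onto this directly: the derived client carries the caller's user and groups, and the base client is the same object it was before, so a handler that accidentally reaches for it (the handleWorkloadRevisions bug) still runs as the service account rather than as the user, which is why the empty-user refusal is there.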