Skip to main content
Version: 1.11.0

Authorization

Since version 1.11.0 Epinio is shipped with a new authorization layer with two default roles: admin and user. Roles can be "namescoped", and they can be also customized with different permissions.

A user with the admin role will have the permission to perform any operation. A standard user will have only read permissions, but also has the permissions to create namespaces. When a user creates a namespace, they will automatically have the admin permission for it.

By default, after the installation two users are available: admin and epinio, both with the password password. The operator can control the creation of those users through the api.users key in values.yaml. In a production setup, the default api.users value needs to be overridden.

Switch user

To switch users you need to set the user and pass keys of the Epinio settings file, located at ~/.config/epinio/settings.yaml. The password has to be base64 encoded. Below, cGFzc3dvcmQ= is the base64 encoded version of password.

You can also login again with the epinio login [URL] command.

api: https://epinio.mydomain.com
appchart: ""
certs: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfigAwIBAgIQXJq3y/ouo90Db7BWy34gbDAKBggqhkjOPQQDAjAUMRIw
****************************************************************
****************************************************************
****************************************************************
qCPZOyTsHKnjmj7zxg57+Kq2KLFT
-----END CERTIFICATE-----
colors: true
namespace: workspace
pass: cGFzc3dvcmQ=
user: epinio
wss: wss://epinio.mydomain.com

List the Epinio users

An Epinio user is a BasicAuth Kubernetes Secret, with the epinio.io/api-user-credentials reserved label.

The epinio.io/roles annotation is used to declare the list of the assigned roles. It's a comma separated string with the id of the roles. If a role is namespace-scoped the namespace where it applies appears after the : delimiter (i.e.: admin:workspace).

apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
annotations:
epinio.io/roles: "user,admin:workspace"
name: my-epinio-user
namespace: epinio
stringData:
username: myuser
# password is hashed with the Bcrypt algorithm
password: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS" # value is 'password'

To list the available users you can get the secrets from your cluster with kubectl, filtering them with the proper labels:

# list all the users
kubectl get secrets -n epinio -l 'epinio.io/api-user-credentials'
NAME TYPE DATA AGE
default-epinio-user BasicAuth 3 5m10s
admin-epinio-user BasicAuth 2 5m10s

Add a new user

Since a user is simply a Kubernetes Secret you can create a new user with a kubectl apply:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/roles: "admin"
name: my-epinio-user
namespace: epinio
stringData:
username: myuser
password: "\$2a\$10\$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"
EOF

Roles

An Epinio role is a Kubernetes ConfigMap, with the epinio.io/role reserved label.

The following yaml shows you the default user role:

apiVersion: v1
kind: ConfigMap
metadata:
labels:
epinio.io/role: "true"
name: "epinio-user-role"
namespace: {{ $.Release.Namespace }}
data:
id: user
name: "Epinio User Role"
default: "true"
actions: |
namespace
app_read
configuration_read
service_read
gitconfig_read

Fields

KeyDescription
idThe ID of the Role
nameA friendly name for the Role
default(optional) if set to true the role will be the one selected as default if no other roles were assigned to the user
actionsThe actions the roles can perform

Actions

Each Role can perform some actions defined in the actions field (newline separated). These actions are hardcoded in Epinio, and some of them depend on other actions. Enabling an action with a dependency will automatically enable the dependency as well.

Namespace

These actions enable operations on Namespace commands and resources.

Action IDDescription
namespace_readRead permissions (list, show)
namespace_writeWrite permissions (create, delete)
Depends on: namespace_read
namespaceAll the above
Depends on: namespace_read, namespace_write

App

These actions enable operations on App commands and resources. They also enable commands related to AppCharts (epinio app chart) and application environment variables.

Action IDDescription
app_readRead permissions (app list and show, env list and show)
app_logsRead application logs
app_writeWrite permissions (app create, delete, push, export, stage, env set and unset)
Depends on: app_read, app_logs
app_execPerform an exec into a running application
app_portforwardOpen a tunnel with the port-forward command
appAll the above
Depends on: app_read, app_logs, app_write, app_exec, app_portforward

Configuration

These actions enable operations on Configuration commands and resources. Be aware that to bind a configuration you still need the app_write permission as well.

Action IDDescription
configuration_readRead permissions (list, show)
configuration_writeWrite permissions (create, delete)
Depends on: configuration_read
configurationAll the above
Depends on: configuration_read, configuration_write

Service

These actions enable operations on Service commands and resources.

Action IDDescription
service_readRead permissions (list, show)
service_writeWrite permissions (create, delete, bind, unbind)
Depends on: service_read
service_portforwardOpen a tunnel with the port-forward command
serviceAll the above
Depends on: service_read, service_write, service_portforward

Gitconfig

These actions enable operations on Gitconfig commands and resources.

Action IDDescription
gitconfig_readRead permissions (list, show)
gitconfig_writeWrite permissions (create, delete)
Depends on: gitconfig_read
gitconfigAll the above
Depends on: gitconfig_read, gitconfig_write

Export Registries

This action enable operations on Export Registries commands and resources. Only read operations are available.

Action IDDescription
export_registries_readRead permissions

Assign namespaces

The authorized user's namespaces are an additional namespaces field in the Secret data, separated by a newline \n.
To modify them edit just that field:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/roles: "user,admin:foobar"
name: my-epinio-user
namespace: epinio
stringData:
username: myuser
password: "\$2a\$10\$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"
namespaces: |
workspace
workspace2
EOF