UI Authentication

This page describes how authentication works for the TrilioVault for Kubernetes UI.

TVK UI supports authentication through client certificates supplied via kubeconfig files. As a result, any user of the Kubernetes cluster can log into the UI, view information, and perform operations according to the permissions granted to them by RBAC.

TrilioVault for Kubernetes Login Screen

Trilio aims to keep the UI completely stateless, so that each Kubernetes user's UI experience is determined by the clusters (with TVK installed) that they have access to.

Since Trilio supports both namespace-scoped and cluster-scoped installation, it is important to understand the user experience that results from each.

Scenario 1

  1. TVK is installed at a cluster scope level

  2. User A has access to namespace 1, 2 and 3

  3. User B has access to namespace 2 and 3

  4. No specific RBAC has been set on the Trilio CRDs

User A and User B will each see only the namespaces they have access to when they log in to the UI. Both users will be able to perform TrilioVault actions without any restrictions.

Scenario 2

  1. TVK is installed at a namespace level scope within Namespace 1

  2. User A has access to namespace 1, 2 and 3

  3. User B has access to namespace 2 and 3

  4. No specific RBAC has been set on the Trilio CRDs

User A will see only namespace 1 when logged into the UI; namespace 1 will appear as a single-namespace cluster within the UI. User B will not see any clusters (or namespaces) within the UI (a blank UI) when they log in.

Minimal ClusterRole for UI Access

Requirements for accessing the TVK console for cluster and namespace installs.

Cluster Install

The following ClusterRole shows the minimal configuration required to access the TVK management console.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: svcs-role
rules:
  # Read access to all TrilioVault custom resources
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["*"]
    verbs: ["get", "list"]
  # The console also needs to be able to create policies
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["policies"]
    verbs: ["create"]
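A ClusterRole by itself grants nothing until it is bound to a subject. The binding below is an added example and is not part of the Trilio documentation: it binds the svcs-role ClusterRole above to one user in one namespace, which is how the per-namespace visibility of Scenario 1 is achieved in practice. The user name "user-b" and the namespace "namespace-2" are assumed values; the user name must match the Common Name in the client certificate referenced by that user's kubeconfig.

```yaml
# Added example, not from the Trilio documentation.
# Assumed values: user "user-b", namespace "namespace-2".
# A RoleBinding that references a ClusterRole applies the ClusterRole's
# rules only inside the RoleBinding's own namespace. Binding svcs-role
# this way in namespace 2 (and again in namespace 3) gives User B the
# Scenario 1 experience: TVK resources visible in those two namespaces
# and nothing elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tvk-ui-user-b
  namespace: namespace-2
subjects:
  - kind: User
    name: user-b          # must equal the CN of user-b's client certificate
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svcs-role         # the ClusterRole shown above
  apiGroup: rbac.authorization.k8s.io
```

Had a ClusterRoleBinding been used instead, the same rules would apply in every namespace of the cluster, which is more than Scenario 1 intends. Before handing out a kubeconfig, confirm the effective permissions from an admin session with `kubectl auth can-i list policies.triliovault.trilio.io --as user-b -n namespace-2` (expected: yes) and the same command with `-n namespace-1` (expected: no).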

Namespace Install

If TVK has been installed at a Namespace level, then a minimum of read access over the namespace is required to access the management console.
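The following Role and RoleBinding are an added example and are not part of the Trilio documentation. They give one user read access scoped to the namespace in which TVK was installed, which is the minimum the paragraph above describes. The user name "user-a" and the install namespace "namespace-1" are assumed values, and the specific resource rules are an assumption modelled on the cluster-install ClusterRole on this page, since the page does not enumerate them for the namespace case.

```yaml
# Added example, not from the Trilio documentation.
# Assumed values: user "user-a", TVK install namespace "namespace-1".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tvk-ui-reader
  namespace: namespace-1
rules:
  # A Role bound in namespace-1 can grant "get" on the Namespace object
  # namespace-1 itself, which lets the console resolve the namespace
  # the user is bound to without any cluster-wide permission.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
  # Read access to the TrilioVault custom resources in this namespace only
  # (assumed: mirrors the read rule of the cluster-install ClusterRole).
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["*"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tvk-ui-reader-user-a
  namespace: namespace-1
subjects:
  - kind: User
    name: user-a          # must equal the CN of user-a's client certificate
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tvk-ui-reader
  apiGroup: rbac.authorization.k8s.io
```

Because the Role and its binding live in namespace-1, a user such as User B from Scenario 2, who has no binding there, receives nothing from it and sees the blank UI described above. `kubectl auth can-i --list --as user-a -n namespace-1` shows the full set of permissions the console will operate under for that user.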