Commit

Remove user-guide changes from the PR
- There is some work going on to refactor those pages and so the changes
  will be added there instead
foot committed Aug 22, 2023
1 parent 1a17325 commit 6dfc7db
Showing 4 changed files with 4 additions and 70 deletions.
34 changes: 0 additions & 34 deletions website/docs/configuration/anonymous-access.mdx

This file was deleted.

12 changes: 3 additions & 9 deletions website/docs/configuration/securing-access-to-the-dashboard.mdx
Expand Up @@ -7,15 +7,9 @@ title: Securing access to the dashboard
There are 2 supported methods for logging in to the dashboard:
- [Login via an OIDC provider](../oidc-access)
- [Login via a cluster user account](../emergency-user) (not recommended)
- [Anonymous access](../anonymous-access) (to work with other external auth solutions)

The recommended method is to integrate with an OIDC provider,
as this will let you control permissions for existing users and groups that have
already been configured to use OIDC.

It is also possible to use the Emergency Cluster User Account to login, if an OIDC provider is not available to use.

Finally its also possible to disable authentication completely and allow anonymous access to the dashboard.
Alone this is not recommended, but can be used in conjunction with other external auth solutions.

All methods work with standard Kubernetes RBAC.
already been configured to use OIDC. However, it is also possible to use the Emergency Cluster
User Account to login, if an OIDC provider is not available to use.
Both methods work with standard Kubernetes RBAC.
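
Review bot: The added sentence "However, it is also possible to use the Emergency Cluster User Account to login" offers the emergency account as a fallback without the caution that the list item above ("not recommended") and install-enterprise.mdx ("which is insecure") both carry. Suggest repeating that qualifier in the sentence so the paragraph and the list agree. Minor wording in the same sentence: "to login" should be "to log in", and "not available to use" can be just "not available".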
27 changes: 1 addition & 26 deletions website/docs/enterprise/getting-started/install-enterprise.mdx
Expand Up @@ -125,12 +125,11 @@ kubectl apply -f entitlements.yaml

### Securing Access to the Dashboard

There are a few supported methods for logging in to the dashboard, that work with standard Kubernetes RBAC:
There are two supported methods for logging in to the dashboard, that work with standard Kubernetes RBAC:
- Login via an OIDC provider: recommended, as this will allow you to control permissions for existing users and groups that have
already been configured to use OIDC. OIDC decouples the need to manage user lists from the application, allowing it to be managed via
a central system designed for that purpose (i.e. the OIDC provider). OIDC also enables the creation of groups—either via your provider's own systems or by using a connector like [Dex](#configuring-oidc-with-dex-and-github).
- Login via a cluster user account: which is insecure, and which we only recommend for local and development environments or if you need to activate emergency access to a damaged cluster. However, it is an option if an OIDC provider is not available.
- Anonymous login: Disable authentication completely and allow anonymous access to the dashboard. Alone this is not recommended, but can be used in conjunction with other external auth solutions.

You may decide to give your engineering teams access to the WGE dashboard so they can view and manage their workloads. In this case, you will want to secure dashboard access and restrict who can interact with it. Weave GitOps Enterprise integrates with your OIDC provider and uses standard Kubernetes RBAC to give you fine-grained control of the dashboard users' permissions.

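Review bot: In the changed intro line, "There are two supported methods for logging in to the dashboard, that work with standard Kubernetes RBAC:", the comma before "that" should be dropped, and the count is written "two" here but "2" in securing-access-to-the-dashboard.mdx. Suggest one form on both pages, since the two pages describe the same list.
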
Expand Down Expand Up @@ -571,30 +570,6 @@ manually delete the Kubernetes Secret and any User Roles that were created on
the cluster.
:::

</TabItem>
<TabItem value="Anonymous access" label="Anonymous Access">

Alone, this is an **insecure** method of securing your dashboard.
If you decide to use anonymous access, you should be cautious about exposing the endpoint and consider
implementing additional authentication measures such as an auth proxy.

When creating the `HelmRelease` resource further down configure the `insecureNoAuthentication` like so:

```yaml
config:
auth:
insecureNoAuthentication:
enabled: true
user: "wego-admin"
```

The value of the `insecureNoAuthentication.user` is the kubernetes `User` to be impersonated to make requests into the cluster.
Setting this to `wego-admin` will impersonate the hard coded emergency user. Default ClusterRoleBindings and RoleBindings are created for this user.

When `insecureNoAuthentication` is enabled all other authentication methods (e.g. OIDC, emergency user) are disabled.

No login screen will be displayed when accessing the dashboard.

</TabItem>
</Tabs>

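Review bot: The removed Anonymous Access tab is where the docs state that enabling `insecureNoAuthentication` disables all other authentication methods, shows no login screen, and impersonates the configured `user` (with `wego-admin` having default ClusterRoleBindings and RoleBindings). If the option is usable before the refactored pages land, it will have no documentation and no warning in the meantime. Suggest referencing the refactor PR or issue in the commit message, or keeping a short caution for the option until the new page exists.
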
1 change: 0 additions & 1 deletion website/sidebars.js
Expand Up @@ -67,7 +67,6 @@
items: [
'configuration/oidc-access',
'configuration/emergency-user',
'configuration/anonymous-access',
],
},
'configuration/service-account-permissions',
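
Review bot: The `'configuration/anonymous-access'` id is dropped here and the `../anonymous-access` link is dropped in securing-access-to-the-dashboard.mdx, but the diff does not show whether any other page still links to the deleted anonymous-access.mdx. A repository-wide search for `anonymous-access` before merging would catch a dangling link.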