Hi,Guys:
Currently, I have 1 master 1 follower outside of k8s. I can see the docs said must have 1 follower inside k8s, then we can use k8s authenticator. is it true? and possible to use outside followers as the k8s authenticator ? stuck here a long time.
hope anyone can help.
Hey @atomatnus -
We don’t officially document support for using a follower outside of Kubernetes for our authn-k8s integration, since our official recommendation is to deploy a follower internal to your cluster. I’m checking to see if someone can weigh in on the best practices for configuring DAP this way
The authn-k8s follower leverages the K8s API to use native properties of the platform to identify your apps running in K8s, and to do this it needs appropriate RBAC permissions to access what it needs from the K8s API. For reference, this page gives info on the ClusterRole that each K8s-deployed follower should have defined, and each page here describes the RoleBinding required in your application namespaces to enable the follower to verify your application identities and inject the certificates / tokens into your app environments.
I’ll keep you posted on what other info I can find.
@atomatnus I will add here that while @izgerij is 100% correct in it not being an officially documented feature, the seed-fetcher authentication does this by using external-to-cluster k8s authentication that you might be able to tweak to use if you must have the follower outside of the cluster (change refs from master to follower, use you service details instead of seed-fetcher’s).