Knative Backstage security blogpost #6126

Merged
merged 3 commits into from
Sep 23, 2024
Merged
1 change: 1 addition & 0 deletions blog/config/nav.yml
Expand Up @@ -48,6 +48,7 @@ nav:
- releases/announcing-knative-v0-3-release.md
- releases/announcing-knative-v0-2-release.md
- Articles:
- articles/knative-backstage-security.md
- articles/Knative-Serving-WebSockets.md
- articles/Building-Stateful-applications-with-Knative-and-Restate.md
- articles/llm-agents-demo.md
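Review bot: the nav entry path `articles/knative-backstage-security.md` matches the new file this PR adds under `blog/docs/articles/`, so the link will resolve; placing it first under `Articles` also keeps the newest-first ordering used by the `releases/` entries visible in the context above. No change needed.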
2 changes: 0 additions & 2 deletions blog/docs/articles/knative-backstage-plugins.md
Expand Up @@ -8,8 +8,6 @@

While Backstage is not designed as a next generation Kubernetes Dashboard, it can visualize and partially manage Knative resources. These resources would be read-only and focused on what's relevant to developers.

resources that are relevant to the developer persona.

## Plugins and backends

The plugins are the frontend part of the Backstage plugin. They are responsible for rendering the UI and communicating with the backend. The backend is responsible for talking to the Kubernetes API server and providing the necessary information to the frontend. Currently, we only have one plugin and it requires a backend to work. We think that most of the plugins we might provide in the future will require a backend-for-frontend to work.
62 changes: 62 additions & 0 deletions blog/docs/articles/knative-backstage-security.md
@@ -0,0 +1,62 @@
# Knative Backstage Security

**Author: Ali Ok, Principal Software Engineer @ Red Hat**

## What's new?

In a previous [blog post](../knative-backstage-plugins/), we talked about how to integrate Knative with Backstage. In this blog post, we will talk about how to secure the communication between the Knative Event Mesh plugin and the backend.

Previously, the backend was running with a service account that had full access to the Kubernetes cluster. This was not secure, as the backend could access any resource in the cluster. Also, the backend didn't have any authentication mechanism, so anyone who could access the backend could access the Kubernetes resources, although they were only read-only.

To solve these issues, we have done 2 things:

1. The backend now uses a service account with limited permissions.
2. The backend now requires a token to authenticate (passing it along to the API server), for each request coming from the plugin.

## How it works?

![](/blog/articles/images/knative-backstage-security-01.png)
*Backstage Security*
[//]: # (https://drive.google.com/file/d/1qMu0yd-zGYcveUM_tLigw1yZ_0jksX9i/view?usp=drive_link)

Similar to other Backstage plugins, we wanted the plugin administrator to configure the plugin by setting up the necessary things like the backend URL and the token. It is a similar approach with the [Backstage Kubernetes plugin](https://backstage.io/docs/features/kubernetes/configuration#configuring-kubernetes-clusters), where the user needs to provide the URL and the token.

The token is stored in Backstage configuration and is passed to the backend with each request. The backend uses this token to authenticate to the Kubernetes API server. The token is a service account token that has the necessary permissions to list the Knative Eventing resources in the cluster.

```yaml
...
catalog:
providers:
knativeEventMesh:
dev:
token: '${KNATIVE_EVENT_MESH_TOKEN}'
baseUrl: "http://eventmesh-backend.knative-eventing.svc:8080"
schedule: # optional; same options as in TaskScheduleDefinition
# supports cron, ISO duration, "human duration" as used in code
frequency: { minutes: 1 }
# supports ISO duration, "human duration" as used in code
timeout: { minutes: 1 }
```

The `token` is taken from the `KNATIVE_EVENT_MESH_TOKEN` environment variable. Backstage supports environment variables in the configuration files, so you can set the token as an environment variable before starting the Backstage instance. Actually, Backstage has other mechanisms, including configuration files, file includes and others. You can check the [Backstage documentation](https://backstage.io/docs/conf/writing/){:target="_blank"} for more information.

How to create the `ServiceAccount`, `ClusterRole`, `ClusterRoleBinding`, `Secret` and the token for that `Secret` is documented in the [plugin's readme file](https://github.com/knative-extensions/backstage-plugins/blob/main/backstage/plugins/knative-event-mesh-backend/README.md).

## Demo and quick start

If you would like to see the plugin in action, you can [install](https://github.com/knative-extensions/backstage-plugins?tab=readme-ov-file#running-the-backstage-plugin){:target="_blank"} the backend in your Kubernetes cluster and the plugin in your Backstage instance.

However, for a quicker look at the plugin, you can check out the [demo video](https://www.youtube.com/watch?v=4h1j1v8KrY0){:target="_blank"}.
The demo video is recorded with the quick start available in Ali Ok's [demo repository](https://github.com/aliok/knative-backstage-demo){:target="_blank"}.

<iframe width="560" height="315" src="https://www.youtube.com/embed/4h1j1v8KrY0?si=tzUmjcrYOfCy6E1H" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

## Contributions welcome

We are looking for contributors to help us improve the plugin and the backend. If you are interested in contributing, please check out the [README file](https://github.com/knative-extensions/backstage-plugins){:target="_blank"} of the plugins repository. How to start the backend, how to install the plugin, and how to modify the plugin are all documented there.

There are a few issues that are marked as good first issues and we are looking for help with them. If you are interested in contributing, please check out the [good first issues](https://github.com/knative-extensions/backstage-plugins/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22){:target="_blank"}.

## Contact

If you have any questions or feedback, please feel free to reach out to us. You can find us in the [CNCF Slack](https://communityinviter.com/apps/cloud-native/cncf){:target="_blank"} in the [#knative](https://cloud-native.slack.com/archives/C04LGHDR9K7){:target="_blank"} channel.
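Review bot: the article should state what protects the token on the plugin-to-backend hop. The sample configuration in the "How it works?" section points the plugin at `baseUrl: "http://eventmesh-backend.knative-eventing.svc:8080"`, so the service account token that the text says "is passed to the backend with each request" travels over plain HTTP inside the cluster; a sentence recommending TLS for that Service (or an in-cluster mesh/ingress that terminates it) and limiting which workloads can reach the backend would close that gap. Related: since the backend forwards the token to the API server, it is worth saying explicitly that the `ClusterRole` from the linked README should grant only the read verbs needed to list the Knative Eventing resources, which is what "limited permissions" in point 1 implies. Two smaller wording points: the heading "How it works?" should read "How does it work?", and "although they were only read-only" in the paragraph on the old setup reads awkwardly (suggest "even though that access was read-only").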