infra

command module
v0.10.0
Published: Apr 7, 2022 License: Apache-2.0 Imports: 5 Imported by: 0

README

We take security very seriously. If you believe you have found a security issue please report it to our security team by contacting us at security@infrahq.com.

Introduction

Infra is identity and access management for your cloud infrastructure. It puts the power of fine-grained access to infrastructure like Kubernetes in your hands via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.

Features:

  • Single-command access: infra login
  • No more out-of-sync user configurations
  • Fine-grained role assignment
  • Onboard and offboard users via Okta (Active Directory, Google, GitHub coming soon)
  • Audit logs for who did what, when (coming soon)

(Figure: infra architecture)

Quickstart

Prerequisites:

1. Self-Host Infra

helm repo add infrahq https://helm.infrahq.com/
helm repo update
helm install infra infrahq/infra

2. Install Infra CLI

macOS

brew install infrahq/tap/infra
brew link infrahq/tap/infra

Windows

scoop bucket add infrahq https://github.com/infrahq/scoop.git
scoop install infra

Linux

# Ubuntu & Debian
echo 'deb [trusted=yes] https://apt.fury.io/infrahq/ /' | sudo tee /etc/apt/sources.list.d/infrahq.list
sudo apt update
sudo apt install infra

Note: the [trusted=yes] option tells apt to skip signature verification for this repository.

# Fedora & Red Hat Enterprise Linux
sudo dnf config-manager --add-repo https://yum.fury.io/infrahq/
sudo dnf install infra

3. Login to Infra

infra login localhost

This outputs the Infra Access Key, which you will use to log in for emergency recovery. Store it in a safe place: it will not be shown again.

Find the login URL if not using localhost

LoadBalancer

kubectl patch service infra-server -p '{"spec": {"type": "LoadBalancer"}}'

Note: It may take a few minutes for the LoadBalancer endpoint to be assigned. You can watch the status of the service with:

kubectl get service infra-server -w

Once the endpoint is ready, get the Infra API server URL.

kubectl get service infra-server -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}"

Ingress

kubectl get ingress infra-server -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}"

4. Connect the first Kubernetes cluster

This connects the first Kubernetes cluster to the self-hosted Infra. You can connect the same Kubernetes cluster that Infra is self-hosted on.

infra destinations add kubernetes.example-name

Run the helm command it outputs on the Kubernetes cluster you want to connect to Infra.

5. Create the first local user

infra id add name@example.com

This creates a one-time password for the created user.

6. Grant Infra administrator privileges to the first user

infra grants add --user name@example.com --role admin infra

7. Grant Kubernetes cluster administrator privileges to the first user

infra grants add --user name@example.com --role cluster-admin kubernetes.example-name

Supported roles/cluster roles

Infra supports the cluster roles and roles in your Kubernetes environment, including custom ones. For simplicity, you can use cluster roles and scope them to a particular namespace via Infra.

Example applying a cluster role to a namespace:

infra grants add --user name@example.com --role edit kubernetes.example-name.namespace

Default cluster roles available within Kubernetes:

  • cluster-admin

    Allows super-user access to perform any action on any resource. When the cluster-admin role is granted without specifying a namespace, it gives full control over every resource in the cluster and in all namespaces. When it is granted with a specified namespace, it gives full control over every resource in the namespace, including the namespace itself.

  • admin

    Allows admin access, intended to be granted within a namespace. The admin role allows read/write access to most resources in the specified namespace, including the ability to create roles and role bindings within the namespace. This role does not allow write access to resource quota or to the namespace itself. This role also does not allow write access to Endpoints in clusters created using Kubernetes v1.22+.

  • edit

    Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. This role also does not allow write access to Endpoints in clusters created using Kubernetes v1.22+.

  • view

    Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).

8. Login to Infra with the newly created user

infra login

Select the Infra instance and log in with your username and password.

9. Use your Kubernetes clusters

You can now access the connected Kubernetes clusters directly with your favorite tools. In the background, Infra automatically keeps your Kubernetes configuration file (kubeconfig) in sync.

Alternatively, you can switch Kubernetes contexts by using the infra use command:

infra use kubernetes.example-name

Here are some other commands to get you started

See the cluster(s) you have access to:

infra list

See the cluster(s) connected to Infra:

infra destinations list

See who has access to what via Infra:

infra grants list

Note: this requires the user to have either the admin or the view role on Infra.

An example of granting that permission:

infra grants add --user name@example.com --role view infra
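As an added example, not part of the Infra README or the project's own code, the script below applies the role descriptions from the "Supported roles/cluster roles" section to a grant listing such as the one `infra grants list` produces, and flags the grants that deserve a least-privilege review: cluster-admin on a whole cluster (a destination with no namespace part) and admin on Infra itself. The page does not show the output format of `infra grants list`, so the whitespace-separated `user role resource` record format and the sample entries are assumptions constructed for this example; adapt the parsing to your version's output.

```shell
#!/bin/sh
# Added example (not Infra project code): classify Infra grants by the blast
# radius the README attributes to each Kubernetes role.
# Assumed record format: "user role resource", one grant per line.
# Resource naming follows the README: kubernetes.<cluster> is cluster-wide,
# kubernetes.<cluster>.<namespace> is scoped to one namespace, and "infra"
# is the Infra server itself.

# Constructed sample listing for the example (not real grant data).
SAMPLE_GRANTS='alice@example.com cluster-admin kubernetes.example-name
bob@example.com cluster-admin kubernetes.example-name.staging
carol@example.com edit kubernetes.example-name.dev
dave@example.com view kubernetes.example-name.dev
erin@example.com admin infra'

# classify_grant ROLE RESOURCE
# Prints a risk label derived from the README's role descriptions.
classify_grant() {
  role=$1
  resource=$2

  # Grants on the Infra server itself control who can grant what.
  case "$resource" in
    infra)
      case "$role" in
        admin) echo "infra-admin" ;;
        *)     echo "infra-$role" ;;
      esac
      return 0 ;;
  esac

  # Two dots means kubernetes.<cluster>.<namespace>; one dot is cluster-wide.
  case "$resource" in
    *.*.*) scope=namespace ;;
    *)     scope=cluster ;;
  esac

  case "$role" in
    cluster-admin)
      # Without a namespace, cluster-admin is full control of every resource
      # in every namespace; with one, full control of that namespace only.
      if [ "$scope" = cluster ]; then
        echo "cluster-wide-superuser"
      else
        echo "namespace-superuser"
      fi ;;
    admin) echo "namespace-admin-can-bind-roles" ;;      # can create roles/rolebindings
    edit)  echo "namespace-edit-can-read-secrets" ;;     # Secrets + run Pods as any ServiceAccount
    view)  echo "read-only" ;;                           # no Secrets, no roles/rolebindings
    *)     echo "custom-role-review-manually" ;;         # custom roles need a human look
  esac
}

# audit_grants: read "user role resource" lines on stdin, append a label.
audit_grants() {
  while read -r user role resource; do
    [ -n "$user" ] || continue
    printf '%s\t%s\t%s\t%s\n' "$user" "$role" "$resource" \
      "$(classify_grant "$role" "$resource")"
  done
}

# flagged_grants: only the grants with cluster-wide or Infra-wide control.
flagged_grants() {
  audit_grants | grep -E 'cluster-wide-superuser$|infra-admin$'
}

# count_flagged: number of flagged grants (0 when none match).
count_flagged() {
  flagged_grants | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GRANTS" | audit_grants
```

In practice you would pipe the real listing in place of the sample, e.g. `infra grants list | audit_grants`, after adjusting the field order to match your CLI version. The two labels that `flagged_grants` selects are the ones the README describes as full control: cluster-admin without a namespace, and admin on Infra, which is what the quickstart's step 6 hands to the first user.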

10. Share the cluster(s) with other developers

To share access with Infra, developers need to install the Infra CLI and be given the login URL. If using local users, share the one-time password with them.

Security

We take security very seriously. If you have found a security vulnerability please disclose it privately to us by email via security@infrahq.com.

Documentation

There is no documentation for this package.

Directories

Path      Synopsis
cmd
logging   Package logging provides a shared logger and log utilities to be used in all internal packages.
test      (nested module)
testutil
