Leverage Federated Authentication from Kubernetes
Atlas Kubernetes Operator supports using federated authentication for your Atlas organization.
Note
You can't use Atlas Kubernetes Operator to set up an IdP. To set up an IdP, see Configure Database Deployment Authentication and Authorization.
Once you set up your IdP, you can manage the role mappings that authenticate users to use your IdP.
To configure federated authentication through the Atlas Kubernetes Operator, you must specify and update the AtlasFederatedAuth Custom Resource.
When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify federation settings for your Atlas organization, such as organization and role mappings.
Prerequisites
Before you can use Atlas Kubernetes Operator to configure federated authentication, you must have:
- An existing identity provider (IdP) linked to Atlas. To learn how to link an IdP to Atlas, see Manage Identity Providers.
- A secret with API keys that Atlas Kubernetes Operator can use to connect to Atlas. The API keys must have the Organization Owner role.
- At least one role within an active Atlas organization or the projects in the organization.
Update an Organization Configuration
To configure federated authentication through the Atlas Kubernetes Operator, update the organization configuration for your federation by specifying the AtlasFederatedAuth Custom Resource.
The following example configures an AtlasFederatedAuth custom resource that does the following:
- Enables federated authentication for the organization linked to the specified secret.
- Adds my-org-domain.com as an approved domain.
- Enables domain restriction for the organization.
- Disables debugging for SSO.
- Grants the Organization Member role to users after authenticating.
- Maps the Organization Owner role for the organization and applies the role mapping to an IdP group named org-admin.
- Maps the Organization Project Creator and Project Owner roles for a project in the organization named dev-project and applies the role mapping to an IdP group named dev-team.
To learn more, see Parameters.
Note
The spec.roleMappings.roleAssignments parameter must include at least one organization role within the current organization or the projects in the organization.
Example:
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
  name: atlas-default-federated-auth
  namespace: mongodb-atlas-system
spec:
  enabled: true
  connectionSecretRef:
    name: my-org-secret
    namespace: mongodb-atlas-system
  domainAllowList:
    - my-org-domain.com
  domainRestrictionEnabled: true
  ssoDebugEnabled: false
  postAuthRoleGrants:
    - ORG_MEMBER
  roleMappings:
    - externalGroupName: org-admin
      roleAssignments:
        - role: ORG_OWNER
    - externalGroupName: dev-team
      roleAssignments:
        - role: ORG_GROUP_CREATOR
        - projectName: dev-project
          role: GROUP_OWNER
EOF
To check on the status of the update process, run the following command:
kubectl get atlasfederatedauth -o yaml
Atlas Kubernetes Operator returns the custom resource and includes a status section that resembles the following example:
status:
  conditions:
    - type: Ready
      status: True
    - type: RolesReady
      status: True
    - type: UsersReady
      status: True
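Because the operator pushes this spec straight into the organization's federation settings, it is worth linting the spec before running kubectl apply: the Note above requires at least one role per mapping, and settings such as domain restriction, SSO debugging and post-authentication grants decide who can sign in and with what privilege. The following check is an added example, not operator code; it assumes the naming convention visible in the example above (organization roles start with ORG_, project roles with GROUP_) and uses a constructed copy of the page's spec plus a constructed weak variant.

```python
# Added example, not operator code: lint an AtlasFederatedAuth spec before kubectl apply.
# Assumes the convention seen in the page's example: org roles start with ORG_, project roles with GROUP_.

def check_federated_auth(spec: dict) -> list:
    """Return findings for risky or invalid settings; an empty list means the spec passes."""
    findings = []
    if not spec.get("domainRestrictionEnabled"):
        findings.append("domainRestrictionEnabled is false: users outside domainAllowList can sign in")
    if not spec.get("domainAllowList"):
        findings.append("domainAllowList is empty")
    if spec.get("ssoDebugEnabled"):
        findings.append("ssoDebugEnabled is true: leave disabled outside troubleshooting")
    if "ORG_OWNER" in spec.get("postAuthRoleGrants", []):
        findings.append("postAuthRoleGrants gives ORG_OWNER to every user who authenticates")
    for mapping in spec.get("roleMappings", []):
        group = mapping.get("externalGroupName", "<unnamed>")
        assignments = mapping.get("roleAssignments", [])
        if not assignments:  # the page's Note: at least one role per mapping
            findings.append(f"roleMapping {group}: roleAssignments must include at least one role")
        for a in assignments:
            role = a.get("role", "")
            if "projectName" in a and not role.startswith("GROUP_"):
                findings.append(f"roleMapping {group}: {role} is not a project role")
            elif "projectName" not in a and not role.startswith("ORG_"):
                findings.append(f"roleMapping {group}: {role} needs a projectName or an ORG_ role")
    return findings

# Constructed copy of the spec from the page's example; it should pass cleanly.
PAGE_SPEC = {
    "enabled": True, "domainAllowList": ["my-org-domain.com"],
    "domainRestrictionEnabled": True, "ssoDebugEnabled": False,
    "postAuthRoleGrants": ["ORG_MEMBER"],
    "roleMappings": [
        {"externalGroupName": "org-admin", "roleAssignments": [{"role": "ORG_OWNER"}]},
        {"externalGroupName": "dev-team", "roleAssignments": [
            {"role": "ORG_GROUP_CREATOR"},
            {"projectName": "dev-project", "role": "GROUP_OWNER"}]},
    ],
}

# Constructed weak variant: each deviation from the page's example produces one finding.
WEAK_SPEC = {
    "enabled": True, "domainAllowList": ["my-org-domain.com"],
    "domainRestrictionEnabled": False, "ssoDebugEnabled": True,
    "postAuthRoleGrants": ["ORG_OWNER"],
    "roleMappings": [
        {"externalGroupName": "contractors", "roleAssignments": []},
        {"externalGroupName": "ops", "roleAssignments": [{"role": "GROUP_OWNER"}]},
    ],
}
```

Running check_federated_auth on the page's spec returns no findings, while the weak variant reports five; a CI step can refuse to apply any manifest whose spec returns a non-empty list.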
To learn about the available parameters for this resource, see AtlasFederatedAuth Custom Resource.