Security-Limiting-User-Access-to-your-KAN-Portal.md

Security: Limiting User Access to your KAN Portal

Once your KAN portal has been set up, it is accessible to anyone via the IP. In other words, it is open to users for whom access may not be intended. This can be a security and compliance loophole. To prevent unwanted users from accessing your portal, use one of the following approaches to limit access:

1. Limit portal access from Azure portal to certain IPs (if using Azure Kubernetes Service (AKS))

2. Limit external access using ingress rules

3. Limit external access altogether and use port-forwarding to access the portal on the spot locally

4. Create basic login/Pass authentication using ingress basic http authentication

5. Set up Azure API Management (APIM) and configure ingress to be only accessible via this APIM

Limit portal access from Azure portal to certain IPs

Note: This option is available only if you are using AKS.

1. When you’ve finished installing the KAN-controller, you can find the IP address (the first one) of the portal by running the following command in your Azure Cloud CLI command line:

  kubectl get svc -A 

2. Once you have the LoadBalancer IP address, open the resource group associated with your AKS cluster (not the AKS cluster itself).
3. In a separate tab, open the network security (NSG) resource.
4. For each line that references the LoadBalancer IP address:
   • Select the inbound security rule.
   • Change the source IP address range to the network you want to allow access to the portal. For example, your home or corporate IP address space in classless inter- domain routing (CIDR) notation.

Limit External Access Using Ingress Rules

Modify ingress resource “webmodule” that was automatically created during installation on your Kubernetes cluster with: Using nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster . Make sure to apply your changes after modifying the YAML file.

Limit External Access Altogether & Use Port Forwarding

1. Delete the ingress object “webmodule” created during installation:

kubectl delete ingress webmodule 

2. Use Kubernetes port-forwarding to access the portal on the spot locally using the following command:

kubectl port-forward --address localhost service/webmodule <your-desired-port>:8000" 

This allows you to view the portal using:

localhost:<your-desired-port>

Note: Run this command on the system you would like to access the portal with. For example, if you want to use your computer to view the portal, you need to run the command on your computer.

With port-forwarding, admin access to the portal does not need to be granted to everyone. Instead, you can create a configuration file with restricted access. The following steps show you how to provide permission to update the config map (“mycm”) in a specific namespace (“myns”) to create a kubeconfig with restricted access.

1. Create the namespace if it doesn’t already exist. For this example, call the namespace myns.

kubectl create ns myns 

2. Create a service account in the myns namespace. For this example, call the service account cm-user. This command will also create a secret token.

kubectl create sa cm-user -n myns 

3. Use the following to get cm-user secrets. You need the token and ca.crt from the cm-user token. Make sure to Base64 decode the value of the token.

kubectl get sa cm-user -n myns 
kubectl get secrets -n myns 

4. Next, create a user using the decoded token:

kubectl config set-credentials cm-user --token=<decoded token value> 

5. Next, generate a kubeconfig file kubeconfig-cm:

apiVersion: v1 

kind: Config 

clusters: 

- cluster: 

    certificate-authority-data: <ca.crt value from cm-user-token-kv5j5 secret> 

    server: <kubernetes server> 

  name: <cluster> 

contexts: 

- context: 

    cluster:<cluster> 

    namespace: myns 

    user: cm-user 

  name: cm-user 

current-context: cm-user  

users: 

- name: cm-user 

  user: 

    token: <decoded token> 

6. Next, create a role and rolebinding for service account cm-user:

apiVersion: rbac.authorization.k8s.io/v1 

kind: Role 

metadata: 

  namespace: myns 

  name: cm-user-role 

rules: 

- apiGroups: [""] 

  resources: ["configmaps"] 

  verbs: ["update", "get", "list"] 

--- 

apiVersion: rbac.authorization.k8s.io/v1 

kind: RoleBinding 

metadata: 

  name: cm-user-rb 

  namespace: myns 

roleRef: 

  apiGroup: rbac.authorization.k8s.io 

  kind: Role 

  name: cm-user-role 

subjects: 

- namespace: myns 

  kind: ServiceAccount 

  name: cm-user 
---

You can now use this kubeconfig file to update your configmap mycm.

Refer to the following docs for more information:

• Use Port Forwarding to Access Applications in a Cluster

• Create kubeconfig with restricted permission - Stack Overflow

• Configure Access to Multiple Clusters

• Organizing Cluster Access Using kubeconfig Files

Create Basic Login/Pass Authentication Using Ingress Basic Http Authentication

For more information on how to add a basic-authentication secret to the ingress automatically created in your K8s environment called "webmodule", visit Basic Authentication.

1. Create htpasswd file

htpasswd -c auth foo 

2. Convert htpasswd into a secret

kubectl create secret generic basic-auth --from-file=auth 

3. Examine secret

kubectl get secret basic-auth -o yaml 

4. Modify your ingress and tie to the basic-auth secret then use kubectl to apply the changes

   Use curl to confirm authorization is required by the ingress

   curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' 
   

   Use curl with the correct credentials to connect to the ingress

   curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar' 
   

Set Up and Manage Authentication with Azure API Management (APIM)

Install an API Management gateway and add your KAN endpoint as a backend target. APIM is integrated with other Azure services such as Azure Active Directory (AAD). The use of AAD as an identity provider will now be enabled for user sign in on the developer portal.

1. Create an Azure API Management Instance: Quickstart - Create an Azure API Management instance

2. Import and publish an API in the Azure API Management instance: Tutorial - Import and publish your first API in Azure API Management

3. Authentication and managing user accounts

   • How to manage user accounts in Azure API Management
   • Authorize access to API Management developer portal by using Azure AD - Azure API Management

For more information on authentication and authorization with Azure API Management, visit: Authentication and authorization - Overview - Azure API Management.

Deciding between access options

1. For a quick and simple option, try one of the following:
   • Limit portal access directly from the Azure portal to certain IPs (AKS only)
   • Limit external access using ingress rules
2. Use port forwarding if you want to allow multiple members to access the portal without providing admin access to everyone
3. Use Basic Authentication with NGINX Ingress Controller if you want to a user to create their own user/password and tie it to the ingress which controls access to the portal
4. Set up Azure API Management (APIM) if you want the most thorough security. You can use Azure Active Directory with this option. This is the most time-consuming option to set up and there is some cost associated with it

Next Steps

Now that you have secured your portal, we recommend completing the following tutorials:

• Tutorial: Create an Edge AI solution with KAN Portal using a prebuilt model
• How-to guide: Create a complex AI skill with KAN Portal AI Skill builder
• KAN: API overview
• How-to guide: Bring your own ML model and processing logic for your AI Skill using gRPC Custom Processing (BYOM)