Skip to content

Feature/k8s auth proxy#91

Open
shyam0904a wants to merge 3 commits intonetbirdio:mainfrom
shyam0904a:feature/k8s-auth-proxy
Open

Feature/k8s auth proxy#91
shyam0904a wants to merge 3 commits intonetbirdio:mainfrom
shyam0904a:feature/k8s-auth-proxy

Conversation

@shyam0904a
Copy link
Copy Markdown

@shyam0904a shyam0904a commented Dec 19, 2025
edited
Loading

Description

Add Kubernetes API Auth Proxy feature that provides identity-aware access to the Kubernetes API through NetBird.

New files:

  • cmd/auth-proxy/main.go: Auth proxy binary with embedded NetBird client
  • Dockerfile.auth-proxy: Multi-arch container build
  • helm/kubernetes-operator/templates/auth-proxy-*.yaml: Helm templates for deployment, RBAC, and secret

Configuration (values.yaml):

  • authProxy.enabled: Enable/disable the auth proxy
  • authProxy.setupKey: NetBird setup key for the proxy peer
  • authProxy.hostname: Peer hostname in NetBird network
  • authProxy.dnsDomain: NetBird DNS domain for TLS cert
  • authProxy.managementURL: NetBird management server URL

Requires: netbird with client/embed package support

shyam0904a and others added 3 commits December 19, 2025 23:37
@shyam0904a
feat: add Kubernetes API Auth Proxy with NetBird peer identity
1780e05 
This adds a Kubernetes API authentication proxy that:
- Embeds the NetBird client to join the mesh network
- Authenticates incoming requests using WhoIs peer identity lookup
- Maps NetBird user/groups to Kubernetes impersonation headers
- Provides identity-aware RBAC for kubectl access through NetBird

New files:
- cmd/auth-proxy/main.go: Auth proxy binary with embedded NetBird client
- Dockerfile.auth-proxy: Multi-arch container build
- helm/kubernetes-operator/templates/auth-proxy-*.yaml: Helm templates

Configuration (values.yaml):
- authProxy.enabled: Enable/disable the auth proxy
- authProxy.setupKey: NetBird setup key for the proxy peer
- authProxy.hostname: Peer hostname in NetBird network
- authProxy.dnsDomain: NetBird DNS domain for TLS cert generation
- authProxy.managementURL: NetBird management server URL

RBAC:
- ClusterRole with impersonate permissions for users, groups, serviceaccounts
- Dedicated ServiceAccount for the auth proxy

Requires: netbird with client/embed package support
@mohamed-essam @shyam0904a
Fix helm chart releaser multiple charts separate version (netbirdio#84)
07b440a
@mlsmaycon @shyam0904a
Update Dockerfile.kubectl (netbirdio#89)
acf7f61
@shyam0904a shyam0904a force-pushed the feature/k8s-auth-proxy branch from 5ed5a4f to acf7f61 Compare December 19, 2025 18:07
This was referenced Dec 19, 2025
Open
Open
@Wouter0100
Copy link
Copy Markdown

Wouter0100 commented Feb 25, 2026

This seems like a feature we'd love, love, love to use! Any idea when it might be merged & released?

@phillebaba
Copy link
Copy Markdown
Collaborator

phillebaba commented May 4, 2026

@shyam0904a thank you for the contribution, I am sorry that it has taken so long but we have had to focus on getting other issues fixed first. I think this feature would be very useful.

I am just considering if it is better to keep this in its own repository instead of in the operator. I am also looking at getting tighter integrations with Netbird to get more explicit support for Kubernetes clusters.

@shyam0904a
Copy link
Copy Markdown
Author

shyam0904a commented May 4, 2026

@shyam0904a thank you for the contribution, I am sorry that it has taken so long but we have had to focus on getting other issues fixed first. I think this feature would be very useful.

Would love to have this feature on netbird soon :)

I am just considering if it is better to keep this in its own repository instead of in the operator. I am also looking at getting tighter integrations with Netbird to get more explicit support for Kubernetes clusters.

sounds good, happy to sync on this and collaborate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@shyam0904a @Wouter0100 @phillebaba @mohamed-essam @mlsmaycon