Sykkro/bearer-auth

bearer-auth

About

Traefik forward-auth middleware to impersonate Kubernetes user/service accounts for authenticated users.

WARNING: this is currently in the POC phase, so expect things to break or not work at all as you'd expect.

Conceptually, this is a simple HTTP server that runs on port 8000 by default and processes user IDs passed via HTTP headers. Its end purpose is to serve as an enrichment middleware chained after thomseddon/traefik-forward-auth: it maps X-Forwarded-User users to configured impersonations and returns, in the response HTTP headers, a (pre-configured, pod-mounted) impersonator bearer token as Authentication: Bearer <token> and the impersonated account name as Impersonate-User.

Please refer to this file for configuration guidelines.

Please note: This is a WIP project and I have zero knowledge of Go, these being my very first lines of code in this language. Feel free to share suggestions or contribute with improvements/some refactoring. 🛠
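The header flow described above, as an added sketch that is not this project's code: a forward-auth handler that fails closed for unmapped or ambiguous X-Forwarded-User values and only then returns the impersonation headers. The mapping table, token value, status codes, helper names and the use of the Authorization header (the one the Kubernetes API server reads for bearer tokens) are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample mapping (hypothetical; not the project's config format).
var impersonations = map[string]string{
	"alice@example.com": "system:serviceaccount:dev:alice-sa",
}

// newAuthHandler builds the forward-auth handler; token stands in for the pod-mounted one.
func newAuthHandler(token string, users map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Exactly one non-empty X-Forwarded-User value; duplicates are ambiguous.
		vals := r.Header.Values("X-Forwarded-User")
		if len(vals) != 1 || vals[0] == "" {
			http.Error(w, "missing or ambiguous user", http.StatusUnauthorized)
			return
		}
		account, ok := users[vals[0]]
		if !ok {
			// Fail closed: unmapped users never receive the impersonator token.
			http.Error(w, "no impersonation configured", http.StatusForbidden)
			return
		}
		// Implicit 200: the proxy copies these headers onto the upstream request.
		w.Header().Set("Authorization", "Bearer "+token)
		w.Header().Set("Impersonate-User", account)
	})
}

// check sends one request carrying the given header values; returns status and headers.
func check(h http.Handler, users ...string) (int, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for _, u := range users {
		req.Header.Add("X-Forwarded-User", u)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	h := newAuthHandler("constructed-token", impersonations)
	code, hdr := check(h, "alice@example.com")
	fmt.Println(code, hdr.Get("Impersonate-User"))
}
```

Because X-Forwarded-User is trusted as received, a handler like this is only safe when it is reachable solely through the proxy chain that sets that header after authentication.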

Running

Launch with:

./main --config=test/test_config.yaml

Test user impersonation with:

curl -i http://localhost:8080 -H 'X-Forwarded-User: [email protected]'

Building

For local run

go build main.go

Docker image

# multi-platform build with buildx
docker buildx build \
--platform=linux/amd64,linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64 \
--output "type=image,push=false" \
-t sykkro/bearer-auth:latest .