Advanced authentication
Introduction
As of today there are multiple layers that a user or system needs to authenticate with in order to use STACKIT Edge Cloud (STEC). If you're looking for a quick introduction on how to authenticate and use the product, take a look at the getting started guide. For a more detailed introduction to the different authentication layers, this guide has you covered.
Platform authentication
The first time you log in to the STACKIT portal you authenticate with the STACKIT platform using your personal login credentials. The STACKIT platform authentication is what enables you to create projects and, given the correct permissions within a project, to manage the products that belong to a project. On this layer you'll have to create a project and order the STEC product, which gives you initial permissions (edge.admin) to manage your product using the STACKIT API / CLI. There are always two ways to get a product role:
- By assigning the product role to an account directly
- By inheritance from other roles
The following table gives you an overview of the product-specific permissions, the product roles that grant those permissions and the superior roles that pass those product roles on to a user by inheritance when they are not directly assigned.
| Inherited by Role(s) | Resulting Product Role | Description | Permission(s) |
|---|---|---|---|
| | Edge Admin (edge.admin) | Has read & write access to resources within the edge domain. Can do anything a reader can do. | |
| | Edge Reader (edge.reader) | Has read access to resources within the edge domain. | |
When a STEC role is assigned to an account at project level or above, the account will be able to use the role's permissions to interact with any STEC instance that is part of the project. As of today there is no way to limit access permissions to a single STEC instance other than creating a separate STACKIT project.
If you want to access the STACKIT platform in an automated manner, you may also create service accounts for non-human users that access and use the STACKIT platform based on their configured permissions.
Managing platform authentication is out of the scope of this guide. For further assistance on how to use it please follow the STACKIT getting started and STACKIT IAM guides. The following steps will require that you have a valid STACKIT login with sufficient permissions (edge.admin).
Product authentication
This layer represents a STACKIT product. How you authenticate with and use your product is product specific. For STEC this means a supported Kubernetes authentication method has to be used, because STEC itself is a cloud-native solution running on Kubernetes. When you interact with a STEC instance you're doing so via the Kubernetes API. Therefore all permissions are implemented using standard Kubernetes RBAC. You'll get an authentication token for your product using the STACKIT API / CLI / UI. That token can then be used to authenticate with your instance using Kubernetes authentication. The same token can also be used to authenticate with the STEC Web-UI.
Please be aware that anyone holding the edge.instances.create, edge.instances.update or edge.instances.delete permission(s) will be able to obtain authentication tokens for all instances of a STACKIT project. This means that anyone given the Edge Admin role on project level or above - or inheriting this role from other roles - can access any STEC instance of that project at any time. As of today there is no way to limit access permissions to a single STEC instance other than creating a separate STACKIT project.
When you request an authentication token it is bound to a specific Kubernetes role. It is crucial to understand which roles exist and what kind of permissions they grant. As of today only one role, called edge-admin, exists. The following table provides an overview of the verbs on each STEC resource that a token receives when that role is assigned to it. Note that edge-admin can get, list and watch Secrets in the default namespace, so any Secret stored there is readable by every holder of such a token.
| Resource/Role | edge-admin |
|---|---|
| EdgeCluster | get, list, watch, create, update, patch, delete, deleteCollection |
| EdgeHost | get, list, watch, delete, deleteCollection |
| EdgeImage | get, list, watch, create, update, patch, delete, deleteCollection |
| EdgeMachine | get, list, watch |
| Secrets (default namespace only) | get, list, watch |
Managed system authentication
In the case of STACKIT Edge Cloud there is a third layer of authentication. STACKIT Edge Cloud enables you to use your own hardware in remote locations to install and manage Kubernetes from the STACKIT Cloud. When you install a new host and add it to your STACKIT Edge Cloud fleet it becomes a centrally managed system that, once its initial configuration is applied, becomes a managed (Kubernetes) cluster. You'll get an initial set of credentials in the form of a kubeconfig and a talosconfig. Both use mTLS to authenticate you securely with your managed system and grant you extensive permissions on that system. You may want to use alternative authentication methods to authenticate yourself and/or others with your Kubernetes cluster, or to restrict the authorization, and you're free to do so. STEC gives you the freedom of choice when it comes to how you want to use your managed systems (hosts / clusters): you can customize their authentication and authorization as needed.
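Both credential types described on this page end up in a kubeconfig: the STEC product token as a bearer token (product authentication layer) and the managed-cluster credentials as an mTLS client certificate (managed system layer). Before handing such a file to a person, a CI job or a service account, it is worth inspecting what it actually grants. The following Go program is an added example written for this guide, not STACKIT or Talos code: it reads the JSON form of a kubeconfig (kubectl accepts JSON because it is valid YAML) and, for each user, reports whether it authenticates by token or by client certificate; for certificates it extracts the CN and O fields, which Kubernetes maps to the username and groups, checks expiry, and flags membership in system:masters, a built-in group that bypasses RBAC and, because Kubernetes has no client-certificate revocation, can only be retired by rotating the cluster CA. The sample kubeconfig, the placeholder token string and the self-signed certificate are constructed inside the program; the struct only models the kubeconfig fields this check needs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// kubeconfig models only the user entries of a kubeconfig in JSON form.
// Real files carry clusters and contexts too; they are ignored here.
type kubeconfig struct {
	Users []struct {
		Name string `json:"name"`
		User struct {
			Token          string `json:"token"`
			ClientCertData string `json:"client-certificate-data"`
		} `json:"user"`
	} `json:"users"`
}

// Credential summarises how one kubeconfig user authenticates.
type Credential struct {
	User     string
	Method   string    // "token" (bearer token, e.g. a STEC product token) or "mtls"
	Subject  string    // certificate CN; Kubernetes uses it as the username
	Groups   []string  // certificate O entries; Kubernetes uses them as groups
	Expires  time.Time // certificate NotAfter; zero for token users
	Warnings []string
}

// InspectKubeconfig returns one Credential per user entry. Client certificates
// are parsed so that their identity, groups and expiry become visible; the
// function does not validate the chain, it only reports what the cert claims.
func InspectKubeconfig(raw []byte, now time.Time) ([]Credential, error) {
	var cfg kubeconfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []Credential
	for _, u := range cfg.Users {
		c := Credential{User: u.Name}
		switch {
		case u.User.Token != "":
			c.Method = "token" // bearer secret: anyone holding the file holds the role
		case u.User.ClientCertData != "":
			c.Method = "mtls"
			pemBytes, err := base64.StdEncoding.DecodeString(u.User.ClientCertData)
			if err != nil {
				return nil, fmt.Errorf("user %s: %w", u.Name, err)
			}
			block, _ := pem.Decode(pemBytes)
			if block == nil {
				return nil, fmt.Errorf("user %s: no PEM certificate found", u.Name)
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("user %s: %w", u.Name, err)
			}
			c.Subject = cert.Subject.CommonName
			c.Groups = cert.Subject.Organization
			c.Expires = cert.NotAfter
			for _, g := range c.Groups {
				if g == "system:masters" {
					c.Warnings = append(c.Warnings, "certificate is in system:masters: bypasses RBAC and cannot be revoked")
				}
			}
			if cert.NotAfter.Before(now) {
				c.Warnings = append(c.Warnings, "certificate has expired")
			}
		default:
			c.Method = "unknown"
		}
		out = append(out, c)
	}
	return out, nil
}

// sampleKubeconfig builds a constructed kubeconfig (not real STACKIT output):
// one bearer-token user and one mTLS user whose freshly generated self-signed
// certificate is in system:masters, the shape an initial cluster-admin cert often has.
func sampleKubeconfig(now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "admin", Organization: []string{"system:masters"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	cfg := fmt.Sprintf(`{"apiVersion": "v1", "kind": "Config", "users": [
  {"name": "stec-product-token", "user": {"token": "placeholder-token"}},
  {"name": "managed-cluster-admin", "user": {"client-certificate-data": %q}}]}`,
		base64.StdEncoding.EncodeToString(pemCert))
	return []byte(cfg), nil
}

func main() {
	now := time.Now()
	raw, err := sampleKubeconfig(now)
	if err != nil {
		panic(err)
	}
	creds, err := InspectKubeconfig(raw, now)
	if err != nil {
		panic(err)
	}
	for _, c := range creds {
		fmt.Printf("%-22s %-6s subject=%q groups=%v expires=%s\n",
			c.User, c.Method, c.Subject, c.Groups, c.Expires.Format("2006-01-02"))
		for _, w := range c.Warnings {
			fmt.Println("  warning:", w)
		}
	}
}
```

To run the check against a real file, export it in JSON form with `kubectl config view --raw -o json --kubeconfig <file>` and feed the output to InspectKubeconfig. For the token-based STEC kubeconfig the program can only tell you that it is a bearer token; what the token may do is defined by the edge-admin RBAC role described above, which you can confirm from the cluster side with `kubectl auth can-i --list`.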