{"id":18579286,"url":"https://github.com/jakolehm/liberty-bell","last_synced_at":"2026-04-13T17:04:02.446Z","repository":{"id":152098445,"uuid":"141710567","full_name":"jakolehm/liberty-bell","owner":"jakolehm","description":"Kubernetes Token Authenticator","archived":false,"fork":false,"pushed_at":"2018-07-22T15:10:54.000Z","size":22,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-12T20:05:23.760Z","etag":null,"topics":["github","gitlab","kubernetes","rbac"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jakolehm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-20T12:40:40.000Z","updated_at":"2018-07-22T15:07:48.000Z","dependencies_parsed_at":"2023-07-13T15:15:14.964Z","dependency_job_id":null,"html_url":"https://github.com/jakolehm/liberty-bell","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakolehm%2Fliberty-bell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakolehm%2Fliberty-bell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakolehm%2Fliberty-bell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakolehm%2Fliberty-bell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jakolehm","download_url":"https://codeload.github.com/jakolehm/liberty-bell/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254455604,"owners_count":22074015,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","gitlab","kubernetes","rbac"],"created_at":"2024-11-06T23:39:52.879Z","updated_at":"2026-04-13T17:04:02.439Z","avatar_url":"https://github.com/jakolehm.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Liberty Bell - Kubernetes Token Authenticator\n\n![liberty-bell](https://bpsh2.hs.llnwd.net/e1/contenthub-cdn-origin/media/casinoeuro/casinoeuro_blog/liberty_bell_slot_600.jpg)\n\nLiberty Bell implements a [Kubernetes Webhook Token Authenticator](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication) for authenticating users using [GitHub](https://github.com) or [Gitlab](https://gitlab.com) Personal Access Tokens. Authenticator also configures groups of authenticated user appropriately. This allows cluster administrator to setup RBAC rules based on membership in groups.\n\n## Usage\n\nYou can deploy the `liberty-bell` using [the example DaemonSet manifest](https://github.com/jakolehm/liberty-bell/blob/master/manifests/daemonset.yml). It is recommended to run the authenticator on your Kubernetes master using host networking so that the apiserver can access the authenticator through the loopback interface.\n\n```\nkubectl create -f https://raw.githubusercontent.com/jakolehm/liberty-bell/master/manifests/daemonset.yml\n```\n\nNext, you need to configure Kubernetes apiserver to verify bearer token using `liberty-bell`. \n\nSee [Kubernetes](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication) documentation how to pass configuration for apiserver.\n\nIf you are using [Kontena Pharos](https://kontena.io/pharos), configuration can be passed via [cluster.yml](https://pharos.sh/docs/usage/#webhook-token-authentication)\n\n### Github Configuration\n\n```yaml\n---\nkind: Config\napiVersion: v1\nclusters:\n- name: liberty-bell\n  cluster:\n    server: http://localhost:9393/github\nusers:\n- name: kube-apiserver\n  user: {}\ncontexts:\n- name: webhook\n  context:\n    cluster: liberty-bell\n    user: kube-apiserver\ncurrent-context: webhook\n```\n\n#### Group Mapping\n\nKubernetes groups are constructed as `\u003corganization\u003e/\u003cteam\u003e`. For example if Github user belongs to `testers` team at `acme` organization then group name would be `acme/testers` in Kubernetes.\n\n\n### Gitlab Configuration\n\n```yaml\n---\nkind: Config\napiVersion: v1\nclusters:\n- name: liberty-bell\n  cluster:\n    server: http://localhost:9393/gitlab\nusers:\n- name: kube-apiserver\n  user: {}\ncontexts:\n- name: webhook\n  context:\n    cluster: liberty-bell\n    user: kube-apiserver\ncurrent-context: webhook\n```\n\n#### Group Mapping\n\nKubernetes groups are constructed as `\u003cgroup\u003e/\u003csubgroup\u003e`.\n\n## Using with RBAC\n\n### Grant permissions for a user\n\n```\nkubectl create namespace project1\nkubectl create rolebinding johndoe-admin-binding --clusterrole=clusteradmin --user=johndoe --namespace=project1\n```\n\n### Grant permissions for a group\n\n```\nkubectl create namespace project1\nkubectl create rolebinding testers-admin-binding --clusterrole=clusteradmin --group=acme/testers --namespace=project1\n```\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/jakolehm/liberty-bell\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjakolehm%2Fliberty-bell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjakolehm%2Fliberty-bell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjakolehm%2Fliberty-bell/lists"}