{"id":14384152,"url":"https://github.com/oursky/kubernetes-github-authn","last_synced_at":"2026-02-07T00:44:01.873Z","repository":{"id":54034165,"uuid":"87375102","full_name":"oursky/kubernetes-github-authn","owner":"oursky","description":"GitHub token authentication for Kubernetes","archived":false,"fork":false,"pushed_at":"2020-09-01T12:10:17.000Z","size":14,"stargazers_count":164,"open_issues_count":0,"forks_count":44,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-08-23T19:35:17.062Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oursky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-06T02:01:54.000Z","updated_at":"2025-04-27T12:09:43.000Z","dependencies_parsed_at":"2022-08-13T06:10:44.223Z","dependency_job_id":null,"html_url":"https://github.com/oursky/kubernetes-github-authn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oursky/kubernetes-github-authn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oursky%2Fkubernetes-github-authn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oursky%2Fkubernetes-github-authn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oursky%2Fkubernetes-github-authn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oursky%2Fkubernetes-github-authn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oursky","download_url":"https://codeload.github.com/oursky/kubernetes-github-authn/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oursky%2Fkubernetes-github-authn/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29182605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T23:15:33.022Z","status":"ssl_error","status_checked_at":"2026-02-06T23:15:09.128Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-28T18:01:10.166Z","updated_at":"2026-02-07T00:44:01.852Z","avatar_url":"https://github.com/oursky.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Kubernetes Webhook Token Authenticator for GitHub\n\nThis project implements a Kubernetes [Webhook Token\nAuthenticator](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication)\nfor authenticating users using GitHub Personal Access Token.\n\nWhen user\ntries to authenticate to the Kubernetes API, the Kubernetes apiserver\ncalls this authenticator to verify the bearer token. This authenticator checks\nif the access token is valid using GitHub API and returns the GitHub username\nto apiserver.\n\nYou should configure Kubernetes apiserver with an [authorization\nplugin](https://kubernetes.io/docs/admin/authorization/) to control what\nKubernetes resources can a user access.\n\n## How to use\n\nFirst of all, you need to run the authenticator using the example [DaemonSet\nmanifest](manifests/github-authn.yaml). It is recommended to run the\nauthenticator on your Kubernetes master using host networking so that the\napiserver can access the authenticator through the loopback interface.\n\n```\nkubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/github-authn.yaml\n```\n\nConfirm that the authenticator is running:\n\n```\nkubectl get ds -l k8s-app=github-authn -n kube-system\n```\n\nNext, configure apiserver to verify bearer token using this authenticator.\nThere are two configuration options you need to set:\n\n* `--authentication-token-webhook-config-file` a kubeconfig file describing how to\n  access the remote webhook service.\n* `--authentication-token-webhook-cache-ttl` how long to cache authentication\n  decisions. Defaults to two minutes.\n\nCheck the [example config file](manifests/token-webhook-config.json) and save\nthis file in the Kubernetes master. Set the path to this config file\nwith configurion option above.\n\nIt is recommended you read the [Kubernetes\ndocumentation](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication) for how to configure\nwebhook token authentication.\n\n## Authorization with role-based access control (RBAC)\n\nKubernetes support multiple [authorization\nplugins](https://kubernetes.io/docs/admin/authorization) and we recommend\nyou choose role-based access control (RBAC) because permission settings can be\nset using the Kubernetes API. Permission is granted on which roles that the\nauthenticated user has.\n\nSuppose that we have a user called `johndoe` and this user has administrative\naccess to the project `project1`. First of all, we need to define a new role\ncalled `admin` which can control all resources.\n\n```\nkubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/admin-cluster-role.yaml\n```\n\nWe need to assign `johndoe` to this `admin` role so that he has control to\nall the resources in the namespace `project1`.\n\n```\nkubectl create namespace project1\nkubectl create rolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe --namespace=project1\n```\n\nIf we want to assign `johndoe` to the `admin` role in all namespaces instead of\njust the `project1` namespace, create a `ClusterRoleBinding` instead of\na `RoleBinding`:\n\n```\nkubectl create clusterrolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe\n```\n\nRead the [Kubernetes\ndocumentation](https://kubernetes.io/docs/admin/authorization/rbac/) to learn\nmore about how to configure your apiserver to use RBAC.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foursky%2Fkubernetes-github-authn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foursky%2Fkubernetes-github-authn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foursky%2Fkubernetes-github-authn/lists"}