Skip to content

red-hat-data-services/kube-auth-proxy

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2,224 Commits
.devcontainer
.devcontainer
 
 
.github
.github
 
 
.tekton
.tekton
 
 
.vscode
.vscode
 
 
contrib
contrib
 
 
docs
docs
 
 
examples
examples
 
 
pkg
pkg
 
 
providers
providers
 
 
static
static
 
 
testdata
testdata
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
ADOPTERS.md
ADOPTERS.md
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
DESIGN.md
DESIGN.md
 
 
Dockerfile
Dockerfile
 
 
Dockerfile.konflux
Dockerfile.konflux
 
 
Dockerfile.redhat
Dockerfile.redhat
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
OWNERS
OWNERS
 
 
OWNERS_ALIASES
OWNERS_ALIASES
 
 
README.md
README.md
 
 
RELEASE.md
RELEASE.md
 
 
SECURITY.md
SECURITY.md
 
 
VERSION
VERSION
 
 
dist.sh
dist.sh
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
main_suite_test.go
main_suite_test.go
 
 
main_test.go
main_test.go
 
 
oauthproxy.go
oauthproxy.go
 
 
oauthproxy_test.go
oauthproxy_test.go
 
 
validator.go
validator.go
 
 
validator_test.go
validator_test.go
 
 

Repository files navigation

kube-auth-proxy

MIT licensed

kube-auth-proxy is a focused, FIPS-compliant authentication proxy designed specifically for OpenShift Data Hub (ODH) and Red Hat OpenShift AI (RHOAI) environments. It provides secure authentication through both external OIDC providers and OpenShift's internal OAuth service, serving as a drop-in replacement for existing oauth-proxy sidecars for authentication purposes only.

This project is derived from oauth2-proxy but has been streamlined to support only the authentication methods required for enterprise Kubernetes environments, with a strong emphasis on FIPS compliance and compatibility with existing ODH/RHOAI deployments.

Key Features

  • OIDC Authentication: Support for any standards-compliant OIDC provider
  • OpenShift OAuth Integration: Native support for OpenShift's internal OAuth service
  • FIPS Compliance: Built with FIPS-compliant dependencies and compilation flags
  • Drop-in Compatibility: Designed to replace existing oauth-proxy sidecars for authentication without configuration changes
  • Envoy ext_authz Support: Compatible with Envoy's external authorization framework
  • Streamlined Codebase: Focused implementation with unnecessary providers removed

Architecture

kube-auth-proxy acts as a reverse proxy that intercepts requests to your applications and handles authentication through either:

  1. External OIDC Providers: Standard OIDC flow with configurable providers
  2. OpenShift OAuth: Integration with OpenShift's built-in authentication system

Once authenticated, the proxy forwards requests to upstream applications with appropriate headers containing user identity and authorization information.

Get Started

Installation

Container Images

⚠️ Container images are currently under development (TBD). Once available, kube-auth-proxy will be distributed as container images built for multiple architectures:

  • Standard Images: Based on distroless for minimal attack surface
  • FIPS Images: FIPS-compliant builds for enterprise environments
# Standard image (TBD)
# podman pull quay.io/opendatahub-io/kube-auth-proxy:latest

# FIPS-compliant image (TBD)
# podman pull quay.io/opendatahub-io/kube-auth-proxy:latest-fips

Binary Releases

Pre-compiled binaries are available for all major architectures on the releases page.

Configuration

kube-auth-proxy supports configuration through command-line arguments and environment variables. It maintains compatibility with oauth-proxy argument formats for seamless migration.

OIDC Provider Example

kube-auth-proxy \
  --provider=oidc \
  --oidc-issuer-url=https://your-oidc-provider.com \
  --client-id=your-client-id \
  --client-secret=your-client-secret \
  --upstream=http://your-app:8080 \
  --http-address=0.0.0.0:4180

OpenShift OAuth Example

kube-auth-proxy \
  --provider=openshift \
  --openshift-service-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
  --upstream=http://your-app:8080 \
  --http-address=0.0.0.0:4180

For detailed configuration options, see the Configuration Documentation.

Supported Providers

kube-auth-proxy supports the following authentication providers:

  • OIDC: Any standards-compliant OpenID Connect provider
  • OpenShift OAuth: OpenShift's built-in authentication system

All other authentication providers have been intentionally removed to maintain focus and reduce the attack surface.

FIPS Compliance

kube-auth-proxy is built with FIPS compliance as a primary requirement:

  • FIPS-compliant builds: Available through Dockerfile.redhat
  • Automated validation: CI/CD pipeline includes FIPS compliance checks using check-payload
  • Secure dependencies: Only FIPS-approved cryptographic libraries

Migration from oauth-proxy

kube-auth-proxy is designed as a drop-in replacement for oauth-proxy authentication in ODH/RHOAI environments:

  1. Argument Compatibility: Supports both oauth2-proxy and oauth-proxy argument formats
  2. Header Compatibility: Maintains the same upstream headers as oauth-proxy
  3. Behavior Compatibility: Preserves expected authentication flows and responses

Note: This proxy handles authentication (authn) only. It does not include RBAC or SubjectAccessReview (SAR) authorization capabilities.

Development

Building from Source

# Standard build
make build

# FIPS-compliant build
make build-fips

Running Tests

make test

Contributing

We welcome contributions! Please see our Contributing Guide for details on:

  • Code style and conventions
  • Testing requirements
  • Submission process

Security

If you believe you have found a security vulnerability, please do NOT open an issue or PR. Instead, report it privately by emailing the maintainers listed in the MAINTAINERS file.

For more details, see our Security Policy.

Repository History

2025-08-11: This repository was created as a disconnected fork of oauth2-proxy/oauth2-proxy specifically for OpenShift Data Hub and Red Hat OpenShift AI environments. The project has been streamlined to support only OIDC and OpenShift OAuth providers, with a focus on FIPS compliance and enterprise requirements.

Original oauth2-proxy History:

  • 2020-03-29: oauth2-proxy was renamed from pusher/oauth2_proxy to oauth2-proxy/oauth2-proxy
  • 2018-11-27: oauth2-proxy was forked from bitly/OAuth2_Proxy

This fork maintains the MIT license and acknowledges the excellent foundation provided by the oauth2-proxy community while serving the specific needs of the OpenShift ecosystem.

License

kube-auth-proxy is distributed under The MIT License, maintaining compatibility with its oauth2-proxy origins.

Acknowledgments

This project builds upon the excellent work of the oauth2-proxy community. We gratefully acknowledge their contributions to the open-source authentication proxy ecosystem.

Special thanks to the OpenShift and Red Hat communities for their guidance on enterprise authentication requirements and FIPS compliance standards.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 97.9%
  • Other 2.1%