There are two areas of authentication with Nadrama:
Console Authentication
Cluster Authentication
The Nadrama Console is where you sign up, create your account, and manage your cloud providers and clusters.
Learn more about how Role-based Access Control works here.
You authenticate with the Console via the Nadrama Authentication service.
Our authentication service uses OIDC to authenticate:
CLI access for Users and Service Users, e.g. to perform operations you would otherwise perform in the Console UI
Cluster access for Users and Service Users, e.g. obtaining an auth token for your kubeconfig to use with tools like kubectl / helm / k9s
The Kubernetes API in each cluster supports authentication via 3 methods:
Nadrama authentication service OIDC tokens
User & Service User authentication via OIDC tokens
e.g. using the Nadrama CLI login command as described above
Kubernetes Service Accounts
In-cluster Service Accounts use the cluster's own OIDC server
This uses the standard Kubernetes Service Accounts feature.
Note: each cluster exposes an OIDC JWKS endpoint, so you can use OIDC federation to authenticate its Service Accounts to other systems. Because the Nadrama authentication service also supports OIDC federation, a Service Account from one cluster can be used to access another cluster (for example, a CI/CD cluster deploying to other clusters).
Kubernetes Certificate-based Authentication
Each Kubernetes component authenticates using certificates issued by a per-cluster CA
e.g. every VM running Kubernetes components such as kubelet is issued its own unique certificate.