Cryostat, a tool for managing JDK Flight Recorder data on Kubernetes, is now integrated with the built-in OAuth server on Red Hat OpenShift as part of the tech preview release of Cryostat 2.1. When logging into Cryostat on OpenShift, you will be redirected to the OpenShift login page and prompted to enter the username and password corresponding to your OpenShift user account. Upon success, you can stay logged in during multiple sessions—for 24 hours by default.
What does Cryostat use OpenShift authentication for?
In order for Cryostat to monitor Java applications running in your containerized Java Virtual Machines (JVMs), Cryostat searches for target applications within the same namespace where Cryostat is deployed. This means that Cryostat needs permission from your OpenShift user account to discover Kubernetes objects such as pods and deployments. Whenever a user makes a request to start, stop, or save a JDK flight recording on a target application, Cryostat ensures that the user's requests come from the same namespace, and that the user has access to view and manage JDK flight recordings on each target application.
Changes to Cryostat authentication since Cryostat 2.0
Cryostat 2.0 required users to paste their authorization token from the OpenShift console into the Cryostat login page and re-enter their token upon refreshing a browser session. Cryostat 2.1 combines the OpenShift OAuth server with Cryostat's RBAC permissions to give users configurable permissions for each of their OpenShift user accounts. By default, each web browser session lasts 24 hours.
How to log in to Cryostat 2.1
This article assumes you have an instance of Cryostat running in an OpenShift 4.6+ cluster. You can check out Getting started with Cryostat 2.1 to learn how to install Cryostat.
Once you have an instance of Cryostat running, log in to the OpenShift web console, navigate to Installed Operators, and select Cryostat Operator. From there, select your desired Cryostat instance under the Cryostat tab. Click the Application URL link to access the login screen, where you can enter your username and password for your OpenShift user account.
For access to all of Cryostat's features, you may need to request RBAC permissions for your OpenShift user account. Users with limited permissions have access only to the Cryostat features for which they are authorized. For example, users with read-only permissions can view JDK flight recordings created by other users but cannot create or delete recordings. At the time of writing, the following user permissions are required to access all of the features in Cryostat:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- get
- apiGroups:
- ""
resources:
- replicationcontrollers
- endpoints
verbs:
- get
- apiGroups:
- operator.cryostat.io
resources:
- cryostats
verbs:
- create
- delete
- get
- apiGroups:
- operator.cryostat.io
resources:
- flightrecorders
- recordings
verbs:
- create
- delete
- get
- patch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- apiGroups:
- apps
resources:
- daemonsets
- replicasets
- statefulsets
verbs:
- get
Overview of Cryostat RBAC permissions
If more than one user is managing JDK flight recordings with Cryostat in a single namespace, and you want to give each user specific permissions for Cryostat features, create a role with your desired Cryostat-specific RBAC permissions and bind that role to the desired user account. In general, Cryostat uses get permissions for the apiGroups: "" and apiGroups: apps resources listed in the previous section, to discover any target applications within the namespace. The create, delete, get, and patch permissions for Cryostat's flightrecorders and recordings resources allow users to create, delete, retrieve, and save JDK flight recordings from their target applications.
Conclusion
This article explains how to log in to Cryostat 2.1 on OpenShift and outlines the required RBAC permissions for your user account. To learn more about defining RBAC permissions, visit the OpenShift Container Platform documentation. For more information about Cryostat, visit cryostat.io. For questions, comments, and feedback, feel free to connect with us on Github or join our mailing list.
Last updated: May 19, 2022