Cryostat, a tool for managing JDK Flight Recorder data on Kubernetes, is now integrated with the built-in OAuth server on Red Hat OpenShift as part of the tech preview release of Cryostat 2.1. When logging into Cryostat on OpenShift, you will be redirected to the OpenShift login page and prompted to enter the username and password corresponding to your OpenShift user account. Upon success, you can stay logged in during multiple sessions—for 24 hours by default.
What does Cryostat use OpenShift authentication for?
In order for Cryostat to monitor Java applications running in your containerized Java Virtual Machines (JVMs), Cryostat searches for target applications within the same namespace where Cryostat is deployed. This means that Cryostat needs permission from your OpenShift user account to discover Kubernetes objects such as pods and deployments. Whenever a user makes a request to start, stop, or save a JDK flight recording on a target application, Cryostat ensures that the user's requests come from the same namespace, and that the user has access to view and manage JDK flight recordings on each target application.
Changes to Cryostat authentication since Cryostat 2.0
Cryostat 2.0 required users to paste their authorization token from the OpenShift console into the Cryostat login page and re-enter their token upon refreshing a browser session. Cryostat 2.1 combines the OpenShift OAuth server with Cryostat's RBAC permissions to give users configurable permissions for each of their OpenShift user accounts. By default, each web browser session lasts 24 hours.
How to log in to Cryostat 2.1
This article assumes you have an instance of Cryostat running in an OpenShift 4.6+ cluster. You can check out the Cryostat Get Started guide to learn how to install Cryostat.
Once you have an instance of Cryostat running, log in to the OpenShift web console, navigate to Installed Operators, and select Cryostat Operator. From there, select your desired Cryostat instance under the Cryostat tab. Click the Application URL link to access the login screen, where you can enter your username and password for your OpenShift user account.
For access to all of Cryostat's features, you may need to request RBAC permissions for your OpenShift user account. Users with limited permissions have access only to the Cryostat features for which they are authorized. For example, users with read-only permissions can view JDK flight recordings created by other users but cannot create or delete recordings. At the time of writing, the following user permissions are required to access all of the features in Cryostat:
- apiGroups: - "" resources: - pods verbs: - create - get - apiGroups: - "" resources: - replicationcontrollers - endpoints verbs: - get - apiGroups: - operator.cryostat.io resources: - cryostats verbs: - create - delete - get - apiGroups: - operator.cryostat.io resources: - flightrecorders - recordings verbs: - create - delete - get - patch - apiGroups: - apps resources: - deployments verbs: - create - get - apiGroups: - apps resources: - daemonsets - replicasets - statefulsets verbs: - get
Overview of Cryostat RBAC permissions
If more than one user is managing JDK flight recordings with Cryostat in a single namespace, and you want to give each user specific permissions for Cryostat features, create a role with your desired Cryostat-specific RBAC permissions and bind that role to the desired user account. In general, Cryostat uses
get permissions for the
apiGroups: "" and
apiGroups: apps resources listed in the previous section, to discover any target applications within the namespace. The
patch permissions for Cryostat's
recordings resources allow users to create, delete, retrieve, and save JDK flight recordings from their target applications.
This article explains how to log in to Cryostat 2.1 on OpenShift and outlines the required RBAC permissions for your user account. To learn more about defining RBAC permissions, visit the OpenShift Container Platform documentation. For more information about Cryostat, visit cryostat.io. For questions, comments, and feedback, feel free to connect with us on Github or join our mailing list.