How to log into Cryostat 2.1 on OpenShift: SSO for all

Cryostat, a tool for managing JDK Flight Recorder data on Kubernetes, is now integrated with the built-in OAuth server on Red Hat OpenShift as part of the tech preview release of Cryostat 2.1. When logging into Cryostat on OpenShift, you will be redirected to the OpenShift login page and prompted to enter the username and password corresponding to your OpenShift user account. Upon success, you can stay logged in during multiple sessions—for 24 hours by default.

What does Cryostat use OpenShift authentication for?

In order for Cryostat to monitor Java applications running in your containerized Java Virtual Machines (JVMs), Cryostat searches for target applications within the same namespace where Cryostat is deployed. This means that Cryostat needs permission from your OpenShift user account to discover Kubernetes objects such as pods and deployments. Whenever a user makes a request to start, stop, or save a JDK flight recording on a target application, Cryostat ensures that the user's requests come from the same namespace, and that the user has access to view and manage JDK flight recordings on each target application.

Changes to Cryostat authentication since Cryostat 2.0

Cryostat 2.0 required users to paste their authorization token from the OpenShift console into the Cryostat login page and re-enter their token upon refreshing a browser session. Cryostat 2.1 combines the OpenShift OAuth server with Cryostat's RBAC permissions to give users configurable permissions for each of their OpenShift user accounts. By default, each web browser session lasts 24 hours.

How to log in to Cryostat 2.1

This article assumes you have an instance of Cryostat running in an OpenShift 4.6+ cluster. You can check out Getting started with Cryostat 2.1 to learn how to install Cryostat.

Once you have an instance of Cryostat running, log in to the OpenShift web console, navigate to Installed Operators, and select Cryostat Operator. From there, select your desired Cryostat instance under the Cryostat tab. Click the Application URL link to access the login screen, where you can enter your username and password for your OpenShift user account.

For access to all of Cryostat's features, you may need to request RBAC permissions for your OpenShift user account. Users with limited permissions have access only to the Cryostat features for which they are authorized. For example, users with read-only permissions can view JDK flight recordings created by other users but cannot create or delete recordings. At the time of writing, the following user permissions are required to access all of the features in Cryostat:

- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - get
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - endpoints
  verbs:
  - get
- apiGroups:
  - operator.cryostat.io
  resources:
  - cryostats
  verbs:
  - create
  - delete
  - get
- apiGroups:
  - operator.cryostat.io
  resources:
  - flightrecorders
  - recordings
  verbs:
  - create
  - delete
  - get
  - patch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - get
- apiGroups:
  - apps
  resources:
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - get

Overview of Cryostat RBAC permissions

If more than one user is managing JDK flight recordings with Cryostat in a single namespace, and you want to give each user specific permissions for Cryostat features, create a role with your desired Cryostat-specific RBAC permissions and bind that role to the desired user account. In general, Cryostat uses get permissions for the apiGroups: "" and apiGroups: apps resources listed in the previous section, to discover any target applications within the namespace. The create, delete, get, and patch permissions for Cryostat's flightrecorders and recordings resources allow users to create, delete, retrieve, and save JDK flight recordings from their target applications.

Conclusion

This article explains how to log in to Cryostat 2.1 on OpenShift and outlines the required RBAC permissions for your user account. To learn more about defining RBAC permissions, visit the OpenShift Container Platform documentation. For more information about Cryostat, visit cryostat.io. For questions, comments, and feedback, feel free to connect with us on Github or join our mailing list.

Last updated: September 20, 2023

What’s up next?

The microservice architectural approach is more than just about technology: It reaches into the foundation of your organization to allow you to build truly scalable, adaptive, complex systems that help a business adapt to rapidly changing competitive markets. In Microservices for Java Developers, you'll get a hands-on introduction to frameworks and containers through a handful of familiar patterns.

Get the free e-book

How to log into Cryostat 2.1 on OpenShift: SSO for all

What does Cryostat use OpenShift authentication for?

Changes to Cryostat authentication since Cryostat 2.0

How to log in to Cryostat 2.1

Overview of Cryostat RBAC permissions

Conclusion

Every layer counts: Defense in depth for AI agents with Red Hat AI

Fun in the RUN instruction: Why container builds with distroless images can surprise you

Trusted software factory: Building trust in the agentic AI era

Build a zero trust AI pipeline with OpenShift and RHEL CVMs

Red Hat Hardened Images: Top 5 benefits for software developers

Platforms

Build

Quicklinks

Communicate

RED HAT DEVELOPER

Red Hat legal and privacy links

Red Hat legal and privacy links