Create an integration to manage access to a Rancher instance
Rancher is a Kubernetes management platform that simplifies the deployment and management of clusters across any environment, enhancing flexibility, scalability, and resource efficiency.
For organizations requiring a more robust solution, SUSE Rancher Prime offers a hardened and fully-supported enterprise-grade experience.
By integrating with this ecosystem, Apono helps you discover your Kubernetes resources and securely manage access directly through your Rancher instance.
Prerequisite
Item
Description
Create a dedicated Apono user
Follow these steps to create a dedicated user for Apono:
In Rancher, with a user-friendly name, such as apono-provisionser-user-role.
You must create a global role (Create Global Role) that grants the following resource:
Verbs: list
Resource:
Locate the new role.
Click ☰ > Edit YAML.
Above the metadata property, add the cluster-owner role.
Assigning the cluster-owner role via inheritedClusterRoles does not provide access to the local cluster (the Rancher control plane cluster). This role inheritance applies only to downstream user clusters and excludes Rancher’s internal management plane.
Click Save.
with a user-friendly name, such as apono-provisioner-user.
Assign the new dedicated user (apono-provisioner-user) to the new local user.
You can now .
Integrate Rancher
You can also use the steps below to integrate with Apono using Terraform. In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the tab, click Rancher. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (, , , ).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
💡Are you integrating with Apono using Terraform?
If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:
At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Now that you have completed this integration, you can that grant permission to your Rancher instance.
users
API Groups: management.cattle.io
Logged in as the new dedicated user (apono-provisioner-user), create an API key and copy the Access Key and Secret Key.
Create a secret for the dedicated user to use during the Apono integration setup.
Use the values from step 7 to generate the secret.
Hostname of the Rancher server
Port
Rancher port value
Certificate Authority (optional)
(Optional) Ensures that the Kubernetes API server you are communicating with is trusted and authentic
Leave this field blank to connect the cluster where the Apono connector is deployed.
Rancher UI URL (optional)
(Optional) URL of your Rancher UI
This URL must be reachable from all the hosts that you add.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the .
User cleanup afteraccess is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about .
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.
To view the message as it appears to end users, click Preview.
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated.
Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Create an integration to manage access to Grafana resources
Grafana is an open-source observability platform that enables teams to monitor infrastructure, applications, and business metrics through interactive dashboards and alerts.
With this integration, Apono helps you to manage access to Grafana's data sources based on access flow configurations.
Prerequisites
Item
Description
Integrate Grafana
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the tab, click Grafana. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (, , , ).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
If you select the Apono secret manager, enter your Grafana API Key.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description
💡Are you integrating with Apono using Terraform?
If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:
At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Now that you have completed this integration, you can that grant permission to your Grafana resources.
(Optional) Fallback approver if no is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several :
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated.
Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
Be sure to copy the key after it has been generated.
Create your secret based on your Grafana API key:
"api_key": <GRAFANA_API_KEY>
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.
To view the message as it appears to end users, click Preview.
Create an integration to manage access to GitHub repositories and roles
GitHub is a code hosting and collaboration platform that enables developers to manage project versions, track changes, and collaborate on software development.
Through this integration, Apono helps you securely manage access to your GitHub repositories, organizational, team and owner roles.
Prerequisites
Item
Description
Integrate Github
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the tab, click GitHub. The Connect Integration page appears.
Under Discovery, select one or multiple resource types.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (, , , ).
Click Next. The Integration Config page appears.
Define the Integration Config settings.
Setting
Description
💡Are you integrating with Apono using Terraform?
If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:
At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Now that you have completed this integration, you can that grant permission to your GitHub instance.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated
Learn more about the .
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about .
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.
To view the message as it appears to end users, click Preview.
GitHub authentication token
Under Select scopes, click the checkboxes next to the following parent scopes. By selecting each parent scope, all the children scopes will also be selected:
repo
admin:org
user
Apono Secret
Value generated in one of the following environments
Create a secret for the GitHub instance. For the key, use token. For the value, use the generated GitHub token.
"token": "<GITHUB_ACCESS_TOKEN>"
Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximalsecurity.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated.
Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Create an integration to manage access to ArgoCD resources
ArgoCD is a Kubernetes-native continuous delivery (CD) tool that implements GitOps practices by using Git repositories as the single source of truth for application state.
Through this integration, Apono helps you discover ArgoCD roles and resources and securely manage just-in-time (JIT) access to them.
Prerequisites
Item
Description
Set up Apono in ArgoCD
The steps to set up Apono in ArgoCD depend on where the Apono Connector is running and what permissions it has. The connector’s location determines whether you need to create a new service account, bind roles, or provide a token secret.
Use the tabs below to follow the instructions that match your environment:
Same cluster (cluster-admin): The connector already has full permissions.
Same cluster (limited permissions): Grant the connector’s existing service account the minimal Role/RoleBinding it needs.
Different cluster: Create a dedicated service account in the ArgoCD cluster and provide its token to Apono.
Follow these steps to set up Apono access in ArgoCD:
Open the argocd-cm ConfigMap in your default editor.
Add email to both the OIDC scopes: requestedScopes and groupsClaim
You can now Integrate ArgoCD.
Integrate ArgoCD
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the tab, click ArgoCD. The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (, , , ).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting
Description
This step is not necessary when the Apono connector is in the same cluster as ArgoCD.
If you select the Apono secret manager, enter the following value:
Kubernetes Service Account Token: Enter the service account token value from step 7 of the on the Different cluster tab.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting
Description
💡Are you integrating with Apono using Terraform?
If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:
At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Now that you have completed this integration, you can that grant permission to your ArgoCD resources.
.
This allows ArgoCD to map users by email, in addition to groups.
The following example is an edited ConfigMap.
Define your ArgoCD roles.
Add any global roles in the argocd-rbac-cm configmap's policy.csv for cluster-wide access. Add any project roles in the spec.roles of specific AppProject custom resource definitions (CRDs).
Apono will sync ArgoCD roles (both project and global) from the argocd-rbac-cm ConfigMap. Apono policies can then be applied to grant or revoke Just-In-Time (JIT) access to ArgoCD resources.
Restart the ArgoCD API server for the changes to take effect.
Follow these steps to set up Apono access in ArgoCD:
Copy and save the following snippet as apono-argocd-sa.yaml.
This manifest does two things:
Grants the service account a role with permission to update the argocd-rbac-cm ConfigMap (global roles) and AppProject custom resource definitions (project roles).
Binds that role to the service account so Apono can discover and manage ArgoCD roles.
apono-argocd-sa.yaml
At the shell prompt, apply the file to your ArgoCD cluster.
Open the argocd-cm ConfigMap in your default editor.
Add email to both the OIDC scopes: requestedScopes and groupsClaim.
This allows ArgoCD to map users by email, in addition to groups.
The following example is an edited ConfigMap.
Define your ArgoCD roles.
Add any global roles in the argocd-rbac-cm configmap's for cluster-wide access. Add any in the spec.roles of specific AppProject custom resource definitions (CRDs).
Apono will sync ArgoCD roles (both project and global) from the argocd-rbac-cm ConfigMap. Apono policies can then be applied to grant or revoke Just-In-Time (JIT) access to ArgoCD resources.
Restart the ArgoCD API server for the changes to take effect.
Follow these steps to set up Apono access in ArgoCD:
Copy and save the following snippet as apono-argocd-sa.yaml.
This manifest does three things:
Creates the apono-argocd-sa service account in the argocd namespace.
Grants the service account a role with permission to update the argocd-rbac-cm ConfigMap (global roles) and AppProject custom resource definitions (project roles).
Binds that role to the service account so Apono can discover and manage ArgoCD roles.
apono-argocd-sa.yaml
At the shell prompt, apply the file to your ArgoCD cluster.
Open the argocd-cm ConfigMap in your default editor.
Add email to both the OIDC scopes: requestedScopes and groupsClaim.
This allows ArgoCD to map users by email, in addition to groups.
The following example is an edited ConfigMap.
Define your ArgoCD roles.
Add any global roles in the argocd-rbac-cm configmap's for cluster-wide access. Add any in the spec.roles of specific AppProject custom resource definitions (CRDs).
Apono will sync ArgoCD roles (both project and global) from the argocd-rbac-cm ConfigMap. Apono policies can then be applied to grant or revoke Just-In-Time (JIT) access to ArgoCD resources.
Restart the ArgoCD API server for the changes to take effect.
Generate the service account token.
Make sure you are using a Kubernetes version ≥1.24.
On earlier versions, you may need to retrieve the token from the service account’s Secret.
with the token from step 7. Use the following key-value pair structure when generating the secret. Be sure to replace #K8_SERVICE_TOKEN with the actual value.
You can also input the token directly into the Apono UI during the integration process.
Public URL of your ArgoCD instance
Example: https://argocd.my-domain.com
ArgoCD Namespace
Kubernetes namespace where ArgoCD is installed
Default: argocd
Kubernetes Server URL
(Optional) API server endpoint of the Kubernetes cluster hosting ArgoCD
Provide the URL only when connecting to an external Kubernetes API server.
Leave this field blank when Apono’s connector is running in the same cluster.
Kubernetes Certificate Authority
(Optional) Certificate Authority (CA) bundle used to validate the Kubernetes API server certificate
Provide the CA file if connecting to an external cluster with a custom CA.
Leave this field blank when Apono's connector is running in the same cluster.
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about .
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.
To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several :
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated.
Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
# Example in argocd-rbac-cm
policy.csv: |
p, role:readonly, applications, get, */*, allow
p, role:deployer, applications, sync, */*, allow
# Example in an AppProject CRD
roles:
- name: deployer
description: Can sync apps in this project
policies:
- p, proj:team-a:deployer, applications, sync, team-a/*, allow
# Example in argocd-rbac-cm
policy.csv: |
p, role:readonly, applications, get, */*, allow
p, role:deployer, applications, sync, */*, allow
# Example in an AppProject CRD
roles:
- name: deployer
description: Can sync apps in this project
policies:
- p, proj:team-a:deployer, applications, sync, team-a/*, allow
# Example in argocd-rbac-cm
policy.csv: |
p, role:readonly, applications, get, */*, allow
p, role:deployer, applications, sync, */*, allow
# Example in an AppProject CRD
roles:
- name: deployer
description: Can sync apps in this project
policies:
- p, proj:team-a:deployer, applications, sync, team-a/*, allow
