Mirantis Kubernetes Engine 3.4.0 Two-Factor Authentication
Compatible with a host of password services and authenticators, two-factor authentication now enhances Mirantis Kubernetes Engine access security
Two-factor authentication (2FA) adds an extra layer of security when logging into Mirantis Kubernetes Engine (MKE). With 2FA, you still have to log in with your username and password, but you must also provide another factor of authentication that only you know or can access.
For MKE, the second form of authentication is a code generated by an application. After you enable 2FA, MKE generates an authentication code any time you attempt to sign into your MKE account. The only way you can sign into your account is if you can provide both your password and a correlated code, generated by a Time-Based One-Time-Password (TOTP) application.
As of MKE 3.4.0, 2FA protects only access to the administrative web UI. Enabling 2FA for other access methods, such as CLI access via client bundle and access to the REST API, may be supported in future releases.
Configuring MKE for 2FA with a TOTP Mobile Application
A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. At the time of this writing, you can consider TOTP applications such as 1Password, Authy, LastPass Authenticator, Google Authenticator, or Yubico Authenticator with a registered YubiKey for use with MKE.
- Navigate to the Security page of your user Profile and click to enable two-factor authentication.
- Scan the QR code using your mobile device's application. After scanning, the application displays a six-digit code that you can enter into MKE.
- The TOTP mobile application saves your MKE account and generates a new authentication code every few seconds. On MKE, type the code and click Enable.
- Once you enable two-factor authentication, MKE generates a set of one-time use recovery codes, which can help you get back into your account if you lose access to your phone, password repository site, or keyfob. Save your recovery codes in a safe place.
Mirantis Kubernetes Engine 2FA presents a QR code that lets you easily register a mobile authentication app that provides time-based one-time passwords (TOTP).
Mirantis Kubernetes Engine generates one-time codes enabling access if you lose your phone or other authenticator. Keep these in a safe place.
Accessing MKE using two-factor authentication
With two-factor authentication enabled, you will need to provide an authentication code when accessing MKE through your browser. If you have set up two-factor authentication using a TOTP application on your smartphone, you can generate an authentication code for MKE at any time. In most cases, just launching the application will generate a code automatically. The code generated may be valid for a short period of time, often 30 seconds, before it changes to a new one.
To sign in, just provide the code with your username and password.
Mirantis Kubernetes Engine 2FA login: just provide the code from your authenticator, along with your username and password.
In the rare case that your authentication fails several times, it may help to synchronize your smartphone's clock with your mobile provider.
We strongly encourage using two-factor authentication to secure your account. If you need to disable 2FA, however, we recommend that you enable it again as soon as possible.
To disable, navigate to the Security page of your user Profile and click to disable.
If You Lose Your Authenticator
If you lose access to your phone, you may not be able to authenticate to MKE. During two-factor authentication configuration, MKE provides a set of recovery codes. You can use each of these codes as a one-time use authentication code. If you have misplaced those codes, the only way to log into your MKE account is by asking the admin to disable two-factor authentication for you. You can then re-enable two-factor authentication with your new phone.
What's Next for 2FA on MKE?
Given the importance of securing your Kubernetes clusters, future versions of MKE will include additional support for 2FA, including:
- Mandatory enforcement of 2FA for an organization, letting you enforce 2FA for all members of an organization, and provide methods for checking and alerting employees who are not in compliance.
- Configurable 2FA will let administrators set various configurations of 2FA to improve user experience and compliance.
Try 2FA on MKE
It's easy to try two-factor authentication on Mirantis Kubernetes Engine. The one requirement is a Mirantis Kubernetes Engine cluster, which you can deploy free at small scales. Just follow the link to our download recipe to deploy an MKE test cluster on almost any virtual infrastructure.