Mirantis Kubernetes Engine 3.4.0 Two-Factor Authentication

Ryan Zhang - April 16, 2021

Compatible with a host of password services and authenticators, two-factor authentication now enhances Mirantis Kubernetes Engine access security

Two-factor authentication (2FA) adds an extra layer of security when logging into Mirantis Kubernetes Engine (MKE). With 2FA, you still have to log in with your username and password, but you must also provide another factor of authentication that only you know or can access.

For MKE, the second form of authentication is a code generated by an application. After you enable 2FA, MKE generates an authentication code any time you attempt to sign into your MKE account. The only way you can sign into your account is if you can provide both your password and a correlated code, generated by a Time-Based One-Time-Password (TOTP) application.

As of MKE 3.4.0, 2FA only protects access to the administrative webUI. Enabling 2FA for other access methods, like CLI access via client bundle, and access to the REST API, may be supported in future releases.

Configuring MKE for 2FA with a TOTP Mobile Application

A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. At the time of this writing, you can consider TOTP applications such as 1Password, Authy, LastPass Authenticator, Google Authenticator, or Yubico Authenticator with a registered YubiKey for use with MKE.

To configure:

  1. Navigate to the Security page of your user Profile and click to enable two-factor authentication.
  2. Mirantis Kubernetes Engine 2FA presents a QR code that lets you easily register a mobile authentication app that provides time-based one-time passwords (TOTP).
  3. Scan the QR code using your mobile device’s application. After scanning, the application displays a six-digit code that you can enter into MKE.
  4. The TOTP mobile application saves your MKE account and generates a new authentication code every few seconds. On MKE, type the code and click Enable.
  5. Once you enable two-factor authentication, MKE generates a set of one-time use recovery codes, which can help you get back into your account if you lose access to your phone, password repository site, or keyfob. Save your recovery codes in a safe place.
  6. Mirantis Kubernetes Engine generates one-time codes enabling access if you lose your phone or other authenticator. Keep these in a safe place.

Accessing MKE using two-factor authentication

With two-factor authentication enabled, you will need to provide an authentication code when accessing MKE through your browser. If you have set up two-factor authentication using a TOTP application on your smartphone, you can generate an authentication code for MKE at any time. In most cases, just launching the application will generate a code automatically. The code generated may be valid for a short period of time, often 30 seconds, before it changes to a new one.

To sign in, just provide the code with your username and password.

Mirantis Kubernetes Engine 2FA login: just provide the code from your authenticator, along with your username and password.

In the rare case that your authentication fails several times, it may help to synchronize your smartphone’s clock with your mobile provider.
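Why clock drift breaks a TOTP login, as an added example that is not MKE's code: a minimal RFC 6238 generator and verifier. It assumes HMAC-SHA-1, six digits and a 30-second step (common authenticator defaults); MKE's actual parameters and accepted drift window are not stated in this post, and the `window` parameter is hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; the post says "often 30 seconds")
DIGITS = 6   # the post says the app displays a six-digit code

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA-1 over the time-step counter, then
    RFC 4226 dynamic truncation down to a short decimal code."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Return the step offset (-1, 0, +1, ...) at which the code matches,
    or None. `window` is how many steps of drift are tolerated per side."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):  # constant-time compare
            return drift
    return None

# Constructed sample: the RFC 6238 Appendix B test key
# (ASCII "12345678901234567890", base32-encoded). Never use it for real.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo():
    phone_time = 1111111109    # phone clock, last second of a step
    server_time = 1111111111   # server is 2 s ahead, already in the next step
    code = totp(SECRET, phone_time)
    return {
        "code": code,
        "strict": verify(SECRET, code, server_time, window=0),
        "tolerant": verify(SECRET, code, server_time, window=1),
    }

if __name__ == "__main__":
    print(demo())
```

Two seconds of skew is enough to fail a strict check when it straddles a step boundary; a verifier that tolerates one step either side accepts the same code, and larger drift fails either way until the clock is synchronized.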

Disabling 2FA

We strongly encourage using two-factor authentication to secure your account. If you need to disable 2FA, however, we recommend that you enable it again as soon as possible.

To disable, navigate to the Security page of your user Profile and click to disable.

If you Lose your Authenticator

If you lose access to your phone, you may not be able to authenticate to MKE. During two-factor authentication configuration, MKE provides a set of recovery codes. You can use each of these codes as a one-time use authentication code. If you have misplaced those codes, the only way to log into your MKE account is by asking the admin to disable two-factor authentication for you. You can then re-enable two-factor authentication with your new phone.

What’s Next for 2FA on MKE?

Given the importance of securing your Kubernetes clusters, future versions of MKE will include additional support for 2FA, including:

  • Mandatory enforcement of 2FA for an organization, letting you enforce 2FA for all members of an organization, and provide methods for checking and alerting employees who are not in compliance.
  • Configurable 2FA will let administrators set various configurations of 2FA to improve user experience and compliance.

Try 2FA on MKE

It’s easy to try two-factor authentication on Mirantis Kubernetes Engine. The one requirement is a Mirantis Kubernetes Engine cluster, which you can deploy free at small scales. Just follow the link to our download recipe, to deploy an MKE test cluster on almost any virtual infrastructure.
