Advanced Security Features (CLOUD)

Methods to protect your Anka Build Cloud Controller & Registry.

Overview

  • These features are currently only available for our Enterprise tier customers.

  • You must have at least one node with an Enterprise or higher license joined to the Controller for these features to be enabled.

We highly recommend that HTTPS/TLS is enabled before using any of these features.

Authentication

We provide several Authentication methods for the Anka Build Cloud. They are split into Human and Programmatic Access.

  • Authentication features are enabled by adding ANKA_ENABLE_AUTH to your Controller and/or Registry configuration and setting it to true.

  • Each of these methods requires that Root Token Authentication be enabled first.

Human Access

These methods are available to a human through a browser and the Controller UI.

Programmatic Access

These methods are available for users and scripts that need to use the Controller API, Registry API, or are using the Anka CLI through ankacluster join --api-* and anka registry --api-* options.

Authorization

By default, Authentication methods (enabled with ANKA_ENABLE_AUTH) do not use Authorization/permissions: any credential is allowed to connect to all API endpoints and pages in the UI. To enable Authorization, include the appropriate ENVs in your config:

  • ANKA_ENABLE_CONTROLLER_AUTHORIZATION works for both combined and standalone (docker) packages.
  • ANKA_ENABLE_AUTHORIZATION is only for the standalone (native or docker) registry packages.
  • ANKA_ENABLE_REGISTRY_AUTHORIZATION is for the combined (controller + registry in one binary) package only.

This feature requires Enterprise Plus. The regular Enterprise license automatically adds all permissions to each certificate or token that is used and gives no control over them.

This also requires that you’ve enabled Root Token Authentication, giving you superuser access to the Controller UI and permissions.

Do not confuse Node Groups with Permission Groups.

Permission Groups

Permission groups are configurable from your Controller’s https://<controller address>/#/permission-groups page. You can target and add permissions for either the group name or the username (which differs between the various Advanced Security Features we offer).


HTTPS/TLS

How to protect your Controller UI, API, and Registry API with HTTPS/TLS.

Root Token Authentication

How to protect your Controller UI, API, and Registry API with a Root Token.

UAK / TAP Authentication

How to protect your Controller UI, API, and Registry API with a Root Token and/or User API keys.

MTLS / Certificate Authentication

How to protect your Controller UI, API, and Registry API with Certificates.

Configuring OpenID Connect (OIDC) / SSO based authentication

How to set up OIDC / SSO for the Anka Build Cloud Controller UI.