Knative Backstage Security
Author: Ali Ok, Principal Software Engineer @ Red Hat
What's new?
In a previous blog post, we talked about how to integrate Knative with Backstage. In this blog post, we will talk about how to secure the communication between the Knative Event Mesh plugin and the backend.
Previously, the backend ran with a service account that had full access to the Kubernetes cluster. This was not secure, because anything that compromised the backend could reach any resource in the cluster. The backend also had no authentication mechanism, so anyone who could reach the backend could read Kubernetes resources through it; that access was read-only, but it was unauthenticated.
To solve these issues, we have done two things:
- The backend now uses a service account with limited permissions.
- The backend now requires a token on each request coming from the plugin, and passes that token along to the Kubernetes API server to authenticate.
How does it work?
Figure: Backstage Security
As with other Backstage plugins, we wanted the plugin administrator to configure the plugin by providing the necessary settings, such as the backend URL and the token. This is the same approach the Backstage Kubernetes plugin takes, where the user needs to provide the URL and the token.
The token is stored in Backstage configuration and is passed to the backend with each request. The backend uses this token to authenticate to the Kubernetes API server. The token is a service account token that has the necessary permissions to list the Knative Eventing resources in the cluster.
```yaml
...
catalog:
  providers:
    knativeEventMesh:
      dev:
        token: '${KNATIVE_EVENT_MESH_TOKEN}'
        baseUrl: "http://eventmesh-backend.knative-eventing.svc:8080"
        schedule: # optional; same options as in TaskScheduleDefinition
          # supports cron, ISO duration, "human duration" as used in code
          frequency: { minutes: 1 }
          # supports ISO duration, "human duration" as used in code
          timeout: { minutes: 1 }
```
The token is read from the KNATIVE_EVENT_MESH_TOKEN environment variable. Backstage supports environment variable substitution in its configuration files, so you can set the token as an environment variable before starting the Backstage instance. Backstage also offers other mechanisms for supplying secrets, including separate configuration files and file includes; see the Backstage documentation for details.
How to create the ServiceAccount, ClusterRole, ClusterRoleBinding, Secret and the token for that Secret is documented in the plugin's readme file.
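To make the least-privilege setup concrete, here is an added example manifest written for this post; it is not the manifest from the plugin's readme. The namespace (knative-eventing), the object names and the exact list of Knative resources are assumptions, so take the authoritative permissions from the readme. What it shows is the shape that matters: a dedicated ServiceAccount, a ClusterRole with read-only verbs only, a binding, and a long-lived token Secret tied to the ServiceAccount.

```yaml
# Added example (assumed names and namespace), not the plugin's own manifests.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eventmesh-backend
  namespace: knative-eventing
---
# Read-only verbs only: the plugin lists and watches; it never creates, updates or deletes.
# The resource list below is an assumption; the readme is authoritative.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eventmesh-backend-reader
rules:
  - apiGroups: ["eventing.knative.dev"]
    resources: ["brokers", "triggers", "eventtypes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["sources.knative.dev"]
    resources: ["pingsources", "apiserversources", "containersources", "sinkbindings"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eventmesh-backend-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: eventmesh-backend-reader
subjects:
  - kind: ServiceAccount
    name: eventmesh-backend
    namespace: knative-eventing
---
# A long-lived token Secret bound to the ServiceAccount. Kubernetes 1.24+ no longer
# creates these automatically; the token is written to .data.token, base64-encoded.
apiVersion: v1
kind: Secret
metadata:
  name: eventmesh-backend-token
  namespace: knative-eventing
  annotations:
    kubernetes.io/service-account.name: eventmesh-backend
type: kubernetes.io/service-account-token
```

After `kubectl apply -f` on this file, read the token with `kubectl -n knative-eventing get secret eventmesh-backend-token -o jsonpath='{.data.token}' | base64 -d` and export it as KNATIVE_EVENT_MESH_TOKEN for Backstage. Before handing the token out, verify that its scope is really what you intended with impersonation: `kubectl auth can-i list brokers.eventing.knative.dev --as=system:serviceaccount:knative-eventing:eventmesh-backend` should answer yes, while `kubectl auth can-i delete brokers.eventing.knative.dev --as=system:serviceaccount:knative-eventing:eventmesh-backend` and `kubectl auth can-i get secrets --as=system:serviceaccount:knative-eventing:eventmesh-backend` should both answer no. Treat the token as a credential: rotate it by deleting and recreating the Secret, and keep it out of app-config files that are committed to source control.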
Demo and quick start
If you would like to see the plugin in action, you can install the backend in your Kubernetes cluster and the plugin in your Backstage instance.
However, for a quicker look at the plugin, you can check out the demo video. The demo video is recorded with the quick start available in Ali Ok's demo repository.
Contributions welcome
We are looking for contributors to help us improve the plugin and the backend. If you are interested in contributing, please check out the README file of the plugins repository. How to start the backend, how to install the plugin, and how to modify the plugin are all documented there.
There are a few issues marked as good first issues, and we are looking for help with them. If you are interested in contributing, please check out the good first issues.
Contact
If you have any questions or feedback, please feel free to reach out to us. You can find us in the CNCF Slack in the #knative channel.