1 - Machine Registration
Machine registration is built on top of the extremely fast WireGuard® technology built into Linux. A technology dubbed SideroLink builds upon WireGuard to provide a fully automated way of setting up and maintaining a WireGuard tunnel between Omni and each registered machine. Once the secure tunnel is established with a machine, it is possible to manage that machine from nearly anywhere in the world.
The SideroLink network is an overlay network used within the data and management planes of Omni. The sole requirements are that your machine has egress to port 443 and to the WireGuard port assigned to your account.
Warning
There are some NAT configurations that are not compatible with WireGuard.
2 - Omni KMS Disk Encryption
Starting from 1.5.0, Talos supports KMS (Key Management Server) disk encryption key types.
KMS keys are randomly generated on the Talos node and then sealed using the KMS server.
A sealed key is stored in the luks2 metadata.
To decrypt a disk, the Talos node needs to communicate with the KMS server and decrypt the sealed key.
The KMS server endpoint is defined in the key configuration.
If the Cluster resource has diskencryption enabled, Omni creates a config patch for each cluster machine and sets the key's KMS endpoint to the Omni gRPC API.
Each disk encryption key is sealed using an AES256 key managed by Omni:
- Omni generates a random AES256 key for a machine when it is allocated.
- When the machine is wiped the encryption key is deleted.
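The lifecycle above (per-machine AES-256 key held by Omni, node-generated disk key sealed by that key, sealed blob kept in luks2 metadata, key deleted on wipe) as an added, self-contained Go model. This is example code written for this page, not Omni's or Talos's implementation: the KMS type, the machine ID, the use of AES-256-GCM with the machine ID as additional data, and the blob layout (nonce || ciphertext || tag) are all assumptions of the model. It shows the normal unseal, rejection of an altered blob, and that a blob can no longer be unsealed once the machine's KMS key is deleted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNoKey is returned when the KMS holds no key for the machine, e.g. after a wipe.
var ErrNoKey = errors.New("kms: no key registered for machine")

// KMS is a constructed stand-in for the Omni side: one AES-256 key per allocated machine.
type KMS struct {
	keys map[string][]byte // machine ID -> 32-byte key
}

func NewKMS() *KMS { return &KMS{keys: map[string][]byte{}} }

// Allocate generates the machine's random AES-256 key when the machine is allocated.
func (k *KMS) Allocate(machine string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[machine] = key
	return nil
}

// Wipe deletes the machine's key; every blob sealed under it becomes unrecoverable.
func (k *KMS) Wipe(machine string) { delete(k.keys, machine) }

// aead builds AES-256-GCM for the machine's key (GCM is an assumption of this model).
func (k *KMS) aead(machine string) (cipher.AEAD, error) {
	key, ok := k.keys[machine]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the node-generated disk key. The result (nonce || ciphertext || tag)
// stands in for what a node keeps in its luks2 metadata instead of the plaintext key.
func (k *KMS) Seal(machine string, diskKey []byte) ([]byte, error) {
	aead, err := k.aead(machine)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Binding the machine ID as additional data ties the blob to this machine.
	return aead.Seal(nonce, nonce, diskKey, []byte(machine)), nil
}

// Unseal recovers the disk key; it fails if the KMS key is gone or the blob was altered.
func (k *KMS) Unseal(machine string, blob []byte) ([]byte, error) {
	aead, err := k.aead(machine)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("kms: sealed blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(machine))
}

// NewDiskKey models the random key the node generates locally before sealing it.
func NewDiskKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Lifecycle walks one constructed machine through allocate, seal, unseal, tamper and wipe.
func Lifecycle() (unsealOK, tamperRejected, wipeRejected bool, err error) {
	const machine = "constructed-machine-id"
	kms := NewKMS()
	if err = kms.Allocate(machine); err != nil {
		return
	}
	diskKey, e := NewDiskKey()
	if e != nil {
		return false, false, false, e
	}
	blob, e := kms.Seal(machine, diskKey)
	if e != nil {
		return false, false, false, e
	}
	// Normal boot: the node hands the blob to the KMS and gets the disk key back.
	got, e := kms.Unseal(machine, blob)
	unsealOK = e == nil && bytes.Equal(got, diskKey)
	// Altered metadata: flipping one bit must fail GCM authentication.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, e = kms.Unseal(machine, tampered)
	tamperRejected = e != nil
	// After a wipe the KMS key is deleted, so the same blob can no longer be unsealed.
	kms.Wipe(machine)
	_, e = kms.Unseal(machine, blob)
	wipeRejected = errors.Is(e, ErrNoKey)
	return
}

func main() {
	ok, tamper, wipe, err := Lifecycle()
	fmt.Println("unseal:", ok, "tamper rejected:", tamper, "wipe rejected:", wipe, "err:", err)
}
```

The model also makes the dependency the section describes concrete: the node never holds the unsealing key, so an unreachable KMS at boot leaves the disk locked exactly as a wiped key does.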
Note
KMS encryption makes the cluster more sensitive to Omni downtime. If a node is restarted, it has to be able to reach Omni to unseal the disk encryption key.
3 - Authentication and Authorization
Auth0
GitHub
In order to login with GitHub you must use your primary verified email.
SAML
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). Omni plays the role of service provider.
To enable SAML on your account, please submit a ticket in Zendesk or reach out to us in the #omni channel in Slack.
SAML alters Omni user management:
- Users are automatically created on the first login into Omni:
  - the first user gets the Admin role;
  - any subsequently created user gets the None role. Admin can change other users' roles.
- Creating or deleting a user is not possible.
- Omni gets user attributes from the SAML assertion and adds them as labels to the Identity resource with the saml.omni.sidero.dev/ prefix.
- ACL can be used to adjust fine-grained permissions instead of changing the user roles.
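The SAML user-management rules above as an added Go model written for this page; it is not Omni's code. The Directory and Identity types, the Login and SetRole functions, the e-mail addresses and the attribute names are constructed for the example. It shows the two behaviours worth checking in a deployment: the first identity to log in becomes Admin and every later one gets None, and only an Admin can change a role afterwards. Attributes from the assertion become labels under the saml.omni.sidero.dev/ prefix, as the page states.

```go
package main

import (
	"fmt"
	"sort"
)

// Role values as the page describes them: Admin for the first user, None afterwards.
type Role string

const (
	RoleAdmin Role = "Admin"
	RoleNone  Role = "None"
)

// LabelPrefix is the prefix Omni puts on labels derived from SAML attributes.
const LabelPrefix = "saml.omni.sidero.dev/"

// Identity is a constructed stand-in for Omni's Identity resource.
type Identity struct {
	Email  string
	Role   Role
	Labels map[string]string
}

// Directory models the SAML-managed user set: users appear only through a first login,
// and nothing here creates or deletes them directly.
type Directory struct {
	users map[string]*Identity
}

func NewDirectory() *Directory { return &Directory{users: map[string]*Identity{}} }

// Login provisions a user on first login and returns the identity; the bool is true
// when the identity was created by this call.
func (d *Directory) Login(email string, attrs map[string]string) (*Identity, bool) {
	if id, ok := d.users[email]; ok {
		// Existing user: refresh attribute labels; the role stays whatever an Admin set.
		id.Labels = labelsFor(attrs)
		return id, false
	}
	role := RoleNone
	if len(d.users) == 0 {
		role = RoleAdmin // the first user to log in becomes Admin
	}
	id := &Identity{Email: email, Role: role, Labels: labelsFor(attrs)}
	d.users[email] = id
	return id, true
}

// SetRole is the only path for changing a role, and only an Admin may use it.
func (d *Directory) SetRole(actor, target string, role Role) error {
	a, ok := d.users[actor]
	if !ok || a.Role != RoleAdmin {
		return fmt.Errorf("%q is not an Admin", actor)
	}
	t, ok := d.users[target]
	if !ok {
		return fmt.Errorf("unknown user %q", target)
	}
	t.Role = role
	return nil
}

// labelsFor maps SAML assertion attributes to prefixed Identity labels.
func labelsFor(attrs map[string]string) map[string]string {
	out := make(map[string]string, len(attrs))
	for k, v := range attrs {
		out[LabelPrefix+k] = v
	}
	return out
}

// Emails returns the known users in a stable order, for display.
func (d *Directory) Emails() []string {
	out := make([]string, 0, len(d.users))
	for e := range d.users {
		out = append(out, e)
	}
	sort.Strings(out)
	return out
}

func main() {
	d := NewDirectory()
	d.Login("alice@example.com", map[string]string{"groups": "ops"}) // constructed first login
	d.Login("bob@example.com", map[string]string{"groups": "dev"})   // constructed second login
	for _, e := range d.Emails() {
		fmt.Println(e, d.users[e].Role, d.users[e].Labels)
	}
}
```

Because Admin is granted by login order rather than by an attribute in the assertion, the check a practitioner wants after enabling SAML is that the intended administrator logged in first, before anyone else was able to.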