A Device is the Cluster's representation of a User's machine. A Device can optionally be registered/enrolled, or re-registered, by a logged-in User via the command `octelium auth device register` (or simply `octelium auth dev`). However, it is up to access control to allow or deny a User based on their Device information (read more about Device-based access control here). A Device belongs to the one User that registered it, and one or more of that User's Sessions can belong to the same Device.
Default State
By default, every Device must be manually approved by the Cluster administrators via the `octeliumctl update` command (see below). In other words, any Session with a Device cannot interact with the Cluster APIs or access any of its Services until that Device is approved. You can, however, enable Device auto-approval either for a specific User (read more here) or globally, even though this is strongly discouraged, in the ClusterConfig as follows:
```yaml
kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  device:
    human:
      defaultState: PENDING
    workload:
      defaultState: ACTIVE
```
Per User Limit
You can also set an upper limit of maximum Devices allowed per User as follows:
```yaml
kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  device:
    human:
      maxPerUser: 20
    workload:
      maxPerUser: 100
```
And as always, you apply the updated ClusterConfig via the command `octeliumctl apply` (read more here).
Approving Devices
You can approve a Device simply as follows:
```shell
octeliumctl update device --approve <DEVICE_NAME>
```
Rejecting Devices
You can reject a Device simply as follows:
```shell
octeliumctl update device --reject <DEVICE_NAME>
```
Rejected Devices are still managed by the Cluster but their Users are not authorized to access the Cluster APIs or Services until they are approved again.
Access Control
You can control access to Services in your Policies based on the Device information. Here is an example where you only allow `LINUX` or `MAC` Devices:
```yaml
kind: Policy
metadata:
  name: allowed-devices
spec:
  rules:
    - effect: ALLOW
      condition:
        match: ctx.device.status.osType in ["LINUX", "MAC"]
```
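To make the interplay between the Default State, the Per User Limit and the `osType` Policy rule concrete, here is an added illustrative model of the checks this page describes. It is not Octelium's own code; the ClusterConfig values and the allowed OS types are copied from the examples above, while the `Device`/`Cluster` classes and the `REJECTED` state name are assumptions for the model.

```python
# Illustrative model (not Octelium's code) of the Device checks described on this page:
# the Device state gates all access, maxPerUser applies at registration, and only
# then does the allowed-devices Policy rule on ctx.device.status.osType apply.
from dataclasses import dataclass, field

# Values taken from the ClusterConfig examples on this page.
CLUSTER_CONFIG = {
    "human": {"defaultState": "PENDING", "maxPerUser": 20},
    "workload": {"defaultState": "ACTIVE", "maxPerUser": 100},
}
ALLOWED_OS_TYPES = ["LINUX", "MAC"]  # the allowed-devices Policy rule


@dataclass
class Device:
    name: str
    user: str
    kind: str         # "human" or "workload"
    os_type: str      # what ctx.device.status.osType would carry
    state: str = ""   # set from the kind's defaultState on registration


@dataclass
class Cluster:
    devices: dict = field(default_factory=dict)

    def register(self, dev: Device) -> Device:
        """Enforces maxPerUser for the User, then assigns the kind's defaultState."""
        cfg = CLUSTER_CONFIG[dev.kind]
        owned = [d for d in self.devices.values()
                 if d.user == dev.user and d.kind == dev.kind]
        if len(owned) >= cfg["maxPerUser"]:
            raise ValueError(f"{dev.user} already has {cfg['maxPerUser']} {dev.kind} Devices")
        dev.state = cfg["defaultState"]
        self.devices[dev.name] = dev
        return dev

    def approve(self, name: str) -> None:  # models: octeliumctl update device --approve
        self.devices[name].state = "ACTIVE"

    def reject(self, name: str) -> None:   # models: octeliumctl update device --reject
        self.devices[name].state = "REJECTED"   # assumed state name

    def allows(self, name: str) -> bool:
        """A Device that is not ACTIVE is denied before any Policy is consulted;
        an ACTIVE Device is then subject to the osType rule."""
        dev = self.devices[name]
        if dev.state != "ACTIVE":
            return False
        return dev.os_type in ALLOWED_OS_TYPES
```

Note that approving a Device does not by itself grant access: a Device that is ACTIVE but fails the Policy condition is still denied.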