In order to enable the OIDC authenticator in kube-apiserver, we need TLS enabled between kubectl and kube-apiserver, as well as between kube-apiserver and the OpenID Provider (dex-worker here). For simplicity, we will use cfssl to create the bundles.
# Checkout and build dex

```sh
git clone [email protected]:coreos/dex.git
cd dex
./build
```
# Create certs

```sh
cd examples/tls-setup
make
mv certs dex-certs
```

Then edit `req-csr.json`, change the `CN` to `kube-apiserver`, and generate a second bundle for the apiserver (or run the cfssl commands manually to sign the kube-apiserver certs with the previously generated CA file):

```sh
make
mv certs apiserver-certs
```
# Start dex-worker

```sh
./bin/dex-worker \
  --tls-cert-file=examples/tls-setup/dex-certs/dex.pem \
  --tls-key-file=examples/tls-setup/dex-certs/dex-key.pem \
  --listen="https://127.0.0.1:5556" \
  --issuer="https://127.0.0.1:5556" \
  --clients=./static/fixtures/clients.json \
  --connectors=./static/fixtures/connectors.json.sample \
  --email-cfg=./static/fixtures/emailer.json.sample \
  --users=./static/fixtures/users.json.sample \
  --no-db
```
# Start k8s cluster

We will use `hack/local-up-cluster.sh` to launch the cluster, but we need to add the following flags to the kube-apiserver:

- `--secure-port=8001`: enables the TLS connection between kube-apiserver and kubectl.
- `--tls-cert-file=PATH_TO_APISERVER_CERT_FILE`: path to the TLS cert file.
- `--tls-private-key-file=PATH_TO_APISERVER_KEY_FILE`: path to the TLS key file.
- `--oidc-issuer-url=https://127.0.0.1:5556`: the OIDC issuer's address; it MUST use `https`.
- `--oidc-client-id=OIDC_CLIENT_ID`: the client ID shared between kube-apiserver and the example app below; kube-apiserver uses it to verify the token's audience (`aud`) claim.
- `--oidc-ca-file=PATH_TO_DEX_CA_FILE`: the trusted CA file for verifying the certs presented by the OIDC provider.
- `--oidc-username-claim="email"`: specifies which claim in the returned ID token is used as the user's name.
Then we can launch the cluster:

```sh
hack/local-up-cluster.sh
```
Set the cluster config in kubeconfig:

```sh
cluster/kubectl.sh config set-cluster local --server=https://127.0.0.1:8001 --certificate-authority=PATH_TO_CA_FILE
cluster/kubectl.sh config set-context local --cluster=local --user=cluster-tester
cluster/kubectl.sh config use-context local
```
Note that the `--user` in `set-context` can be different from `[email protected]`. The kube-apiserver will authenticate the request and take the real user name (`[email protected]`) from the returned ID token.
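To make concrete what the `--oidc-*` flags above configure and how the real user name is taken from the ID token, here is an added example (not code from this gist, dex or Kubernetes) of those checks in Go. The issuer URL, the client ID `XXX` and the claim name `email` are the values used in this write-up; the key pair, expiry and e-mail address are constructed test data. dex signs ID tokens with RS256; this example signs with Ed25519 only to keep it short, and the claim checks are the same either way.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// mintIDToken stands in for dex's token issuance and only produces constructed test input.
// dex signs with RS256; Ed25519 (JOSE "EdDSA") is used here purely to keep the code short.
func mintIDToken(key ed25519.PrivateKey, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input)))
}

// Username applies the checks the apiserver flags configure: signature under the issuer's
// key, iss == --oidc-issuer-url, aud == --oidc-client-id, exp > now (unix seconds), then
// returns the claim named by --oidc-username-claim. Any failure rejects the token.
func Username(token, issuer, clientID, claim string, pub ed25519.PublicKey, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	// The signed input is "header.payload"; nothing in the payload is trusted before this.
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("bad signature")
	}
	var claims map[string]interface{}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return "", errors.New("payload is not base64url-encoded JSON")
	}
	if claims["iss"] != issuer || claims["aud"] != clientID {
		return "", errors.New("issuer or audience mismatch") // minted by or for someone else
	}
	if exp, _ := claims["exp"].(float64); float64(now) >= exp {
		return "", errors.New("token expired")
	}
	if name, _ := claims[claim].(string); name != "" {
		return name, nil
	}
	return "", errors.New("username claim missing")
}
```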
# Get token

Next, we need to get a token so that the API server can authenticate us as `[email protected]`. We will use the example-app in dex to do this:
```sh
./bin/example-app \
  --trusted-ca-file=examples/tls-setup/dex-certs/ca.pem \
  --client-id="XXX" \
  --client-secret="secrete" \
  --redirect-url="http://127.0.0.1:5555/callback" \
  --discovery="https://127.0.0.1:5556" \
  --listen="http://127.0.0.1:5555"
```
Then go to http://127.0.0.1:5555 and log in with email `[email protected]` and password `bones`. You should get a token back. Next, save that token in the kubeconfig:

```sh
cluster/kubectl.sh config set-credentials cluster-tester --token=$TOKEN
```
# Ready to go!

Congratulations! You should now be authenticated and able to launch a pod:

```sh
cluster/kubectl.sh create -f examples/pod
cluster/kubectl.sh get pods
```
Note: If you run into `Error from server: error when creating "examples/pod": Pod "nginx" is forbidden: service account default/default was not found, retry after the service account is created`, just disable admission control for the apiserver, which is done by removing `--admission-control="${ADMISSION_CONTROL}"` in local-up-cluster.sh.

# TODO: Add simple examples that use authorization as well. Disable the apiserver's plain HTTP connection.