From 24465dc7daefb8378d5203f553d7395ca51d1d8f Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 21 Apr 2023 19:41:43 -0500
Subject: [PATCH] authelia: Set up OIDC for k8s API server

Enabling OpenID Connect authentication for the Kubernetes API server will allow clients, particularly `kubectl` to log in without needing TLS certificates and private keys.
---
 authelia/README.md | 45 ++++++++++++++++++++++++++++++++
 authelia/configuration.yml | 7 +++++
 authelia/kustomization.yaml | 1 +
 authelia/oidc-cluster-admin.yaml | 12 +++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 authelia/oidc-cluster-admin.yaml

diff --git a/authelia/README.md b/authelia/README.md
index f9e9de3..a30021d 100644
--- a/authelia/README.md
+++ b/authelia/README.md
@@ -69,6 +69,51 @@ Note that the value of the `auth-url` contains the *internal* URL for Authelia,
 while the `auth-signin` value is the *external* URL.
+## OpenID Connect for Kubernetes API
+
+The Kubernetes API server can be configured to authorize client requests using
+[OpenID Connect][3]. The relevant settings are provided as command-line
+arguments to the server process. For clusters managed by `kubeadm`, the
+arguments can be added to the `ClusterConfiguration` setting in the
+`kubeadm-config` ConfigMap:
+
+```yaml
+ClusterConfiguration: |
+ apiServer:
+ extraArgs:
+ oidc-client-id: kubernetes
+ oidc-groups-claim: '["groups"]'
+ oidc-groups-prefix: 'oidc:'
+ oidc-issuer-url: https://auth.pyrocufflink.blue
+ oidc-username-claim: preferred_username
+ oidc-username-prefix: 'oidc:'
+```
+
+Clients need to be specifically configured to use OIDC. For `kubectl`, the
+[kubelogin][4] plugin provides the necessary functionality. With the
+`kubelogin` binary installed, and a symbolic link to it named
+`kubectl-oidc_login` created, the client kubeconfig needs to specify an `exec`
+option for obtaining the authorization token:
+
+```yaml
+users:
+- name: dustin
+ user:
+ exec:
+ apiVersion: client.authentication.k8s.io/v1beta1
+ command: kubectl
+ args:
+ - oidc-login
+ - get-token
+ - --oidc-issuer-url=https://auth.pyrocufflink.blue
+ - --oidc-client-id=kubernetes
+ - --oidc-extra-scope=profile
+ - --oidc-extra-scope=groups
+ provideClusterInfo: false
+```
+
 [0]: https://www.authelia.com/
 [1]: https://www.authelia.com/configuration/prologue/introduction/
 [2]: https://www.authelia.com/configuration/security/access-control/
+[3]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
+[4]: https://github.com/int128/kubelogin/
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 9cc3041..b5662b5 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -29,6 +29,13 @@ identity_providers:
 - email
 - offline_access
 authorization_policy: one_factor
+ - id: kubernetes
+ description: Kubernetes
+ public: true
+ redirect_uris:
+ - http://localhost:8000
+ - http://localhost:18000
+ authorization_policy: one_factor
 log:
 level: trace
diff --git a/authelia/kustomization.yaml b/authelia/kustomization.yaml
index c8be310..62eba22 100644
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - authelia.yaml
+- oidc-cluster-admin.yaml
 configMapGenerator:
 - name: authelia
diff --git a/authelia/oidc-cluster-admin.yaml b/authelia/oidc-cluster-admin.yaml
new file mode 100644
index 0000000..429df89
--- /dev/null
+++ b/authelia/oidc-cluster-admin.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: oidc:dustin
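Review bot: The new `kubernetes` client is registered with `authorization_policy: one_factor`, while `oidc-cluster-admin.yaml` in this same commit binds the identity it will issue (`oidc:dustin`) to `cluster-admin`; a single factor is a thin gate for a token that grants full control of the cluster, so `authorization_policy: two_factor` is the setting I would expect on this entry. The client is also `public: true` with loopback `redirect_uris`, meaning it holds no secret, so the only thing binding the authorization code to the requesting process is PKCE; Authelia's `enforce_pkce` option applies to public clients by default, which is worth confirming is not relaxed elsewhere in this file, and kubelogin's `--oidc-use-pkce` flag is the matching client-side setting that the README example in this commit does not pass. Unlike the preceding client, this one declares no `scopes`, so whether `profile` and `groups` (which the README's kubelogin arguments request) are actually issued depends on Authelia's defaults — a one-line `scopes:` list would make that explicit. The `identity_providers` block this entry belongs to begins outside the hunk.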
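Review bot: `subjects` grants `cluster-admin` to a single `User` named `oidc:dustin`, a name that (per the README change in this commit) is assembled from the `preferred_username` claim plus the `oidc:` prefix; OpenID Connect Core tells relying parties not to treat `preferred_username` as unique or stable, so this binding is only as strong as Authelia's guarantee that the username cannot be reassigned, which should be stated rather than assumed. A `Group` subject (`kind: Group`, `name: oidc:<admin-group>` with the group name filled in from Authelia) sourced from the `groups` claim the API server is already configured to read would keep admin membership managed in the IdP instead of in per-user RBAC objects. Either way, a comment above `subjects:` recording which claim feeds the subject name and why this identity holds cluster-admin would help whoever audits the binding later.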