authelia: Set up OIDC for k8s API server

Enabling OpenID Connect authentication for the Kubernetes API server
will allow clients, particularly `kubectl`, to log in without needing
TLS certificates and private keys.
2023-04-21 19:41:43 -05:00
parent bcb54d4010
commit 24465dc7da
4 changed files with 65 additions and 0 deletions


@@ -69,6 +69,51 @@ Note that the value of the `auth-url` contains the *internal* URL for Authelia,
while the `auth-signin` value is the *external* URL.
## OpenID Connect for Kubernetes API
The Kubernetes API server can be configured to authorize client requests using
[OpenID Connect][3]. The relevant settings are provided as command-line
arguments to the server process. For clusters managed by `kubeadm`, the
arguments can be added to the `ClusterConfiguration` setting in the
`kubeadm-config` ConfigMap:
```yaml
ClusterConfiguration: |
apiServer:
extraArgs:
oidc-client-id: kubernetes
oidc-groups-claim: '["groups"]'
oidc-groups-prefix: 'oidc:'
oidc-issuer-url: https://auth.pyrocufflink.blue
oidc-username-claim: preferred_username
oidc-username-prefix: 'oidc:'
```
Clients need to be specifically configured to use OIDC. For `kubectl`, the
[kubelogin][4] plugin provides the necessary functionality. With the
`kubelogin` binary installed, and a symbolic link to it named
`kubectl-oidc_login` created, the client kubeconfig needs to specify an `exec`
option for obtaining the authorization token:
```yaml
users:
- name: dustin
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: kubectl
args:
- oidc-login
- get-token
- --oidc-issuer-url=https://auth.pyrocufflink.blue
- --oidc-client-id=kubernetes
- --oidc-extra-scope=profile
- --oidc-extra-scope=groups
provideClusterInfo: false
```
[0]: https://www.authelia.com/
[1]: https://www.authelia.com/configuration/prologue/introduction/
[2]: https://www.authelia.com/configuration/security/access-control/
[3]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
[4]: https://github.com/int128/kubelogin/
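Review bot: `oidc-groups-claim: '["groups"]'` in the `extraArgs` block looks wrong: `--oidc-groups-claim` takes the name of one JWT claim, so this value makes the API server look for a claim literally named `["groups"]`, no group memberships from Authelia will be extracted, and any RBAC bindings to `oidc:`-prefixed groups will silently never match; it should read `oidc-groups-claim: groups`. The `oidc:` prefixes on both `oidc-username-prefix` and `oidc-groups-prefix` are the right call and worth a sentence in the text, since they stop an identity-provider user or group name from colliding with built-in subjects such as `system:masters`. Two further points for the prose: the paragraph says OIDC lets the API server "authorize client requests", but OIDC only authenticates the caller, and authorization still has to come from RBAC rules bound to the prefixed users and groups; and editing the `kubeadm-config` ConfigMap does not by itself change the running API server, the new arguments only take effect once they reach the kube-apiserver static pod manifest (for example via `kubeadm upgrade`), which the section should mention so a reader does not assume the ConfigMap edit is the whole procedure.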