authelia: Set up OIDC for k8s API server

Enabling OpenID Connect authentication for the Kubernetes API server
will allow clients, particularly `kubectl` to log in without needing
TLS certificates and private keys.

authelia/README.md

@@ -69,6 +69,51 @@ Note that the value of the `auth-url` contains the *internal* URL for Authelia,
 while the `auth-signin` value is the *external* URL.
 
 
+## OpenID Connect for Kubernetes API
+
+The Kubernetes API server can be configured to authorize client requests using
+[OpenID Connect][3].  The relevant settings are provided as command-line
+arguments to the server process.  For clusters managed by `kubeadm`, the
+arguments can be added to the `ClusterConfiguration` setting in the
+`kubeadm-config` ConfigMap:
+
+```yaml
+ClusterConfiguration: |
+  apiServer:
+    extraArgs:
+      oidc-client-id: kubernetes
+      oidc-groups-claim: '["groups"]'
+      oidc-groups-prefix: 'oidc:'
+      oidc-issuer-url: https://auth.pyrocufflink.blue
+      oidc-username-claim: preferred_username
+      oidc-username-prefix: 'oidc:'
+```
+
+Clients need to be specifically configured to use OIDC.  For `kubectl`, the
+[kubelogin][4] plugin provides the necessary functionality.  With the
+`kubelogin` binary installed, and a symbolic link to it named
+`kubectl-oidc_login` created, the client kubeconfig needs to specify an `exec`
+option for obtaining the authorization token:
+
+```yaml
+users:
+- name: dustin
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://auth.pyrocufflink.blue
+      - --oidc-client-id=kubernetes
+      - --oidc-extra-scope=profile
+      - --oidc-extra-scope=groups
+      provideClusterInfo: false
+```
+
 [0]: https://www.authelia.com/
 [1]: https://www.authelia.com/configuration/prologue/introduction/
 [2]: https://www.authelia.com/configuration/security/access-control/
+[3]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
+[4]: https://github.com/int128/kubelogin/

authelia/configuration.yml

@@ -29,6 +29,13 @@ identity_providers:
       - email
       - offline_access
       authorization_policy: one_factor
+    - id: kubernetes
+      description: Kubernetes
+      public: true
+      redirect_uris:
+      - http://localhost:8000
+      - http://localhost:18000
+      authorization_policy: one_factor
 
 log:
   level: trace

authelia/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 
 resources:
 - authelia.yaml
+- oidc-cluster-admin.yaml
 
 configMapGenerator:
 - name: authelia

authelia/oidc-cluster-admin.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: oidc:dustin