This deployment follows Dex by CoreOS & Kubernetes Documentations:
-
DNS entries:
- dex.k8s.example.com --> Dex OIDC provider
- login.k8s.example.com --> Custom Login Application
-
Kubernetes cluster available with the following requirements:
- RBAC enabled
- OIDC authentication enabled. API server configuration:
- --oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint
- --oidc-client-id=loginapp: ID for our Login Application
- --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Letsencrypt CA file because we will use automatic certificate requests.
- --oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
- oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.
- Ingress Controller available.
- Automatic certificate requests for Kubernetes (ex: https://github.com/jetstack/cert-manager)
-
An available LDAP server
Helm chart is available here.
- Create the auth namespace:
kubectl create ns auth
- Create resources:
# CA (letsencrypt) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App Ingress and SVC
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml
It should fail because Dex is not deployed.
We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as Dex storage backend.
kubectl create -f dex-crd.yml
- Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex ingress and service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml
Now it should work: try https://login.k8s.example.org, login and retrieve k8s configuration.
kubectl --user=janedoe get po
Error from server (Forbidden): pods is forbidden: User "https://dex.k8s.example.org/dex#janedoe" cannot list pods in the namespace "auth"
User prefix can be updated with the --oidc-username-prefix apiserver option.
- Create RBAC resource:
kubectl create -f rbac-admins.yml
Try again:
kubectl --user=janedoe get po
NAME READY STATUS RESTARTS AGE
dex-6f6568d499-m89z6 1/1 Running 0 7m
loginapp-6474748f4b-gb5kb 1/1 Running 0 8m
loginapp-6474748f4b-prq25 1/1 Running 0 8m
loginapp-6474748f4b-vnvnb 1/1 Running 0 8m