Kubernetes - LDAP authentication with Dex
Docs
This deployment follows the Dex (by CoreOS) and Kubernetes documentation.
Requirements
- DNS entries (since this configuration uses NodePort, these can be CNAMEs to your Kubernetes nodes):
  - dex.k8s.example.org --> Dex OIDC provider
  - login.k8s.example.org --> custom login application
- A Kubernetes cluster with:
  - RBAC enabled
  - OIDC authentication enabled, with the API server configured as follows:
    - --oidc-issuer-url=https://dex.k8s.example.org/dex: external Dex endpoint
    - --oidc-client-id=loginapp: client ID of our login application
    - --oidc-ca-file=/etc/kubernetes/ssl/ca.pem: CA file generated by gencert.sh (see below)
    - --oidc-username-claim=name: maps to the nameAttr setting of the Dex LDAP connector; Kubernetes RBAC uses this claim to authorize users by their name
    - --oidc-groups-claim=groups: Kubernetes RBAC uses this claim to authorize users by their groups
- An available LDAP server
Login application
- Create the auth namespace:
kubectl create ns auth
- Create the required SSL certs and secrets (make sure to update alt_names in gencert.sh to match your domain):
./gencert.sh
kubectl create secret tls login.k8s.example.org.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth
kubectl create secret tls dex.k8s.example.org.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth
- Create resources:
# CA configmap (ca.pem generated by gencert.sh)
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App service
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml
The login application pods will fail at this point because Dex is not deployed yet.
Dex
CRD
We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as the Dex storage backend.
kubectl create -f dex-crd.yml
Deployment
- Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml
Assuming the DNS entries are in place, this should now work: open https://login.k8s.example.org:32002, log in and retrieve the Kubernetes configuration.
You can decode the id_token to verify the returned claims at https://jwt.io/
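The same inspection can be done offline and checked against the API server flags listed under Requirements. This is an added example, not code from this repository; the issuer, client ID and sample token are constructed values, and the checks mirror what kube-apiserver requires of the iss, aud, exp, username and groups claims:

```python
import base64
import json
import time

# Constructed values mirroring the kube-apiserver --oidc-* flags listed above.
APISERVER_OIDC = {"issuer": "https://dex.k8s.example.org/dex",  # --oidc-issuer-url
                  "client_id": "loginapp",                       # --oidc-client-id
                  "username_claim": "name",                      # --oidc-username-claim
                  "groups_claim": "groups"}                      # --oidc-groups-claim

def _b64url(data):  # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token(id_token):
    """Return (header, claims) WITHOUT checking the signature, the same view
    jwt.io gives; kube-apiserver does the real verification against Dex's keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("an id_token has exactly three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_claims(claims, cfg, now=None):
    """List the reasons kube-apiserver would reject these claims under the
    --oidc-* flags in cfg; an empty list means the claims line up."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append("iss %r does not match --oidc-issuer-url" % claims.get("iss"))
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud %r does not include --oidc-client-id" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp=%r)" % claims.get("exp"))
    if not claims.get(cfg["username_claim"]):
        problems.append("missing username claim %r" % cfg["username_claim"])
    groups = claims.get(cfg["groups_claim"])
    if groups is not None and not (isinstance(groups, list)
                                   and all(isinstance(g, str) for g in groups)):
        problems.append("claim %r must be a list of strings" % cfg["groups_claim"])
    return problems

# Constructed sample token with a throwaway signature: it exercises the checks only.
SAMPLE_CLAIMS = {"iss": APISERVER_OIDC["issuer"], "aud": "loginapp", "exp": 4102444800,
                 "name": "alice", "groups": ["admins"]}
SAMPLE_ID_TOKEN = ".".join(_b64url(s) for s in (
    json.dumps({"alg": "RS256", "typ": "JWT"}).encode(),
    json.dumps(SAMPLE_CLAIMS).encode(), b"not-a-real-signature"))
```

Paste a real id_token from loginapp in place of SAMPLE_ID_TOKEN to see why the API server rejects it; a non-empty list from check_claims points at the flag or Dex claim mapping to fix.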
- Create the RBAC resource (it binds the cluster-admin role to a group called "admins"):
kubectl create -f rbac.yml
Now copy the ~/.kube/config returned by loginapp into place and try:
kubectl get po
NAME READY STATUS RESTARTS AGE
dex-6f6568d499-m89z6 1/1 Running 0 7m
loginapp-6474748f4b-gb5kb 1/1 Running 0 8m
loginapp-6474748f4b-prq25 1/1 Running 0 8m
loginapp-6474748f4b-vnvnb 1/1 Running 0 8m
You can also use the id_token to sign in to the Kubernetes dashboard.
Keycloak Proxy
You can also use Keycloak Proxy instead of loginapp to sign in directly against Dex and pass the auth headers straight to the Kubernetes dashboard. However, if you need kubectl configs for the CLI, you still need loginapp. I've included deployment and service configs for Keycloak Proxy here as well.