This post describes how to configure a Kubernetes cluster to authenticate users via OpenID Connect (OIDC), and how to configure the kubectl client to match.
We'll be using microk8s as the Kubernetes distribution and Google as the OIDC provider.
Configuring OIDC Provider (Google)
Before we can configure Kubernetes to authenticate against an OIDC provider, we need to set one up and record the following pieces of information:
- Issuer URL
- Client ID
- Client Secret
To do this in Google, take the following steps:
- Go to the Google API Console
- From the project dropdown, select the project you want to use or create a new one
- Search for “APIs and Services”
- If this is the first OAuth credential you're creating under this project, select OAuth consent screen, select Internal and fill in the App Information
- Select Credentials -> Create Credentials -> OAuth Client ID
- Select Application Type: Desktop App and give it a suitable name
- Record the Client ID and Client Secret
Configuring Kube API (Microk8s)
On every master node perform the following:
Edit /var/snap/microk8s/current/args/kube-apiserver and add:
Restart the node using:
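The edit-and-restart step above, as an added example that is not from the original post: a small POSIX sh script that adds the three OIDC flags kube-apiserver needs to the microk8s args file idempotently (so running it on every master node twice does not duplicate flags) and verifies the result. It assumes Google as the issuer (https://accounts.google.com), a client ID placeholder you replace with the value recorded in the Google API Console, and email as the username claim, as the post uses.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotently add the OIDC
# flags to the microk8s kube-apiserver args file and verify them.
# Assumptions: Google is the issuer, OIDC_CLIENT_ID is replaced with the
# client ID from the Google API Console, and "email" is the username claim.

ARGS_FILE="${ARGS_FILE:-/var/snap/microk8s/current/args/kube-apiserver}"
OIDC_ISSUER_URL="https://accounts.google.com"
OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-REPLACE_WITH_CLIENT_ID.apps.googleusercontent.com}"
OIDC_USERNAME_CLAIM="email"

# add_flag FILE FLAG VALUE: append "FLAG=VALUE" if FLAG is absent; if FLAG
# is already present (possibly with another value) replace that line.
add_flag() {
  file="$1"; flag="$2"; value="$3"
  if grep -q "^${flag}=" "$file" 2>/dev/null; then
    # portable in-place edit: rewrite into a temp file and move it back
    grep -v "^${flag}=" "$file" > "$file.tmp" || true
    printf '%s=%s\n' "$flag" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$flag" "$value" >> "$file"
  fi
}

# configure_oidc FILE: write the three flags the API server needs to
# validate Google ID tokens and map them to a username.
configure_oidc() {
  file="$1"
  add_flag "$file" --oidc-issuer-url "$OIDC_ISSUER_URL"
  add_flag "$file" --oidc-client-id "$OIDC_CLIENT_ID"
  add_flag "$file" --oidc-username-claim "$OIDC_USERNAME_CLAIM"
}

# count_flag FILE FLAG: number of lines setting FLAG (should be exactly 1;
# a duplicated flag means the last one silently wins).
count_flag() {
  grep -c "^${2}=" "$1" || true
}

# verify_oidc FILE: succeed only if each OIDC flag is present exactly once.
verify_oidc() {
  file="$1"
  for f in --oidc-issuer-url --oidc-client-id --oidc-username-claim; do
    [ "$(count_flag "$file" "$f")" = "1" ] || return 1
  done
  return 0
}

# To apply for real on each master node (as root), then restart the node
# as the post says:
#   configure_oidc "$ARGS_FILE" && verify_oidc "$ARGS_FILE" \
#     && microk8s stop && microk8s start
```

The verify step matters because kube-apiserver will not refuse to start on a duplicated flag; it just takes the last value, which is easy to miss when several nodes are edited by hand.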
Configuring kubectl and kubelogin
We'll use kubelogin.
Under the users section of ~/.kube/config, add the following:
We need to add --oidc-extra-scope=email because we're using email as the username claim in the previous step; without requesting that scope, the ID token Google issues won't carry the email claim and the API server will reject the user.
The name can be anything; it's just the reference used by the user field in the context section.
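The kubeconfig user entry described above, as an added example that is not from the original post or from the kubelogin project: a POSIX sh script that prints the users entry delegating token acquisition to kubelogin, prints a matching context entry, and checks that the entry requests the scope carrying the claim the API server uses as the username. It assumes kubelogin is installed as the kubectl plugin invoked as kubectl oidc-login, Google as the issuer, and placeholder client ID and secret values that you replace with those recorded in the Google API Console.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the kubeconfig
# user entry for kubelogin and check it asks for the scope that carries
# the username claim configured on kube-apiserver.
# Assumptions: kubelogin is installed as "kubectl oidc-login", Google is the
# issuer, CLIENT_ID/CLIENT_SECRET placeholders are replaced by real values.

USERNAME_CLAIM="email"   # must match --oidc-username-claim on the API server

# kubelogin_user_entry NAME CLIENT_ID CLIENT_SECRET: print one "users:" item.
# kubelogin always requests the openid scope; --oidc-extra-scope adds the
# scope whose claim the API server maps to the username.
kubelogin_user_entry() {
  name="$1"; client_id="$2"; client_secret="$3"
  cat <<EOF
- name: ${name}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://accounts.google.com
      - --oidc-client-id=${client_id}
      - --oidc-client-secret=${client_secret}
      - --oidc-extra-scope=${USERNAME_CLAIM}
EOF
}

# context_entry CONTEXT CLUSTER USER: print the "contexts:" item that refers
# to the user entry by the name chosen above.
context_entry() {
  cat <<EOF
- name: ${1}
  context:
    cluster: ${2}
    user: ${3}
EOF
}

# check_scope FILE CLAIM: fail unless the saved entry requests the scope
# named CLAIM, i.e. the token will actually contain the username claim.
check_scope() {
  grep -q -- "--oidc-extra-scope=${2}\$" "$1"
}

# Example (hypothetical values): write the entry, then confirm the scope.
#   kubelogin_user_entry google CLIENT_ID CLIENT_SECRET > user.yaml
#   check_scope user.yaml email && echo "scope ok"
#   context_entry microk8s-google microk8s-cluster google
```

Keep the client secret out of shared kubeconfigs where you can; for a Desktop App client it is not a strong secret, but it still should not be committed to a repository.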
Using
Now you can use standard RBAC objects to create permissions for your users.
If everything works as expected, you should be able to run a kubectl command; it should launch a web browser and ask you to authenticate. After a successful authentication, the command should run.
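The RBAC step above, as an added example that is not from the original post: a POSIX sh script that emits a RoleBinding for an OIDC user and checks that the subject name is the form the API server will actually see. It assumes the configuration from the earlier steps, --oidc-username-claim=email with no --oidc-username-prefix set; in that case kube-apiserver applies no prefix, so the username to bind is the bare email address. The email, role and namespace values are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original post): emit an RBAC binding for an
# OIDC-authenticated user and sanity-check the subject name.
# Assumption: --oidc-username-claim=email and no --oidc-username-prefix, so
# the authenticated username is the bare email address from the ID token.

# user_role_binding EMAIL CLUSTERROLE NAMESPACE: RoleBinding granting a
# built-in ClusterRole (view, edit, admin) to the user within one namespace.
user_role_binding() {
  email="$1"; role="$2"; ns="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-oidc-user
  namespace: ${ns}
subjects:
- kind: User
  name: ${email}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# subject_matches_claim EMAIL: succeed only if EMAIL has the user@domain
# shape the email claim carries. A bare username here never matches, and
# every request from that user is silently forbidden.
subject_matches_claim() {
  case "$1" in
    *@*.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Example (hypothetical values). Apply the binding, then confirm the
# authorisation decision from the server side without a browser login:
#   user_role_binding alice@example.com view default | microk8s kubectl apply -f -
#   microk8s kubectl auth can-i list pods -n default --as alice@example.com
```

The kubectl auth can-i --as check is a quick way to separate authentication problems (the browser flow fails or the token lacks the claim) from authorisation problems (the binding names the wrong subject).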