This deployment follows Dex by CoreOS & Kubernetes Documentations:
-
DNS entries: (Since this configuration uses NodePort, these can be CNAMEs to your kubernetes nodes)
- dex-k8s.example.org --> Dex OIDC provider
- login-k8s.example.org --> Custom Login Application
- dashboard-k8s.example.org --> Custom Login to kubernetes dashboard
-
Kubernetes cluster available with the following requirements:
- RBAC enabled
- OIDC authentication enabled. API server configuration:
-
--oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint
-
--oidc-client-id=loginapp: ID for our Login Application
-
--oidc-ca-file=/etc/kubernetes/ssl/ca.pem: CA file of root certificate with intermediate servers if they exist. This file should be accessible from all kubernetes apiservers.
-
--oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
-
--oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.
-
--oidc-username-prefix: Prefix prepended to username claims to prevent clashes with existing names (such as system: users). For example, the value oidc: will create usernames like oidc:jane.doe. If this flag isn’t provided and --oidc-user-claim is a value other than email the prefix defaults to ( Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value - can be used to disable all prefixing.
-
--oidc-groups-prefix:Prefix prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value oidc: will create group names like oidc:engineering and oidc:infra
-
You can add OIDC settings to kube-apiserver.yaml.
-
-
An available LDAP server
- Create the auth namespace:
kubectl create ns auth- Create self-signed SSL certs and secrets (make sure to update alt_names to match your domain)
./gencert.sh
kubectl create secret tls login.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth
kubectl create secret tls dex.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth- Create resources:
We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as Dex storage backend.
kubectl create -f dex-crd.yml- Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml- Create a LoginApp resources:
# CA ( ca.pem generated by gencert.sh) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App service
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.ymlNow assuming that you setup the DNS, this should work: try https://login.k8s.example.org:32002, login and retrieve k8s configuration.
- Create RBAC resource (assgin a group called "admins" cluster admin role):
kubectl create -f rbac.ymlNow copy paste the returned ~/.kube/config from loginapp and try:
kubectl get po
NAME READY STATUS RESTARTS AGE
dex-6f6568d499-m89z6 1/1 Running 0 7m
loginapp-6474748f4b-gb5kb 1/1 Running 0 8m
loginapp-6474748f4b-prq25 1/1 Running 0 8m
loginapp-6474748f4b-vnvnb 1/1 Running 0 8mYou can also use id_token for signing on the k8s dashboard
kubectl -n=auth create -f keycloak-proxy-deploy.yaml
kubectl -n=auth create -f keycloak-proxy-svc.yaml kubectl -n=auth create -f kubernetes-dashboard-secure-SA.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-role.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-rolebinding.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-deploy.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-svc.yamlkubectl -n=auth create -f ingress-dashboard.yaml
kubectl -n=auth create -f ingress-rules.yaml