kops cluster config
kubeAPIServer:
authorizationMode: RBAC
authorizationRbacSuperUser: admin
oidcCAFile: /srv/kubernetes/ca.crt
oidcClientID: example
oidcGroupsClaim: groups
oidcIssuerURL: https://dex.example.com
oidcUsernameClaim: email
runtimeConfig:
rbac.authorization.k8s.io/v1alpha1: "true"export BUCKET=example.com
mkdir -p ssl
# Load the CA from the KOPS bucket:
ca_cert_path=`aws s3 --region ${AWS_DEFAULT_REGION} ls --recursive ${BUCKET}/${CLUSTER_NAME}/pki/issued/ca/|awk '{ print $4 }'`
ca_key_path=`aws s3 --region ${AWS_DEFAULT_REGION} ls --recursive ${BUCKET}/${CLUSTER_NAME}/pki/private/ca/|awk '{ print $4 }'`
aws s3 cp s3://${BUCKET}/$ca_cert_path ssl/ca.pem
aws s3 cp s3://${BUCKET}/$ca_key_path ssl/ca-key.pem
cat << EOF > ssl/req.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = dex.example.com
EOF
openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=dex.example.com" -config ssl/req.cnf
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 1024 -extensions v3_req -extfile ssl/req.cnf
kubectl create secret tls dex.example.com.tls \
--cert=apps/dex/ssl/cert.pem \
—key=apps/dex/ssl/key.pem
#edit the yaml from the below manifest
kubectl create - https://raw.githubusercontent.com/coreos/dex/master/examples/k8s/dex.yaml
# you need https://github.com/coreos/dex/tree/master/cmd/example-app to get your token from dex
# also once thats done, you still need to give all your components the correct clusterbindings
# https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata
# but for the rolebindings, the issue is that most of those service accounts dont exist