@taking
Last active June 22, 2022 00:32
Gist: taking/efe12486d2d4c39b30e2a9d1abb600bf

Kubernetes with OpenID Connect (OIDC)

Prerequisites

An OIDC provider with a client registered for the cluster (the issuer URL used below has authentik's /application/o/<slug>/ form), the kubectl oidc-login plugin (kubelogin) on the workstation, and root access to the control-plane node so that the kube-apiserver static pod manifest can be edited.

Role Setup

kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: k8s-admins
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-cluster-user
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: restricted-user
subjects:
- kind: Group
  name: k8s-users
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: restricted-user
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "services"]
  verbs: ["get", "watch", "list"]
EOF

The three objects go into one heredoc; the original split them across two kubectl apply calls and never closed the first one. The RoleBinding is given an explicit namespace so it lands beside the Role it references instead of in whatever namespace the current kubectl context happens to use.

The subjects are Groups, so access follows group membership at the identity provider rather than per-user bindings. The Group names must match the values of the token's groups claim exactly, including case and any --oidc-groups-prefix configured on the apiserver. cluster-admin is the built-in unrestricted ClusterRole: anyone the provider places in k8s-admins has full control of the cluster, so membership of that group deserves the same protection as the cluster's root credentials.

Edit kube-apiserver.yaml

/etc/kubernetes/manifests/kube-apiserver.yaml

spec:
  containers:
  - command:
    - kube-apiserver
    # existing flags stay as they are; add the OIDC ones below
    - --oidc-issuer-url=http://192.168.160.235:32072/application/o/kubernetes/
    - --oidc-client-id=a76a5ab2fac40cab306a2660036ce505cf4768f4
    - --oidc-username-claim=name
    - --oidc-groups-claim=groups

Only those four flags belong in the apiserver manifest. kube-apiserver has no --oidc-client-secret flag, and --skip-open-browser, --oidc-extra-scope and --oidc-redirect-url-hostname are options of the kubectl oidc-login client plugin, not of the apiserver; an unknown flag stops the static pod from starting. The apiserver never needs the client secret: it only validates the ID token's signature against the keys the issuer publishes.

kube-apiserver accepts an https:// issuer URL only. It fetches the discovery document and the JWKS from that URL, and over plain HTTP anyone on the path could substitute signing keys and mint accepted tokens. The http:// issuer used on this page is therefore rejected; put the provider behind TLS and, if its certificate is not publicly trusted, add --oidc-ca-file.

With --oidc-username-claim=name and no --oidc-username-prefix, the apiserver prefixes every username with the issuer URL followed by "#", so a User subject would have to be written as http://192.168.160.235:32072/application/o/kubernetes/#<name>; binding Groups, as above, sidesteps that. name is the OIDC display-name claim and is neither unique nor stable; sub is the only claim the specification guarantees to be both. Groups receive no prefix unless --oidc-groups-prefix is set, so an identity-provider group called system:masters would become a cluster superuser. Set a prefix such as oidc: and bind to oidc:k8s-admins and oidc:k8s-users instead, especially where users can create or rename groups at the provider.

The kubelet restarts the static pod as soon as the file is saved; kube-apiserver is briefly unavailable while it does.
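The script below is an added, offline example; it is not code from the gist, from kubelogin or from Kubernetes. It builds a constructed stand-in for the ExecCredential that kubectl oidc-login get-token hands to kubectl, applies the issuer, audience, expiry and claim checks kube-apiserver performs with the flags above (including the default "<issuer-url>#" username prefix and the absence of a groups prefix), and evaluates the resulting groups against the two bindings from the Role Setup section. The sample claims, the unsigned token and the reduced rule table are constructed for the example; signature verification against the issuer's JWKS is left out because the apiserver performs it before any claim is mapped.

```python
import base64
import json
import time
from typing import Optional

# Apiserver flags from the page (http:// issuer kept verbatim; a real apiserver requires https://).
ISSUER_URL = "http://192.168.160.235:32072/application/o/kubernetes/"
CLIENT_ID = "a76a5ab2fac40cab306a2660036ce505cf4768f4"
USERNAME_CLAIM = "name"
GROUPS_CLAIM = "groups"
USERNAME_PREFIX: Optional[str] = None  # --oidc-username-prefix not set on the page
GROUPS_PREFIX = ""                     # --oidc-groups-prefix not set on the page

# The page's bindings reduced to what the authorizer needs: scope and (resources, verbs) rules.
BINDINGS = {
    "k8s-admins": {"scope": "cluster", "rules": [({"*"}, {"*"})]},  # cluster-admin
    "k8s-users": {"scope": "namespace:default",                     # restricted-user
                  "rules": [({"pods", "services"}, {"get", "watch", "list"})]},
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_exec_credential(claims: dict) -> str:
    """Constructed stand-in for `kubectl oidc-login get-token` output (token is unsigned here)."""
    token = f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"
    return json.dumps({"apiVersion": "client.authentication.k8s.io/v1beta1",
                       "kind": "ExecCredential", "status": {"token": token}})

def jwt_claims(token: str) -> dict:
    """Decode a compact JWS payload. No signature check: the apiserver does that against the JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def map_identity(claims: dict, now: Optional[float] = None):
    """Checks and claim-to-identity mapping kube-apiserver applies for the flags above."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER_URL:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise PermissionError("token not issued for this client id")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if not claims.get(USERNAME_CLAIM):
        raise PermissionError(f"username claim {USERNAME_CLAIM!r} missing")
    # Default prefix rule: no --oidc-username-prefix and a username claim other
    # than "email" means "<issuer-url>#" is prepended; the value "-" disables prefixing.
    prefix = USERNAME_PREFIX
    if prefix is None:
        prefix = "" if USERNAME_CLAIM == "email" else ISSUER_URL + "#"
    elif prefix == "-":
        prefix = ""
    groups = claims.get(GROUPS_CLAIM, [])
    if isinstance(groups, str):  # a single string is accepted as one group
        groups = [groups]
    return prefix + str(claims[USERNAME_CLAIM]), [GROUPS_PREFIX + g for g in groups]

def rejection_reason(claims: dict, now: Optional[float] = None) -> Optional[str]:
    try:
        map_identity(claims, now)
        return None
    except PermissionError as exc:
        return str(exc)

def allowed(groups, verb: str, resource: str, namespace: Optional[str] = None) -> bool:
    """Minimal RBAC over BINDINGS. system:masters is the built-in superuser group honoured
    ahead of RBAC; with no groups prefix, an IdP group of that name is cluster root."""
    if "system:masters" in groups:
        return True
    for g in groups:
        b = BINDINGS.get(g)
        if b is None or b["scope"] not in ("cluster", f"namespace:{namespace}"):
            continue
        for resources, verbs in b["rules"]:
            if resources & {"*", resource} and verbs & {"*", verb}:
                return True
    return False

def login_and_check(exec_credential: str, verb: str, resource: str, namespace=None, now=None):
    """Plugin output -> claims -> apiserver identity -> authorization decision."""
    claims = jwt_claims(json.loads(exec_credential)["status"]["token"])
    username, groups = map_identity(claims, now)
    return username, groups, allowed(groups, verb, resource, namespace)

if __name__ == "__main__":
    # Constructed sample claims: what the provider would put into the ID token.
    cred = make_exec_credential({"iss": ISSUER_URL, "aud": CLIENT_ID, "exp": 4102444800,
                                 "sub": "u-1", "name": "alice", "groups": ["k8s-users"]})
    print(login_and_check(cred, "get", "pods", "default"))     # the Role allows get on pods
    print(login_and_check(cred, "delete", "pods", "default"))  # delete is not in the Role's verbs
```

Note the username the apiserver actually sees: http://192.168.160.235:32072/application/o/kubernetes/#alice, not alice. A User subject in a binding would have to use that full form, which is one reason the page binds Groups instead. The system:masters shortcut in allowed() is the concrete reason to set --oidc-groups-prefix whenever the provider lets users create or rename groups.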
Client configuration (kubectl oidc-login)

Run the kubelogin setup wizard first. It performs a test login against the provider and prints the exact kubectl config commands for this cluster:

kubectl oidc-login setup \
  --oidc-issuer-url=http://192.168.160.235:32072/application/o/kubernetes/ \
  --oidc-client-id=a76a5ab2fac40cab306a2660036ce505cf4768f4 \
  --oidc-client-secret=48dffad1a8e484e13ab38b2eda5fdcfb3232f1cf4002c89f9cecd2770506724bc0f60bfaef8fd03257e987448fee7eac85d2d8cb01d27c3c53e625a4f2f2f96c \
  --listen-address 0.0.0.0:8000

--listen-address 0.0.0.0:8000 exposes the plugin's authorization-code callback on every interface of the workstation. kubelogin's defaults are 127.0.0.1:8000 and 127.0.0.1:18000, matching the redirect URLs http://localhost:8000 and http://localhost:18000 registered at the provider; keep the loopback default.

Then register the plugin as an exec credential user in the kubeconfig:

kubectl config set-credentials oidc-user \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=http://192.168.160.235:32072/application/o/kubernetes/ \
  --exec-arg=--oidc-client-id=a76a5ab2fac40cab306a2660036ce505cf4768f4 \
  --exec-arg=--oidc-extra-scope=email \
  --exec-arg=--oidc-extra-scope=profile \
  --exec-arg=--oidc-extra-scope=offline_access

--oidc-extra-scope is a repeatable flag rather than one space-separated string; openid is requested by the plugin anyway, profile is the scope that carries the name claim used as the username, and offline_access asks for a refresh token so the plugin can renew the cached ID token without another browser round-trip. If the provider treats the client as confidential (the setup command above passes a secret), add --exec-arg=--oidc-client-secret=... here as well, bearing in mind that a secret copied into every workstation's kubeconfig is not a secret; a public client with PKCE, which kubelogin supports, avoids the problem.

Verify:

kubectl get pods --user=oidc-user -n default

The first call opens the browser, the plugin caches the token under ~/.kube/cache/oidc-login, and later calls reuse it. To make the user the default for the current context, run kubectl config set-context --current --user=oidc-user. A Forbidden response after a successful login usually means the groups claim is absent from the ID token or its values do not match the Group names in the bindings.