- krew (https://krew.sigs.k8s.io/docs/user-guide/setup/install/)
- oidc-login (`kubectl krew install oidc-login`)
- authentik (https://gist.github.com/taking/adbca4931222eb3b0f8c6e8d3495e2c0)
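# Bind the groups carried in the ID token's "groups" claim to cluster roles.
# The heredoc has to be closed with EOF; without it the shell keeps reading
# the following command as part of the YAML stream and the apply fails.
kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  # With no --oidc-groups-prefix in the apiserver flags, the group name is
  # compared verbatim with the groups claim: every member of k8s-admins at the
  # IdP is cluster-admin on the whole cluster.
  - kind: Group
    name: k8s-admins
    apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-cluster-user
  # A RoleBinding is namespaced; pin it to the namespace that holds the
  # restricted-user Role instead of relying on the current kubeconfig context.
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: restricted-user
subjects:
  - kind: Group
    name: k8s-users
    apiGroup: rbac.authorization.k8s.io
EOF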
# Namespace-scoped, read-only Role that the oidc-cluster-user RoleBinding
# refers to: list/watch/get on pods and services in "default" only.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: restricted-user
  namespace: default
rules:
  - apiGroups:
      - ""  # the core API group
    resources:
      - pods
      - services
    verbs:
      - get
      - watch
      - list
EOF
Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` and add the OIDC flags to the kube-apiserver command:
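spec:
  containers:
    # `command` is a plain list of strings, not a block scalar; the OIDC flags
    # are appended to the arguments that are already there.
    - command:
        # ... existing kube-apiserver arguments, unchanged ...
        # kube-apiserver accepts only https:// issuer URLs and refuses to start
        # otherwise; serve authentik over TLS and, for a private CA, add
        # --oidc-ca-file=<path-to-ca-bundle>.
        - --oidc-issuer-url=http://192.168.160.235:32072/application/o/kubernetes/
        - --oidc-client-id=a76a5ab2fac40cab306a2660036ce505cf4768f4
        # NOTE(review): "name" is usually a display name; if it is not unique
        # per user in authentik, use "email" (and set --oidc-username-prefix)
        # so two users can never share a Kubernetes identity -- confirm.
        - --oidc-username-claim=name
        - --oidc-groups-claim=groups
        # Recommended: --oidc-groups-prefix=oidc: keeps IdP-defined groups from
        # colliding with built-in ones such as system:masters. Enabling it means
        # every RoleBinding subject must use the prefixed name (oidc:k8s-admins).
        #
        # Dropped from this manifest: --oidc-client-secret, --skip-open-browser,
        # --oidc-extra-scope and --oidc-redirect-url-hostname are flags of the
        # kubectl oidc-login client, not of kube-apiserver, which only validates
        # ID tokens and never needs the client secret. They belong in the
        # `kubectl config set-credentials` / `kubectl oidc-login setup` commands.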
# Add a kubeconfig user that obtains its token through the oidc-login exec
# plugin. Exec args are handed to `kubectl oidc-login get-token` in the order
# given here.
kubectl config set-credentials oidc-user \
  --exec-command=kubectl \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-arg='oidc-login' \
  --exec-arg='get-token' \
  --exec-arg='--oidc-issuer-url=http://192.168.160.235:32072/application/o/kubernetes/' \
  --exec-arg='--oidc-client-id=a76a5ab2fac40cab306a2660036ce505cf4768f4' \
  --exec-arg='--oidc-extra-scope=email offline_access profile openid'
# NOTE(review): offline_access presumably requests a refresh token that
# oidc-login then caches on disk -- confirm the cache location and protect it
# like a kubeconfig.
# NOTE(review): the scopes above reach oidc-login as one space-separated value;
# if it expects one scope per flag (as in the repeated --oidc-extra-scope lines
# elsewhere in these notes), split them -- verify.

# Smoke test: the first call with this user triggers the oidc-login sign-in flow.
kubectl get pods --user=oidc-user -n default
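# One-off interactive check of the IdP configuration: oidc-login walks through
# a sign-in and reports the token it obtained.
# The client secret is a credential; on the command line it lands in shell
# history and process listings, so rotate it in authentik if it has been
# shared and keep it out of committed notes.
kubectl oidc-login setup \
  --oidc-issuer-url=http://192.168.160.235:32072/application/o/kubernetes/ \
  --oidc-client-id=a76a5ab2fac40cab306a2660036ce505cf4768f4 \
  --oidc-client-secret=48dffad1a8e484e13ab38b2eda5fdcfb3232f1cf4002c89f9cecd2770506724bc0f60bfaef8fd03257e987448fee7eac85d2d8cb01d27c3c53e625a4f2f2f96c \
  --listen-address 127.0.0.1:8000
# The listener above receives the authorization code on the redirect URI and
# must only be reachable from the local browser; 0.0.0.0:8000 offered it to
# every host on the network. The redirect URI registered in authentik
# (localhost:8000) is unaffected by this change.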