.. | ||
.gitignore | ||
client.yaml | ||
config-k8s.yaml | ||
deployment.yaml | ||
dex-ingress.yaml | ||
gencert.sh | ||
nginx-ingress.yaml | ||
README.md |
Running dex as the Kubernetes authenticator
Running dex as the Kubernetes authenticator requires.
- dex is running on HTTPS.
- Your browser can navigate to dex at the same address Kubernetes refers to it as.
To accomplish this locally, these scripts assume you're using the single host vagrant setup provided by the coreos-kubernetes repo with a couple of changes (a complete diff is provided at the bottom of this document). Namely that:
- The API server isn't running on host port 443.
- The virtual machine has a populated
/etc/hosts
The following entry must be added to your host's /etc/hosts
file as well as
the VM.
172.17.4.99 dex.example.com
In the future this document will provide instructions for a more general Kubernetes installation.
Once you have Kubernetes configured, set up the ThirdPartyResources and a ConfigMap for dex to use. These run dex as a deployment with configuration and storage, allowing it to get started.
kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml
kubectl create -f deployment.yaml
To get dex running at an HTTPS endpoint, create an ingress controller, some self-signed TLS assets and an ingress rule for dex. These TLS assest should normally be provided by an actual CA (public or internal).
kubectl create -f https://raw.githubusercontent.com/kubernetes/contrib/master/ingress/controllers/nginx/rc.yaml
./gencert.sh
kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
kubectl create -f dex-ingress.yaml
To test that the everything has been installed correctly. Configure a client
with some credentials, and run the example-app
(run make
at the top level
of this repo if you haven't already). The second command will error out if your
example-app can't find dex.
kubectl create -f client.yaml
../../bin/example-app --issuer https://dex.example.com --issuer-root-ca ssl/ca.pem
Navigate to 127.0.0.1:5555
and try to login. You should be redirected to
dex.example.com
with lots of TLS errors. Proceed around them, authorize the
example-app
's OAuth2 client and you should be redirected back to the
example-app
with valid OpenID Connect credentials.
Finally, to configure Kubernetes to use dex as its authenticator, copy
ssl/ca.pem
to /etc/kubernetes/ssl/openid-ca.pem
onto the VM and update the
API server's manifest at /etc/kubernetes/manifests/kube-apiserver.yaml
to add
the following flags.
--oidc-issuer-url=https://dex.example.com
--oidc-client-id=example-app
--oidc-ca-file=/etc/kubernetes/ssl/openid-ca.pem
--oidc-username-claim=email
--oidc-groups-claim=groups
Kick the API server by killing its Docker container, and when it comes up again
it should be using dex. Login again through the example-app
and you should be
able to use the provided token as a bearer token to hit the Kubernetes API.
Changes to coreos-kubernetes
The following is a diff to the coreos-kubernetes repo that accomplishes the required changes.
diff --git a/single-node/user-data b/single-node/user-data
index f419f09..ed42055 100644
--- a/single-node/user-data
+++ b/single-node/user-data
@@ -80,6 +80,15 @@ function init_flannel {
}
function init_templates {
+ local TEMPLATE=/etc/hosts
+ if [ ! -f $TEMPLATE ]; then
+ echo "TEMPLATE: $TEMPLATE"
+ mkdir -p $(dirname $TEMPLATE)
+ cat << EOF > $TEMPLATE
+172.17.4.99 dex.example.com
+EOF
+ fi
+
local TEMPLATE=/etc/systemd/system/kubelet.service
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
@@ -195,7 +204,7 @@ spec:
- --etcd-servers=${ETCD_ENDPOINTS}
- --allow-privileged=true
- --service-cluster-ip-range=${SERVICE_IP_RANGE}
- - --secure-port=443
+ - --secure-port=8443
- --advertise-address=${ADVERTISE_IP}
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
@@ -211,8 +220,8 @@ spec:
initialDelaySeconds: 15
timeoutSeconds: 15
ports:
- - containerPort: 443
- hostPort: 443
+ - containerPort: 8443
+ hostPort: 8443
name: https
- containerPort: 8080
hostPort: 8080