Reputation: 1243
I have installed Kubernetes with minikube on Ubuntu 16.04. I want to know how I can integrate OpenID Connect based authentication with it. I am new to Kubernetes, so any suggestion on how to configure it would help. I am currently accessing the dashboard with the "minikube dashboard" command, but I don't seem to find any role-specific login. The K8S guide has the below config section:
kubectl config set-credentials USER_NAME \
    --auth-provider=oidc \
    --auth-provider-arg=idp-issuer-url=( issuer url ) \
    --auth-provider-arg=client-id=( your client id ) \
    --auth-provider-arg=client-secret=( your client secret ) \
    --auth-provider-arg=refresh-token=( your refresh token ) \
    --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
    --auth-provider-arg=id-token=( your id_token ) \
    --auth-provider-arg=extra-scopes=( comma separated list of scopes to add to "openid email profile", optional )
Can someone tell me how I can get values for:
1. Issuer URL
2. Refresh token
3. Id-token
4. Extra-scope
I assume the client id and client secret are the ones we get when Google credentials are created. Please correct me if I'm wrong.
Upvotes: 3
Views: 964
Reputation: 5213
The Kubernetes Authentication docs try to explain the different "authn" plugins. One of these is "OpenID Connect", which requires that you start up an "Identity Provider".
So when you tell kubectl to use --auth-provider=oidc, that's what you're using. The idp-issuer-url will point at your Identity Provider's HTTPS URL. They give different examples of implementations of this. CoreOS has one called Dex.
Their repo has some examples under: ./examples
An example of using the LDAP connector plugin for dex is here
For more information about how Authentication is done in Kubernetes (e.g.: "What is authn?" "What is authz", etc...), there is a great presentation by Eric Chiang here.
So to answer your question:
~/.kube/config file with a user which has all of these items.
Upvotes: 1
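An added example, not part of the original question, answer or the Kubernetes docs: a pre-flight check that decodes the claims of an id_token and compares them with the idp-issuer-url and client-id you plan to pass to `kubectl config set-credentials`. The function names, the issuer `https://idp.example.com`, the client id `my-client` and the sample token are constructed for illustration; the signature is not verified here, since the API server does that against the issuer's keys.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token(id_token, issuer_url, client_id, now=None):
    """Compare id_token claims with the kubectl settings (signature NOT verified)."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["not a JWT: expected header.payload.signature"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if not issuer_url.startswith("https://"):
        problems.append("issuer URL must use https")
    # iss must equal the issuer URL exactly; a trailing slash counts.
    if claims.get("iss") != issuer_url:
        problems.append("iss %r != idp-issuer-url %r" % (claims.get("iss"), issuer_url))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("client-id %r not in aud %r" % (client_id, aud))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("id-token expired or has no exp; renew it via the refresh-token")
    return problems


def make_sample_token(claims):
    # Constructed, unsigned sample token (the signature part is a dummy).
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    tok = make_sample_token({"iss": "https://idp.example.com", "aud": "my-client", "exp": 2000})
    print(check_id_token(tok, "https://idp.example.com", "my-client", now=1000))
    print(check_id_token(tok, "https://idp.example.com/", "other", now=3000))
```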