forked from mystiq/dex
Update kubelogin-activedirectory.md for credential plugin
This commit is contained in:
parent
0014ca3465
commit
2ec5e5463f
1 changed files with 24 additions and 20 deletions
|
@ -95,35 +95,39 @@ Then restart API server(s).
|
|||
|
||||
See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.
|
||||
|
||||
### kubelogin
|
||||
### Set up kubeconfig
|
||||
|
||||
Create context for dex authentication:
|
||||
Add a new user to the kubeconfig for dex authentication:
|
||||
|
||||
```console
|
||||
$ kubectl config set-context oidc-ctx --cluster=cluster.local --user=test
|
||||
$ kubectl config set-credentials test \
|
||||
--auth-provider=oidc \
|
||||
--auth-provider-arg=idp-issuer-url=https://dex.example.com:32000/dex \
|
||||
--auth-provider-arg=client-id=kubernetes \
|
||||
--auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
|
||||
--auth-provider-arg=idp-certificate-authority-data=$(base64 -w 0 openid-ca.pem) \
|
||||
--auth-provider-arg=extra-scopes="offline_access openid profile email groups"
|
||||
$ kubectl config use-context oidc-ctx
|
||||
$ kubectl config set-credentials oidc \
|
||||
--exec-api-version=client.authentication.k8s.io/v1beta1 \
|
||||
--exec-command=kubectl \
|
||||
--exec-arg=oidc-login \
|
||||
--exec-arg=get-token \
|
||||
--exec-arg=--oidc-issuer-url=https://dex.example.com:32000/dex \
|
||||
--exec-arg=--oidc-client-id=kubernetes \
|
||||
--exec-arg=--oidc-client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
|
||||
--exec-arg=--extra-scope=profile \
|
||||
--exec-arg=--extra-scope=email \
|
||||
--exec-arg=--extra-scope=groups \
|
||||
--exec-arg=--certificate-authority-data=$(base64 -w 0 openid-ca.pem)
|
||||
```
|
||||
|
||||
Please confirm idp-issuer-url, client-id, client-secret and idp-certificate-authority-data value is same as config-ad-kubelogin.yaml's value.
|
||||
Please confirm `--oidc-issuer-url`, `--oidc-client-id`, `--oidc-client-secret` and `--certificate-authority-data` are same as values in config-ad-kubelogin.yaml.
|
||||
|
||||
Then run kubelogin:
|
||||
Run the following command:
|
||||
|
||||
```console
|
||||
$ kubelogin
|
||||
$ kubectl --user=oidc cluster-info
|
||||
```
|
||||
|
||||
Access http://localhost:8000 by web browser and login with your AD account (eg. test@example.com) and password.
|
||||
After login and grant, you have following token in ~/.kube/config:
|
||||
It launches the browser and navigates it to http://localhost:8000.
|
||||
Please log in with your AD account (eg. test@example.com) and password.
|
||||
After login and grant, you can access the cluster.
|
||||
|
||||
```
|
||||
id-token: eyJhbGciOiJSUzICuU4dCcilDDWlw2lfr8mg...
|
||||
refresh-token: ChlxY2EzeGhKEB4492EzecdKJOElECK...
|
||||
```
|
||||
You can switch the current context to dex authentication.
|
||||
|
||||
```console
|
||||
$ kubectl config set-context --current --user=oidc
|
||||
```
|
||||
|
|
Loading…
Reference in a new issue