forked from mystiq/dex
Merge pull request #1648 from int128/patch-1
Update kubelogin-activedirectory.md for credential plugin mode
commit cf4f88a06e
1 changed files with 24 additions and 20 deletions
|
@ -95,35 +95,39 @@ Then restart API server(s).
|
||||||
|
|
||||||
See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.
|
See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.
|
||||||
|
|
||||||
### kubelogin
|
### Set up kubeconfig
|
||||||
|
|
||||||
Create context for dex authentication:
|
Add a new user to the kubeconfig for dex authentication:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ kubectl config set-context oidc-ctx --cluster=cluster.local --user=test
|
$ kubectl config set-credentials oidc \
|
||||||
$ kubectl config set-credentials test \
|
--exec-api-version=client.authentication.k8s.io/v1beta1 \
|
||||||
--auth-provider=oidc \
|
--exec-command=kubectl \
|
||||||
--auth-provider-arg=idp-issuer-url=https://dex.example.com:32000/dex \
|
--exec-arg=oidc-login \
|
||||||
--auth-provider-arg=client-id=kubernetes \
|
--exec-arg=get-token \
|
||||||
--auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
|
--exec-arg=--oidc-issuer-url=https://dex.example.com:32000/dex \
|
||||||
--auth-provider-arg=idp-certificate-authority-data=$(base64 -w 0 openid-ca.pem) \
|
--exec-arg=--oidc-client-id=kubernetes \
|
||||||
--auth-provider-arg=extra-scopes="offline_access openid profile email groups"
|
--exec-arg=--oidc-client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
|
||||||
$ kubectl config use-context oidc-ctx
|
--exec-arg=--extra-scope=profile \
|
||||||
|
--exec-arg=--extra-scope=email \
|
||||||
|
--exec-arg=--extra-scope=groups \
|
||||||
|
--exec-arg=--certificate-authority-data=$(base64 -w 0 openid-ca.pem)
|
||||||
```
|
```
|
||||||
|
|
||||||
Please confirm idp-issuer-url, client-id, client-secret and idp-certificate-authority-data value is same as config-ad-kubelogin.yaml's value.
|
Please confirm `--oidc-issuer-url`, `--oidc-client-id`, `--oidc-client-secret` and `--certificate-authority-data` are same as values in config-ad-kubelogin.yaml.
|
||||||
|
|
||||||
Then run kubelogin:
|
Run the following command:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ kubelogin
|
$ kubectl --user=oidc cluster-info
|
||||||
```
|
```
|
||||||
|
|
||||||
Access http://localhost:8000 by web browser and login with your AD account (eg. test@example.com) and password.
|
It launches the browser and navigates it to http://localhost:8000.
|
||||||
After login and grant, you have following token in ~/.kube/config:
|
Please log in with your AD account (eg. test@example.com) and password.
|
||||||
|
After login and grant, you can access the cluster.
|
||||||
|
|
||||||
```
|
You can switch the current context to dex authentication.
|
||||||
id-token: eyJhbGciOiJSUzICuU4dCcilDDWlw2lfr8mg...
|
|
||||||
refresh-token: ChlxY2EzeGhKEB4492EzecdKJOElECK...
|
|
||||||
```
|
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ kubectl config set-context --current --user=oidc
|
||||||
|
```
|
||||||
|
|
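Review bot: the replacement scope list (`--extra-scope=profile`, `email`, `groups`) drops `offline_access` and `openid`, which the removed `extra-scopes="offline_access openid profile email groups"` line requested explicitly; dex only issues a refresh token when `offline_access` is requested, so either state in the text that `kubectl oidc-login` adds `openid` and `offline_access` on its own or add `--exec-arg=--extra-scope=offline_access` to the example, otherwise readers following the new page lose token refresh compared with the old `auth-provider` setup. The "Please confirm ... are same as values in config-ad-kubelogin.yaml" sentence also still lists `--certificate-authority-data`, which comes from `openid-ca.pem` rather than from that YAML file, so it is worth rewording while the sentence is being touched.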