Merge pull request #1648 from int128/patch-1

Update kubelogin-activedirectory.md for credential plugin mode
This commit is contained in:
Nándor István Krácser 2020-02-12 16:15:20 +01:00 committed by GitHub
commit cf4f88a06e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -95,35 +95,39 @@ Then restart API server(s).
See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail. See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.
### kubelogin ### Set up kubeconfig
Create context for dex authentication: Add a new user to the kubeconfig for dex authentication:
```console ```console
$ kubectl config set-context oidc-ctx --cluster=cluster.local --user=test $ kubectl config set-credentials oidc \
$ kubectl config set-credentials test \ --exec-api-version=client.authentication.k8s.io/v1beta1 \
--auth-provider=oidc \ --exec-command=kubectl \
--auth-provider-arg=idp-issuer-url=https://dex.example.com:32000/dex \ --exec-arg=oidc-login \
--auth-provider-arg=client-id=kubernetes \ --exec-arg=get-token \
--auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \ --exec-arg=--oidc-issuer-url=https://dex.example.com:32000/dex \
--auth-provider-arg=idp-certificate-authority-data=$(base64 -w 0 openid-ca.pem) \ --exec-arg=--oidc-client-id=kubernetes \
--auth-provider-arg=extra-scopes="offline_access openid profile email groups" --exec-arg=--oidc-client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
$ kubectl config use-context oidc-ctx --exec-arg=--extra-scope=profile \
--exec-arg=--extra-scope=email \
--exec-arg=--extra-scope=groups \
--exec-arg=--certificate-authority-data=$(base64 -w 0 openid-ca.pem)
``` ```
Please confirm idp-issuer-url, client-id, client-secret and idp-certificate-authority-data value is same as config-ad-kubelogin.yaml's value. Please confirm `--oidc-issuer-url`, `--oidc-client-id`, `--oidc-client-secret` and `--certificate-authority-data` are same as values in config-ad-kubelogin.yaml.
Then run kubelogin: Run the following command:
```console ```console
$ kubelogin $ kubectl --user=oidc cluster-info
``` ```
Access http://localhost:8000 by web browser and login with your AD account (eg. test@example.com) and password. It launches the browser and navigates it to http://localhost:8000.
After login and grant, you have following token in ~/.kube/config: Please log in with your AD account (eg. test@example.com) and password.
After login and grant, you can access the cluster.
``` You can switch the current context to dex authentication.
id-token: eyJhbGciOiJSUzICuU4dCcilDDWlw2lfr8mg...
refresh-token: ChlxY2EzeGhKEB4492EzecdKJOElECK...
```
```console
$ kubectl config set-context --current --user=oidc
```