forked from mystiq/dex
# Integration kubelogin and Active Directory

## Overview

kubelogin is a helper tool for Kubernetes and OIDC integration.
It makes it easy to log in to an OpenID Provider.
This document describes how dex works with kubelogin and Active Directory.

examples/config-ad-kubelogin.yaml is a sample configuration to integrate Active Directory and kubelogin.

## Prerequisites

1. Active Directory

   You should have Active Directory, or an LDAP server with an Active Directory compatible schema such as Samba AD.
   Your AD should contain user objects and group objects. Please ensure TLS is enabled.

2. Install kubelogin

   Download kubelogin from https://github.com/int128/kubelogin/releases.
   Install it on your workstation.

## Getting started

### Generate certificate and private key

Create the OpenSSL config file req.cnf as follows:

```
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = dex.example.com
```

Please replace dex.example.com with the hostname of your dex server.
Generate the certificate and private key with the following command.

```console
$ openssl req -new -x509 -sha256 -days 3650 -newkey rsa:4096 -extensions v3_req -out openid-ca.pem -keyout openid-key.pem -config req.cnf -subj "/CN=kube-ca" -nodes
$ ls openid*
openid-ca.pem openid-key.pem
```

### Modify dex config

Modify the following `host`, `bindDN` and `bindPW` values in examples/config-ad-kubelogin.yaml.

```yaml
connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    host: ldap.example.com:636

    # LDAPS is used (insecureNoSSL: false), but the AD server certificate is not
    # verified; set insecureSkipVerify to false once dex trusts the AD CA.
    insecureNoSSL: false
    insecureSkipVerify: true

    # This would normally be a read-only user.
    bindDN: cn=Administrator,cn=users,dc=example,dc=com
    bindPW: admin0!
```

### Run dex

```
$ bin/dex serve examples/config-ad-kubelogin.yaml
```

### Configure Kubernetes with OIDC

Copy openid-ca.pem to /etc/ssl/certs/openid-ca.pem on the master node.

Use the following flags to point your API server(s) at dex. `dex.example.com` should be replaced by whatever DNS name or IP address dex is running under.

```
--oidc-issuer-url=https://dex.example.com:32000/dex
--oidc-client-id=kubernetes
--oidc-ca-file=/etc/ssl/certs/openid-ca.pem
--oidc-username-claim=email
--oidc-groups-claim=groups
```

Then restart the API server(s).

See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.

### Set up kubeconfig

Add a new user to the kubeconfig for dex authentication:

```console
$ kubectl config set-credentials oidc \
    --exec-api-version=client.authentication.k8s.io/v1beta1 \
    --exec-command=kubectl \
    --exec-arg=oidc-login \
    --exec-arg=get-token \
    --exec-arg=--oidc-issuer-url=https://dex.example.com:32000/dex \
    --exec-arg=--oidc-client-id=kubernetes \
    --exec-arg=--oidc-client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
    --exec-arg=--extra-scope=profile \
    --exec-arg=--extra-scope=email \
    --exec-arg=--extra-scope=groups \
    --exec-arg=--certificate-authority-data=$(base64 -w 0 openid-ca.pem)
```

Please confirm that `--oidc-issuer-url`, `--oidc-client-id`, `--oidc-client-secret` and `--certificate-authority-data` match the values in config-ad-kubelogin.yaml.
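
To script the "confirm the values match" step above, and to flag the weak settings in the sample LDAP connector from the dex config section, here is an added Python example; it is not part of dex or kubelogin. It assumes the dex config also carries `issuer` and `staticClients` entries (the page does not show them) and embeds constructed stand-ins for the config, the CA file and the exec args instead of reading them from YAML.

```python
import base64
# Constructed dict mirroring config-ad-kubelogin.yaml; `issuer` and `staticClients` are assumed.
DEX_CONFIG = {
    "issuer": "https://dex.example.com:32000/dex",
    "staticClients": [{"id": "kubernetes", "secret": "ZXhhbXBsZS1hcHAtc2VjcmV0"}],
    "connectors": [{"type": "ldap", "id": "ldap", "config": {
        "host": "ldap.example.com:636",
        "insecureNoSSL": False,
        "insecureSkipVerify": True,
        "bindDN": "cn=Administrator,cn=users,dc=example,dc=com",
    }}],
}
# Constructed stand-in for openid-ca.pem and the exec args from the kubeconfig step.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"
EXEC_ARGS = [
    "--oidc-issuer-url=https://dex.example.com:32000/dex",
    "--oidc-client-id=kubernetes",
    "--oidc-client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0",
    "--certificate-authority-data=" + base64.b64encode(CA_PEM).decode(),
]

def exec_flags(args):
    """Map kubelogin exec args of the form --flag=value to {flag: value}."""
    return dict(a[2:].split("=", 1) for a in args if a.startswith("--") and "=" in a)

def check_kubeconfig(dex_config, args, ca_pem):
    """Return mismatches between the kubeconfig user entry and the dex config."""
    flags, findings = exec_flags(args), []
    if flags.get("oidc-issuer-url") != dex_config["issuer"]:
        findings.append("issuer mismatch")
    clients = {c["id"]: c["secret"] for c in dex_config.get("staticClients", [])}
    cid = flags.get("oidc-client-id")
    if cid not in clients:
        findings.append("unknown client id")
    elif flags.get("oidc-client-secret") != clients[cid]:
        findings.append("client secret mismatch")
    if base64.b64decode(flags.get("certificate-authority-data", "")) != ca_pem:
        findings.append("certificate-authority-data does not match openid-ca.pem")
    return findings

def check_ldap_connector(cfg):
    """Return the weak settings of the sample LDAP connector with their risk."""
    findings = []
    if cfg.get("insecureNoSSL"):
        findings.append("insecureNoSSL: bind password and queries sent in clear text")
    if cfg.get("insecureSkipVerify"):
        findings.append("insecureSkipVerify: AD certificate is not verified")
    if "cn=administrator" in cfg.get("bindDN", "").lower():
        findings.append("bindDN is a privileged account; use a read-only bind user")
    return findings
```

An empty list from `check_kubeconfig` means the kubeconfig user entry agrees with the dex config and the CA file; `check_ldap_connector` on the sample connector reports the unverified AD certificate and the Administrator bind account.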

Run the following command:

```console
$ kubectl --user=oidc cluster-info
```

It launches the browser and navigates it to http://localhost:8000.
Please log in with your AD account (e.g. test@example.com) and password.
After you log in and grant consent, you can access the cluster.

You can switch the current context to dex authentication.

```console
$ kubectl config set-context --current --user=oidc
```