
How do I update an on-premise Kubernetes API server to enable OIDC with Dex?


We have an on-premise Kubernetes deployment in our data center. I just finished deploying the pods for Dex, configured it to hook up with our LDAP server to allow LDAP-based authentication via Dex, ran tests, and was able to retrieve the OpenID Connect token for authentication.

Now I would like to change our on-premise k8s API server startup parameters to enable OIDC and point it to the Dex container.

How do I enable OIDC in the API server startup command without downtime to our k8s cluster? I was reading this doc https://kubernetes.io/docs/reference/access-authn-authz/authentication/ but the site just says "Enable the required flags" without giving the steps.

Thanks!


Solution

  • I installed Dex + Active Directory integration a few months ago on a cluster installed by kubeadm.

    Let's assume that Dex is now running and it can be accessed through https://dex.example.com.

    In this case:

    Enabling OIDC at the API server level has 3 steps:

    These steps have to be done on each of your Kubernetes master nodes.

    1- SSH to your master node.

    $ ssh root@master-ip
    

    2- Edit the Kubernetes API configuration.

    Add the OIDC parameters and modify the issuer URL accordingly.

    $ sudo vim /etc/kubernetes/manifests/kube-apiserver.yaml
    ...
        command:
        - /hyperkube
        - apiserver
        - --advertise-address=x.x.x.x
    ...
        - --oidc-issuer-url=https://dex.example.com # <-- 🔴 Please focus here
        - --oidc-client-id=oidc-auth-client # <-- 🔴 Please focus here
        - --oidc-username-claim=email # <-- 🔴 Please focus here
        - --oidc-groups-claim=groups # <-- 🔴 Please focus here
    ...

    3- The Kubernetes API will restart by itself.

    I also recommend checking a full guide like this tutorial.
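The three steps above are a manual edit of a static-pod manifest, which is easy to get wrong when repeated on several master nodes (duplicated flags, a stale issuer left behind, or a backup copy dropped into the manifests directory, which kubelet would then launch as a second API server). The script below is an added example written for this answer, not code from Kubernetes, kubeadm or Dex. It patches the `command:` list of the kube-apiserver manifest idempotently, refuses a non-https issuer (kube-apiserver fetches the issuer's discovery document and signing keys over TLS, so an http issuer is not accepted), and keeps its backup outside the manifests directory. The manifest text, the issuer `https://dex.example.com` and the client id `oidc-auth-client` are the answer's values; `SAMPLE_MANIFEST` is a constructed sample and the script name is hypothetical.

```python
#!/usr/bin/env python3
"""Idempotently add the kube-apiserver OIDC flags to a static-pod manifest.

Added example for this answer (not Kubernetes, kubeadm or Dex code). It edits
the `command:` list of /etc/kubernetes/manifests/kube-apiserver.yaml line by
line, so no PyYAML is needed and the file keeps its original formatting.
"""
import os
import re
import shutil
import sys

# Matches any existing "- --oidc-..." argument line, whatever its indentation.
OIDC_FLAG_RE = re.compile(r"^\s*-\s+--oidc-")


def build_oidc_flags(issuer_url, client_id, username_claim="email", groups_claim="groups"):
    """Return the four flag strings used in the answer, validating the issuer URL."""
    # kube-apiserver fetches the issuer's discovery document and JWKS over TLS
    # and trusts them to verify every bearer token, so plain http is refused.
    if not issuer_url.startswith("https://"):
        raise ValueError("--oidc-issuer-url must use https://")
    return [
        f"--oidc-issuer-url={issuer_url}",
        f"--oidc-client-id={client_id}",
        f"--oidc-username-claim={username_claim}",
        f"--oidc-groups-claim={groups_claim}",
    ]


def add_oidc_flags(manifest, flags):
    """Return manifest text with `flags` appended to the first block-style `command:` list.

    Existing --oidc-* entries are dropped first, so running this twice (or on a
    manifest that already carries stale OIDC settings) yields the same result.
    """
    lines = [ln for ln in manifest.splitlines() if not OIDC_FLAG_RE.match(ln)]
    out = []
    in_command = False
    item_indent = None  # indentation of the "- ..." items inside command:
    inserted = False
    for line in lines:
        stripped = line.strip()
        if in_command:
            if stripped.startswith("- "):
                item_indent = line[: len(line) - len(line.lstrip())]
            elif item_indent is not None and stripped and not stripped.startswith("#"):
                # First non-item line closes the list: insert our flags before it.
                out.extend(f"{item_indent}- {f}" for f in flags)
                inserted = True
                in_command = False
        elif not inserted and stripped in ("command:", "- command:"):
            in_command = True  # kubeadm writes "- command:", the answer shows "command:"
        out.append(line)
    if in_command and item_indent is not None and not inserted:
        # The command list ran to the end of the file.
        out.extend(f"{item_indent}- {f}" for f in flags)
        inserted = True
    if not inserted:
        raise ValueError("no populated block-style command: list found in manifest")
    return "\n".join(out) + "\n"


def patch_manifest_file(path, flags):
    """Rewrite the manifest in place, keeping a backup OUTSIDE the manifests dir.

    kubelet treats every file in /etc/kubernetes/manifests as a static pod, so a
    kube-apiserver.yaml.bak left beside the original would be started as a
    second, conflicting API server pod.
    """
    with open(path) as fh:
        original = fh.read()
    updated = add_oidc_flags(original, flags)
    if updated == original:
        return False  # already configured; nothing for kubelet to restart
    backup_dir = os.path.dirname(os.path.dirname(path))  # e.g. /etc/kubernetes
    shutil.copy2(path, os.path.join(backup_dir, os.path.basename(path) + ".bak"))
    with open(path, "w") as fh:
        fh.write(updated)
    return True  # kubelet notices the change and restarts the static pod


# Constructed sample in kubeadm's layout, carrying a stale issuer to be replaced.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.1
    - --oidc-issuer-url=https://old.example.com
    image: kube-apiserver:example
    name: kube-apiserver
"""

if __name__ == "__main__":
    # usage: patch_apiserver_oidc.py <issuer-url> <client-id> [manifest-path]
    issuer, client = sys.argv[1], sys.argv[2]
    manifest_path = sys.argv[3] if len(sys.argv) > 3 else "/etc/kubernetes/manifests/kube-apiserver.yaml"
    changed = patch_manifest_file(manifest_path, build_oidc_flags(issuer, client))
    print("manifest updated, kubelet will restart kube-apiserver" if changed else "no change needed")
```

Run it on one master at a time: after the script reports a change, wait until the restarted API server answers `kubectl get --raw /healthz` (or the same path over `curl` against that node's port 6443) before moving to the next node. On an HA control plane with a load balancer in front of the masters this keeps the cluster reachable throughout, which is what the per-master procedure in the answer relies on; a single-master cluster will still see the API unavailable for the few seconds kubelet needs to restart the static pod.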