
Testing OpenID authentication with kubernetes

I have installed Kubernetes with minikube on Ubuntu 16.04. I want to know how I can integrate OpenID Connect based authentication with it. I am new to Kubernetes, so any suggestion on how to configure it would help. I am currently accessing the dashboard with the "minikube dashboard" command, but I don't seem to find any role-specific login. The K8S guide has the config section below:

    kubectl config set-credentials USER_NAME \
      --auth-provider=oidc \
      --auth-provider-arg=idp-issuer-url=( issuer url ) \
      --auth-provider-arg=client-id=( your client id ) \
      --auth-provider-arg=client-secret=( your client secret ) \
      --auth-provider-arg=refresh-token=( your refresh token ) \
      --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
      --auth-provider-arg=id-token=( your id_token ) \
      --auth-provider-arg=extra-scopes=( comma separated list of scopes to add to "openid email profile", optional )

Can someone tell me how I can get values for:

1. Issuer URL
2. Refresh token
3. Id-token
4. Extra-scope

I assume the client ID and client secret are the ones we get when Google credentials are created. Please correct me if I'm wrong.

The Kubernetes Authentication docs try to explain the different "authn" plugins. One of these is "OpenID Connect", which requires that you start up an "Identity Provider".

So when you tell kubectl to use --auth-provider=oidc, that's what you're using. The idp-issuer-url will point at your Identity Provider's HTTPS URL. They give different examples of implementations of this. CoreOS has one called Dex.

Their repo has some examples under: ./examples

An example of using LDAP connector plugin for dex is here

For more information about how Authentication is done in Kubernetes (e.g. "What is authn?", "What is authz?", etc.), there is a great presentation by Eric Chiang here.

So to answer your question:

Q: How can I get values for:

  1. Issuer URL
  2. Refresh token
  3. Id-token
  4. Extra-scope

A: Set up Dex, then authenticate to it using the "Login" app (with some backend such as LDAP in the example). Then it redirects you to a page with a ~/.kube/config file with a user which has all of these items.
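Before pasting the values from that generated kubeconfig into `kubectl config set-credentials`, it is worth checking that the id_token actually belongs to the issuer you are about to configure and has not already expired, since a mismatch between the token's `iss` claim and `idp-issuer-url` (or the API server's `--oidc-issuer-url`) is the usual reason the API server rejects the user. The script below is an added example, not code from the original post or from the Kubernetes or Dex projects; the issuer URL, email and token it uses are constructed sample values, and it assumes a POSIX shell with coreutils `base64`.

```shell
#!/bin/sh
# Decode an OIDC id_token's payload and sanity-check it against the
# idp-issuer-url intended for kubectl. No jq dependency; string claims only.

b64url_decode() {
  # JWT segments are base64url without '=' padding: convert the alphabet
  # back to standard base64 and restore the padding before decoding.
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

jwt_payload() {
  # The payload is the second dot-separated segment: header.payload.signature
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim() {
  # Extract string claim $2 (e.g. iss, email) from token $1.
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

check_id_token() {
  # Usage: check_id_token TOKEN EXPECTED_ISSUER
  # Returns 0 when the token is usable, 1 on issuer mismatch, 2 when expired.
  iss=$(jwt_claim "$1" iss)
  exp=$(jwt_payload "$1" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  [ "$iss" = "$2" ] || { echo "issuer mismatch: token iss='$iss', expected '$2'" >&2; return 1; }
  [ "${exp:-0}" -gt "$(date +%s)" ] || { echo "id_token expired at $exp; kubectl must use the refresh-token" >&2; return 2; }
  echo "id_token ok: iss=$iss email=$(jwt_claim "$1" email)"
}

# Constructed sample token (unsigned, for illustration only): a real one comes
# from the Dex login flow or your provider's token endpoint.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_ISSUER="https://dex.example.com:32000"
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "{\"iss\":\"$SAMPLE_ISSUER\",\"sub\":\"abc123\",\"aud\":\"kubernetes\",\"email\":\"alice@example.com\",\"exp\":4102444800}").signature"

if [ "${1:-}" = "--demo" ]; then
  check_id_token "$SAMPLE_TOKEN" "$SAMPLE_ISSUER"
fi
```

Run it as `sh check_token.sh --demo` for the built-in sample, or call `check_id_token "$(your real id_token)" "https://your-issuer"` from your own shell; on success the reported `iss` is the value to use for `idp-issuer-url`.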
