Kubernetes, RBAC and OpenID Connect

I recently wanted to add role-based access control (RBAC) to my Kubernetes cluster and delegate authentication to my Google account via OpenID Connect (OIDC). I couldn't find a working solution online, so I decided to blog about it!

We'll use Minikube to keep the setup simple. I am using Minikube v0.30.0 and kubectl v1.12.1. The versions matter: parameter names change between releases. If you have a previous installation, it's better to clean it and start from scratch:

  • minikube delete --all --purge
  • rm -rf ~/.minikube

I'd even delete your ~/.kube folder :)

The first thing to do is set up your Google client. There is a guide here (step 1 only), which saves me taking screenshots :) Once you are done you can download the client credentials as a .json file. Let's call it credentials.json, as we'll use it later.

You are now ready to start your Kubernetes cluster! The command is (replace the client-id with yours):

Note that the parameter names in the command can change, so if the command doesn't work and you're using different versions of minikube and kubectl, check the documentation.

Once your Kubernetes cluster has started, you are halfway there! Now we need to set up kubectl to use your OIDC credentials. An easy way is the k8s-oidc-helper tool, which is what we'll use here; if you are feeling brave you can set it up manually. Once you have downloaded the tool, run:

k8s-oidc-helper -c ./credentials.json --write

against the file you downloaded when setting up the Google client. A browser window will pop up with an approval code that you then copy and paste for the tool to use. That creates our new user, named after the email address you entered when creating the client. Let's call it foobar@mailinator.com. You can check your ~/.kube/config file to see what has changed.

We now need to create a new ClusterRoleBinding for our user:

kubectl create clusterrolebinding cluster-admin-minikube --clusterrole=cluster-admin --user="foobar@mailinator.com"

Next we need to set up kubectl to use our new user. First we create a new context:

kubectl config set-context foobar --cluster minikube --user foobar@mailinator.com

We are now ready to use it:

kubectl config use-context foobar

We are done! We can now use kubectl and authenticate via Google! To see what's happening under the covers, we can set the verbosity level to 99 to get some logging:

kubectl --v=99 get pods
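The whole procedure above as one shell script, added here as an example rather than the post's own commands. It assumes that Minikube v0.30.0 passes API server flags through --extra-config=apiserver.<flag>, that the kube-apiserver flags are oidc-issuer-url, oidc-client-id and oidc-username-claim, and that Google's issuer URL is https://accounts.google.com; the client id, account and namespace values are placeholders. It goes beyond the post in two ways: it offers a namespace-scoped binding to the built-in view ClusterRole as a least-privilege alternative to cluster-admin (grant_cluster_admin is kept to reproduce the post exactly), and it finishes with kubectl auth can-i to verify the effective permissions. With DRY_RUN=1 the commands are printed instead of executed, so the script can be reviewed on a machine without minikube.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: Minikube v0.30.0
# accepts --extra-config=apiserver.<flag>; the kube-apiserver OIDC flags are
# oidc-issuer-url, oidc-client-id and oidc-username-claim; Google's issuer is
# https://accounts.google.com. Client id, email and namespace are placeholders.

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: start the cluster with the API server trusting Google as the OIDC
# issuer. The "email" claim becomes the Kubernetes username, which is why the
# RBAC subjects below are email addresses (k8s-oidc-helper writes the same
# identity into ~/.kube/config).
start_cluster() {
  client_id=$1
  run minikube start \
    --extra-config=apiserver.oidc-issuer-url=https://accounts.google.com \
    --extra-config=apiserver.oidc-username-claim=email \
    --extra-config=apiserver.oidc-client-id="$client_id"
}

# Step 2a: the post's binding. cluster-admin is unrestricted on every resource
# in every namespace, so this is the right choice only for a bootstrap admin.
grant_cluster_admin() {
  run kubectl create clusterrolebinding cluster-admin-minikube \
    --clusterrole=cluster-admin --user="$1"
}

# Step 2b: least-privilege alternative. A RoleBinding that references the
# built-in "view" ClusterRole grants read-only access inside one namespace only.
grant_view() {
  user=$1; namespace=$2
  run kubectl create rolebinding "view-$namespace" --namespace="$namespace" \
    --clusterrole=view --user="$user"
}

# Step 3: create a kubectl context for the user and switch to it.
use_oidc_context() {
  user=$1; context=$2
  run kubectl config set-context "$context" --cluster=minikube --user="$user"
  run kubectl config use-context "$context"
}

# Step 4: ask the API server's authorizer what the current identity may do.
# With the view binding the first answer should be "yes", the second "no"
# (can-i exits non-zero on "no", hence the || echo).
verify_access() {
  namespace=$1
  run kubectl auth can-i get pods --namespace="$namespace" || echo "(denied, as expected for view)"
  run kubectl auth can-i delete nodes || echo "(denied, as expected for view)"
}

# Full flow: $1 client id, $2 Google account email, $3 namespace.
# Swap grant_view for grant_cluster_admin "$user" to reproduce the post.
setup_all() {
  client_id=$1; user=$2; namespace=$3
  start_cluster "$client_id"
  grant_view "$user" "$namespace"
  use_oidc_context "$user" "$user"   # context named after the user
  verify_access "$namespace"
}

# Runs for real only when a client id is supplied, e.g.
#   OIDC_CLIENT_ID=xxx.apps.googleusercontent.com OIDC_USER=foobar@mailinator.com sh setup.sh
if [ -n "${OIDC_CLIENT_ID:-}" ]; then
  setup_all "$OIDC_CLIENT_ID" \
    "${OIDC_USER:?set OIDC_USER to the Google account email}" \
    "${OIDC_NAMESPACE:-default}"
fi
```

Two details worth knowing when the username claim is email: the API server's OIDC authenticator rejects a token whose email_verified claim is present and false, and RBAC subject names are exact string matches, so the address in the binding must match the account's email exactly.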

Enjoy!
