Project to play with OIDC & SSO on kubernetes

A demo project showing how to configure a kubernetes cluster (kind) so that users accessing the platform are authenticated with OIDC, using Keycloak as the OIDC provider and Keycloak groups to drive RBAC.

The setup is not very complex, but it nevertheless requires several steps:

  • Generate a root CA certificate and key. Both sides need it: the API server trusts Keycloak's TLS endpoint through this CA (oidc-ca-file below), and the certificate served by the Keycloak ingress is issued from it
  • Patch the kubeadmConfigPatches of the kind config to pass the OIDC extra args to the API server (apiServer sits at the same level as kind in the ClusterConfiguration):
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        oidc-client-id: kube
        oidc-issuer-url: https://$KEYCLOAK_HOSTNAME/realms/master
        oidc-username-claim: email
        oidc-groups-claim: groups
        oidc-ca-file: /etc/ca-certificates/keycloak/root-ca.pem
    
  • Mount the generated CA certificate into the control-plane node with the extraMounts parameter of the kind config, at the path given to oidc-ca-file
  • Create the kind cluster
  • Install cert-manager so that it issues, out of the box and from the root CA, the TLS secret for the Keycloak ingress host
  • Install Keycloak with a PostgreSQL DB and expose it as an ingress host: https://keycloak.127.0.0.1.nip.io
  • Create a kube OIDC client in Keycloak with client_id: kube (this must match oidc-client-id, since the API server only accepts tokens whose aud is this client) and client secret: kube-client-secret
  • Add some users: user-dev, user-admin and groups: kube-dev, kube-admin
  • Create on the cluster some ClusterRoleBindings, kube-admin and kube-dev, that bind each group to a different ClusterRole: cluster-admin, edit, etc
  • Assign each user to a Keycloak group (e.g. user-dev -> group: kube-dev). With this mapping, the id_token returned as a JWT by Keycloak carries the groups the authenticated user belongs to, and the API server reads them from the claim named by oidc-groups-claim:
    # JWT snippet from the "user-admin" id_token
    "email": "[email protected]",
    "groups": [
      "kube-admin"
    ],
  • Set for each user the OIDC auth provider credentials using the command: kubectl config set-credentials user-dev --auth-provider=oidc ... (newer kubectl releases steer users toward exec credential plugins such as kubelogin instead of the built-in oidc auth provider)
  • Switch to one of the users and try to create resources: kubectl config use-context user-dev; kubectl create ns test (creating a namespace is cluster-scoped, so it only succeeds for the group bound to cluster-admin)
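The following script is an added example, not code from this project: it reproduces offline what the API server does with a Keycloak id_token under the extraArgs above, so the steps can be followed without a cluster. It checks iss against oidc-issuer-url and aud against oidc-client-id, takes the username from the email claim and the groups from the groups claim, and evaluates the result against ClusterRoleBindings. The tokens, the e-mail addresses, the role rules (a reduced stand-in for the built-in cluster-admin and edit ClusterRoles) and the group-to-role bindings are all constructed here; RS256 signature verification against the realm's JWKS, which the real API server performs over TLS validated with oidc-ca-file, is deliberately left out.

```python
"""Claim-to-RBAC walk-through for the kind + Keycloak OIDC setup (added example)."""
import base64
import json
import time

# Values taken from the kind config above.
ISSUER = "https://keycloak.127.0.0.1.nip.io/realms/master"  # oidc-issuer-url
CLIENT_ID = "kube"                                          # oidc-client-id
USERNAME_CLAIM = "email"                                    # oidc-username-claim
GROUPS_CLAIM = "groups"                                     # oidc-groups-claim

# Constructed, reduced rule sets: the real built-in ClusterRoles are larger,
# but "edit" really does not allow creating namespaces.
CLUSTER_ROLES = {
    "cluster-admin": [{"resources": {"*"}, "verbs": {"*"}}],
    "edit": [
        {"resources": {"pods", "deployments", "services", "configmaps"},
         "verbs": {"get", "list", "watch", "create", "update", "patch", "delete"}},
        {"resources": {"namespaces"}, "verbs": {"get", "list", "watch"}},
    ],
}
# Assumed ClusterRoleBindings: Keycloak group -> ClusterRole.
CLUSTER_ROLE_BINDINGS = [
    {"role": "cluster-admin", "groups": {"kube-admin"}},
    {"role": "edit", "groups": {"kube-dev"}},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(email, groups, iss=ISSUER, aud=CLIENT_ID, ttl=300):
    """Build a constructed id_token shaped like Keycloak's. The signature part is
    a placeholder; Keycloak signs with RS256 and the API server verifies it
    against the realm's JWKS."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": iss, "aud": aud, "iat": now, "exp": now + ttl,
              "email": email, "groups": groups}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"signature-not-checked-in-this-example")])


def identity_from_token(token, now=None):
    """Return (username, groups) or raise ValueError, mirroring the API server's
    issuer, audience and expiry checks and its claim mapping."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in auds:
        raise ValueError("token not issued for client %r" % CLIENT_ID)
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError("missing %s claim" % USERNAME_CLAIM)
    groups = claims.get(GROUPS_CLAIM, [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("%s claim must be a list of strings" % GROUPS_CLAIM)
    return username, list(groups)


def allowed(groups, verb, resource):
    """Cluster-scoped RBAC: does any ClusterRoleBinding for these groups grant
    verb on resource? Namespace-scoped RoleBindings are not modelled."""
    for crb in CLUSTER_ROLE_BINDINGS:
        if not crb["groups"] & set(groups):
            continue
        for rule in CLUSTER_ROLES[crb["role"]]:
            if ("*" in rule["resources"] or resource in rule["resources"]) and \
               ("*" in rule["verbs"] or verb in rule["verbs"]):
                return True
    return False


def can(token, verb, resource):
    """Authenticate the token, then authorize the mapped identity."""
    _username, groups = identity_from_token(token)
    return allowed(groups, verb, resource)


if __name__ == "__main__":
    # Constructed e-mail addresses for the two README users.
    dev = make_id_token("user-dev@example.com", ["kube-dev"])
    admin = make_id_token("user-admin@example.com", ["kube-admin"])
    print("user-dev   create namespaces :", can(dev, "create", "namespaces"))
    print("user-dev   create deployments:", can(dev, "create", "deployments"))
    print("user-admin create namespaces :", can(admin, "create", "namespaces"))
    # A token Keycloak issued for a different client must not be accepted.
    foreign = make_id_token("user-admin@example.com", ["kube-admin"], aud="other-app")
    try:
        can(foreign, "create", "namespaces")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows why `kubectl create ns test` fails for user-dev but works for user-admin, and that a valid Keycloak token for another client id is rejected before authorization is even reached.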

To play the scenario with kind + Keycloak and have them configured for you, execute the following script: ./scripts/kind-oidc-keycloak.sh

Some useful References

Kind OIDC + Keycloak