ObjectifLibre / k8s-ldap

License: Apache-2.0
Kubernetes - LDAP authentication with Dex

Kubernetes - LDAP authentication with Dex

Docs

This deployment follows the Dex (by CoreOS) and Kubernetes documentation.

Requirements

  • DNS entries:

    • dex.k8s.example.com --> Dex OIDC provider
    • login.k8s.example.com --> Custom Login Application
  • Kubernetes cluster available with the following requirements:

    • RBAC enabled
    • OIDC authentication enabled. API server configuration:
      • --oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint. It must match the `issuer` value in the Dex configuration exactly, since the API server compares it with the `iss` claim of every token.
      • --oidc-client-id=loginapp: Client ID of our Login Application. The API server only accepts tokens whose audience is this client ID.
      • --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Let's Encrypt CA chain, because the Dex certificate will be requested automatically. The API server uses it to verify the Dex endpoint when it fetches the signing keys.
      • --oidc-username-claim=name: Maps to the `nameAttr` of the Dex LDAP connector configuration. Kubernetes RBAC uses this value as the user name, so choose an LDAP attribute that is unique across the directory (a display name usually is not), otherwise two LDAP entries could map to the same Kubernetes user.
      • --oidc-groups-claim=groups: Kubernetes RBAC uses this claim for Group subjects.
    • Ingress Controller available.
    • Automatic certificate requests for Kubernetes (ex: https://github.com/jetstack/cert-manager)
  • An available LDAP server, reachable from the Dex pods

Helm chart

A Helm chart is available here.

Login application

  • Create the auth namespace:
kubectl create ns auth
  • Create resources:
# CA (letsencrypt) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App Ingress and SVC
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml

The login application should fail at this point because Dex is not deployed yet.

Dex

CRD

We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as the Dex storage backend, so no external database is needed.

kubectl create -f dex-crd.yml

Deployment

  • Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex ingress and service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml
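The Dex configuration carried by dex-cm.yml is not shown on this page. The following is an added example (not the repository's own ConfigMap) of a Dex config that fits the API server flags listed in the requirements: CRD storage matching the dex-crd.yml step, an LDAP connector whose `nameAttr` and `groupSearch` feed the `name` and `groups` claims, and the `loginapp` static client. The LDAP host, DNs, CA path, listen port, redirect URI and environment variable names are assumptions.

```yaml
# Added example of a Dex config (mounted into the Dex pod); values below are assumed.
issuer: https://dex.k8s.example.com/dex   # must equal --oidc-issuer-url on the API server

# Store clients, refresh tokens and keys as Kubernetes custom resources (see dex-crd.yml)
storage:
  type: kubernetes
  config:
    inCluster: true

web:
  http: 0.0.0.0:5556      # plain HTTP inside the cluster; TLS is terminated at the Ingress

oauth2:
  skipApprovalScreen: true

connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: ldap.example.com:636            # assumed LDAP host, LDAPS
    insecureNoSSL: false                  # never send bind credentials in clear text
    insecureSkipVerify: false
    rootCA: /etc/dex/ldap/ca.crt          # assumed path to the LDAP server's CA
    bindDN: cn=dex,ou=services,dc=example,dc=com   # assumed read-only service account
    bindPW: $LDAP_BIND_PASSWORD           # expanded by Dex from its environment; inject from a Secret
    userSearch:
      baseDN: ou=people,dc=example,dc=com
      filter: "(objectClass=person)"
      username: uid                       # attribute matched against the login form's username
      idAttr: uid
      emailAttr: mail
      nameAttr: uid                       # becomes the `name` claim -> --oidc-username-claim=name
    groupSearch:
      baseDN: ou=groups,dc=example,dc=com
      filter: "(objectClass=groupOfNames)"
      userAttr: DN                        # match the user's DN ...
      groupAttr: member                   # ... against the group's member attribute
      nameAttr: cn                        # each cn becomes an entry of the `groups` claim

staticClients:
- id: loginapp                            # must equal --oidc-client-id
  name: Login Application
  secret: $LOGINAPP_CLIENT_SECRET         # shared with the login application, from a Secret
  redirectURIs:
  - https://login.k8s.example.com/callback   # assumed callback path of the login application
```

Two details matter for the RBAC steps that follow: `nameAttr` is used here as `uid` rather than a display name so the `name` claim is unique, and Dex only includes the `groups` claim in the ID token when the login application requests the `groups` scope (for example `openid profile email groups`).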

Now it should work: open https://login.k8s.example.com, log in with your LDAP credentials and retrieve the Kubernetes configuration. The ID token it contains is used as $token below.

kubectl --token=$token get pods -n auth
Error from server (Forbidden): pods is forbidden: User "<oidc-issuer-url>#<name>" cannot list pods in the namespace "auth"

Authentication succeeded (the API server accepted the token) but authorization failed, because no RBAC binding matches the user yet. Since --oidc-username-prefix is not set and the username claim is not `email`, the API server prefixes the user name with the issuer URL followed by "#"; this is the exact string that must appear in RBAC subjects. The prefix can be changed with the --oidc-username-prefix apiserver option (the value "-" disables prefixing entirely).

  • Create ClusterRoleBinding resource:
kubectl create -f crb-all-auth.yml
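The contents of crb-all-auth.yml are not on this page. The following added example (not the repository's file) shows how OIDC identities must be spelled in RBAC subjects given the API server flags above. It uses a RoleBinding scoped to the `auth` namespace with the built-in `view` ClusterRole instead of a cluster-wide binding, to keep the grant minimal; the user `alice` and the LDAP group `k8s-viewers` are assumed.

```yaml
# Added example: RoleBinding for an OIDC user and group (names are assumed).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oidc-view-auth
  namespace: auth
subjects:
# With --oidc-username-claim=name and no --oidc-username-prefix, the API server
# derives the user name as "<--oidc-issuer-url>#<name claim>", so the subject
# must reproduce that string exactly.
- kind: User
  name: "https://dex.k8s.example.com/dex#alice"   # assumed user whose uid is "alice"
  apiGroup: rbac.authorization.k8s.io
# Group names are taken verbatim from the `groups` claim (no prefix unless
# --oidc-groups-prefix is set). Binding groups instead of users keeps RBAC
# aligned with the directory as people join and leave.
- kind: Group
  name: k8s-viewers                                # assumed LDAP group cn
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view            # built-in read-only role, bound here only within "auth"
  apiGroup: rbac.authorization.k8s.io
```

If --oidc-username-prefix is set (for example to `oidc:`), replace the issuer URL and "#" in the User subject with that prefix; if it is set to "-", use the bare `name` claim. After applying the binding, `kubectl --token=$token auth can-i list pods -n auth` should answer `yes`.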

Try again:

kubectl --token=$token get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m