Kubernetes Authentication with GitHub OAuth and Dex
This is a tutorial on setting up access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.
Local meme from the Russian-language Kubernetes chat in Telegram
Introduction
We use Kubernetes to create dynamic environments for the development team and QA. So we want to give them access to the cluster for both the dashboard and kubectl. Unlike the same OpenShift, vanilla Kubernetes does not have native authentication, so we use third-party tools for this.
We chose GitHub simply because our company already uses it.
We tried Google OIDC first, but unfortunately we could not get group claims working with it, so the GitHub integration suited us just fine. Without group mapping it is not possible to build group-based RBAC policies.
Here is what our Kubernetes authorization process looks like:
Authorization process
A little more detail, point by point:
1. User logs into dex-k8s-authenticator (login.k8s.example.com)
2. dex-k8s-authenticator redirects the request to Dex (dex.k8s.example.com)
3. Dex redirects to the GitHub login page
4. GitHub generates the required authorization information and returns it to Dex
5. Dex passes the received information to dex-k8s-authenticator
6. User gets an OIDC token from GitHub
7. dex-k8s-authenticator adds the token to kubeconfig
8. kubectl passes the token to KubeAPIServer
9. KubeAPIServer validates the passed token and returns access to kubectl
10. User works with the cluster from kubectl
Preparatory Actions
Of course, we already have a Kubernetes cluster installed (k8s.example.com), as well as Helm. We also have an organization on GitHub (super-org).
If you don't have Helm, installing it is very simple.
First we need to set up GitHub.
Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
Create a new app on GitHub
Fill in the fields with the required URLs, for example:
Be careful with the links: it is important not to lose the slashes.
In response to the completed form, GitHub will generate a Client ID and a Client secret. Save them in a safe place, they will be needed later (for example, we keep our secrets in Vault):
Go to the login page (https://login.k8s.example.com) and log in with a GitHub account:
Authorization page
Authorization page redirected to GitHub
Follow the generated instructions to gain access
After copy-pasting the generated commands from the web page, we can use kubectl to manage our cluster resources:
$ kubectl get po
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3d
$ kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
And it works: all GitHub users in our organization can see resources and exec into pods, but they have no permission to change them.
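The RBAC that produces the behaviour above (read and exec, no mutations) is not shown in the article; the following is an added example, not the author's manifest. It assumes kube-apiserver is started with --oidc-groups-claim=groups and no --oidc-groups-prefix, and that Dex's GitHub connector emits the team as "super-org:developers" (the team slug "developers" is a placeholder).

```yaml
# Added example: group-based read-only access plus pod exec.
# Assumes Dex's GitHub connector presents the user's team in the "groups" claim
# as "org:team" and that kube-apiserver maps that claim to Kubernetes groups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: github-org-readonly
rules:
  # Read-only view of common workload and config objects.
  # Secrets are deliberately left out of this list.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "namespaces", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  # "Exec into pods": opening a shell is a create on the pods/exec subresource.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # No create/update/patch/delete on pods, so "kubectl delete po" returns Forbidden.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: github-org-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: github-org-readonly
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "super-org:developers"   # placeholder: group claim from Dex's GitHub connector
```

You can check the result without a real login using kubectl's impersonation flags, e.g. `kubectl auth can-i delete pods --as=someone --as-group=super-org:developers` should answer "no" while `kubectl auth can-i list pods --as=someone --as-group=super-org:developers` should answer "yes".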