mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 01:36:23 +00:00

Add OIDC with KeyCloak examples

Signed-off-by: David Young <davidy@funkypenguin.co.nz>
This commit is contained in:
David Young
2023-11-15 14:00:23 +13:00
parent 62480a6c0d
commit 434e13b6e1
12 changed files with 516 additions and 13 deletions


@@ -2,7 +2,7 @@
title: Configure K3s for OIDC authentication with Authentik
description: How to configure your K3s Kubernetes cluster for OIDC authentication with Authentik
---
# Authenticate to Kubernetes with OIDC on K3s
# Authenticate to Kubernetes with authentik OIDC on K3s
This recipe describes how to configure K3s for OIDC authentication against an [authentik][k8s/authentik] instance.
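Review bot: the new H1 spells `authentik` in lowercase (matching the project's own branding and the body text in this hunk), but the front matter `title` and `description` two lines above still read `Authentik`; align those in the same change so the page title, the H1 and the body agree.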
@@ -38,13 +38,11 @@ Here's the lunatic option:
--kube-apiserver-arg=oidc-client-id=kube-apiserver
--kube-apiserver-arg=oidc-username-claim=email
--kube-apiserver-arg=oidc-groups-claim=groups
--kube-apiserver-arg=oidc-username-prefix='oidc:'
--kube-apiserver-arg=oidc-groups-prefix='oidc:'
```
And here's the gentlemanly option:
Created `/etc/rancher/k3s/config.yaml`, and add:
Create `/etc/rancher/k3s/config.yaml`, and add:
```yaml title="Gentlemanly YAML config option"
kube-apiserver-arg:
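Review bot: the two removed `oidc-username-prefix` / `oidc-groups-prefix` arguments were the only thing namespacing OIDC identities, and with `oidc-username-claim=email` kube-apiserver applies no default prefix, so after this change a `groups` claim from the IdP that contains `system:masters` (or an email equal to an existing username) maps straight onto the built-in subject. The shell form `--kube-apiserver-arg=oidc-username-prefix='oidc:'` was correct as written (the shell strips the single quotes), so consider keeping both lines here rather than dropping the prefix.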
@@ -52,8 +50,6 @@ kube-apiserver-arg:
- "oidc-client-id=kube-apiserver"
- "oidc-username-claim=email"
- "oidc-groups-claim=groups"
- "oidc-username-prefix='oidc:'"
- "oidc-groups-prefix='oidc:'"
```
Now restart k3s (*`systemctl restart k3s` on Ubuntu*), and confirm it starts correctly by watching the logs (*`journalctl -u k3s -f` on Ubuntu*)
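Review bot: in the YAML form the removed lines were genuinely broken as written: inside the double-quoted YAML strings the single quotes are literal, so k3s would have passed the prefix `'oidc:'` (quotes included) to kube-apiserver. The fix for that is `- "oidc-username-prefix=oidc:"` and `- "oidc-groups-prefix=oidc:"`, not deleting the prefix, which is what keeps IdP-issued user and group names from colliding with built-in `system:` subjects.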
@@ -76,7 +72,7 @@ kubectl oidc-login setup \
All going well, your browser will open a new window, logging you into authentik, and on the CLI you should get output something like this:
```
~ kubectl oidc-login setup --oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ --oidc-client-id=kube-apiserver --oidc-client-secret=cVj4YqmB4VPcq6e7 --oidc-extra-scope=profile,email
~ kubectl oidc-login setup --oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ --oidc-client-id=kube-apiserver --oidc-client-secret=<your secret> --oidc-extra-scope=profile,email
authentication in progress...
## 2. Verify authentication
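Review bot: replacing the literal `--oidc-client-secret=cVj4YqmB4VPcq6e7` with `<your secret>` is the right edit, but the old value stays in git history, so if that secret was ever a real one it should be rotated in the authentik provider rather than only redacted in the docs.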
@@ -97,7 +93,7 @@ You got a token with the following claims:
"email_verified": true,
"groups": [
"authentik Admins",
"admin-kubernetes"
"admin-kube-apiserver"
]
}
```
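Review bot: the sample group changes from `admin-kubernetes` to `admin-kube-apiserver`, but nothing in this diff updates the RBAC subject that grants that group access, so please confirm the ClusterRoleBinding (and the authentik group itself) use the new name; with the `oidc:` prefixes removed in the earlier hunks, the binding subject must be the bare `admin-kube-apiserver` rather than `oidc:admin-kube-apiserver`.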
@@ -184,15 +180,15 @@ We've setup our K3s cluster to authenticate against authentik, running on that s
!!! summary "Summary"
Created:
* [X] EKS cluster with OIDC authentication against [authentik][k8s/authentik]
* [X] K3s cluster with OIDC authentication against [authentik][k8s/authentik]
* [X] Ability to support:
* [X] Kubernetes Dashboard (*coming soon*)
* [X] [Kubernetes Dashboard][k8s/dashboard]
* [X] Weave GitOps (*coming soon*)
* [X] We've also retained our static, IAM-based `kubernetes-admin` credentials in case OIDC auth fails at some point (*keep them safe!*)
* [X] We've also retained our static, K3s-generated `kubernetes-admin` credentials in case OIDC auth fails at some point (*keep them safe!*)
What's next?
Deploy Weave GitOps to visualize your Flux / GitOps state, and Kubernetes Dashboard for UI management of your cluster!
Deploy Weave GitOps to visualize your Flux / GitOps state, and [Kubernetes Dashboard][k8s/dashboard] for UI management of your cluster!
[^1]: Later on, as we add more applications which need kube-apiserver authentication, we'll add more redirect URIs.
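Review bot: in the summary, `Weave GitOps (*coming soon*)` is still ticked `[X]` while the Kubernetes Dashboard line in this same hunk drops its `(*coming soon*)` and gains a link; either untick Weave GitOps or link it the same way. The `EKS cluster` and `IAM-based` leftovers fixed here suggest the page was copied from the EKS recipe, so it is worth checking the rest of the file for other EKS-specific wording.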