mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 01:36:23 +00:00
geek-cookbook/docs/kubernetes/oidc-authentication/index.md
David Young 365cd92dd7 Add Kubernetes OIDC recipes
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
2023-11-03 23:04:58 +13:00


---
title: Configure Kubernetes for OIDC authentication
description: How to configure your Kubernetes cluster for OIDC authentication, so that you can provide RBAC-protected access to multiple users
---
# Authenticate to Kubernetes with OIDC
So you've got a shiny Kubernetes cluster, and you're probably using the `cluster-admin` config which was created as a result of the initial bootstrap.
While this hard-coded, `cluster-admin` credential is OK while you're bootstrapping, and should be safely stored somewhere as a password-of-last-resort, you'll probably want to secure your cluster with something a little more... secure.
Consider the following downsides to a single, static, long-lived credential:
1. It can get stolen
2. It can't be shared (*you might want to give your team access to the cluster, or even a limited subset of admin access*)
3. It can't be MFA'd
4. Using it for the Kubernetes Dashboard (*copying and pasting into a browser window*) is a huge PITA
True to form, Kubernetes doesn't provide a turnkey access solution, but it does provide all the necessary primitives (*RBAC, api-server arguments, etc.*) to build your own, starting with [authenticating and authorizing access to the apiserver](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server).
## Requirements
Securing access to the Kubernetes API server requires an OIDC provider, be it an external service like Auth0 or Okta, or a self-hosted, open-source IDP like Keycloak or [authentik][k8s/authentik].
### Setup Provider
1. Setup [Authentik for Kubernetes API authentication](/kubernetes/authentication/authentik/)
2. Keycloak (*coming soon*)
### Configure Kubernetes for OIDC auth
Once you've configured your OIDC provider, review the following, based on your provider and your Kubernetes platform:
#### Authentik
* [Authenticate K3s with Authentik as an OIDC provider](/kubernetes/oidc-authentication/k3s-authentik/)
* Authenticate EKS with Authentik as an OIDC provider
* Authenticate a kubeadm cluster using Authentik as an OIDC provider