kubectl with OpenID Connect

TL;DR

Kubernetes authentication with Google Identity Platform

Getting Started

1. Setup your OpenID Connect Provider

2. Setup your Kubernetes API Server

spec:
  kubeAPIServer:
    oidcClientID: kubernetes
    oidcGroupsClaim: groups
    oidcIssuerURL: https://keycloak.example.com/auth/realms/hello

oidc:
  enabled: true
  issuerUrl: https://keycloak.example.com/auth/realms/hello
  clientId: kubernetes
  groupsClaim: groups

3. Setup kubectl with kubelogin

# Homebrew
brew install int128/kubelogin/kubelogin

# Krew
kubectl krew install oidc-login

users:
- name: keycloak
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://issuer.example.com
      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET

kubectl get pods

Login page of Keycloak

% kubectl get pods
Open http://localhost:8000 for authentication
You got a valid token until 2019-05-18 10:28:51 +0900 JST
Error from server (Forbidden): pods is forbidden: User "https://keycloak.example.com/auth/realms/hello#874c4a74-faf3-45a0-bcfe-9ddf4fb802ea" cannot list pods in the namespace "default"

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: User
  name: https://keycloak.example.com/auth/realms/hello#874c4a74-faf3-45a0-bcfe-9ddf4fb802ea

% kubectl get pods
NAME                          READY   STATUS    RESTARTS   AGE
echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
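The Forbidden message above shows the user name the API server derived from the ID token: the issuer URL, a "#", and the "sub" claim. The following added example (written for this edit, not code from the article or from kubelogin) reproduces that mapping in Python: it decodes a constructed ID token's claims, applies the issuer, audience and expiry checks together with the kube-apiserver username-prefix and groups-claim rules, and then checks the resulting identity against the article's ClusterRoleBinding and against a constructed group-based binding that grants only the "view" role. Signature verification is left out (the API server does it against the issuer's JWKS); the "developers" group, the "view" binding and the placeholder signature are assumptions made for the example.

```python
import base64
import json
import time

# Server-side settings taken from the article's API server configuration
# (clientId "kubernetes", Keycloak issuer URL, groupsClaim "groups"). The
# username claim and the prefixes are kube-apiserver defaults, which the
# article does not override.
API_SERVER_OIDC = {
    "issuer_url": "https://keycloak.example.com/auth/realms/hello",
    "client_id": "kubernetes",
    "username_claim": "sub",   # kube-apiserver default
    "username_prefix": None,   # flag not set: the default prefix rule applies
    "groups_claim": "groups",
    "groups_prefix": "",
}

# Constructed ID token claims (not a real token). The sub and the expiry match
# the values visible in the article's output; the group "developers" is an
# assumption for this example.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/auth/realms/hello",
    "aud": "kubernetes",
    "sub": "874c4a74-faf3-45a0-bcfe-9ddf4fb802ea",
    "exp": 1558142931,  # 2019-05-18 10:28:51 +0900 as a Unix timestamp
    "groups": ["developers"],
}


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature so the claim mapping can be
    exercised offline. A real ID token is signed by the issuer and the API server
    verifies that signature against the issuer's JWKS before mapping claims."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder-signature"])


def decode_claims(id_token: str) -> dict:
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def map_identity(claims: dict, cfg: dict, now=None):
    """Apply the checks and the username/groups mapping that kube-apiserver performs
    on an already signature-verified ID token. Raises PermissionError where the API
    server would reject the token. Returns (username, groups)."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["issuer_url"]:
        raise PermissionError("issuer does not match oidcIssuerURL")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if cfg["client_id"] not in audiences:
        raise PermissionError("token was not issued for oidcClientID")
    if "exp" not in claims or claims["exp"] <= now:
        raise PermissionError("token is expired")

    claim = cfg["username_claim"]
    if claim not in claims:
        raise PermissionError(f"token has no {claim!r} claim")
    # For the email claim, a present-but-false email_verified is rejected.
    if claim == "email" and claims.get("email_verified", True) is not True:
        raise PermissionError("email not verified")

    prefix = cfg["username_prefix"]
    if prefix is None:
        # Default rule: any username claim other than "email" is prefixed with
        # "<issuer URL>#" so subs from different issuers cannot collide. This is
        # why the article's Forbidden message names the user as iss#sub.
        prefix = "" if claim == "email" else cfg["issuer_url"] + "#"
    elif prefix == "-":
        prefix = ""  # "-" disables prefixing entirely
    username = prefix + str(claims[claim])

    groups = claims.get(cfg["groups_claim"], [])
    if isinstance(groups, str):  # the groups claim may be a string or a list
        groups = [groups]
    return username, [cfg["groups_prefix"] + g for g in groups]


def binding_matches(binding: dict, username: str, groups) -> bool:
    """True when a (Cluster)RoleBinding's subjects include this mapped identity: a
    User subject must equal the full prefixed username, a Group subject one of the groups."""
    for subject in binding.get("subjects", []):
        if subject.get("kind") == "User" and subject.get("name") == username:
            return True
        if subject.get("kind") == "Group" and subject.get("name") in groups:
            return True
    return False


# The article's binding: the subject name is the full "iss#sub" username.
ARTICLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "oidc-admin-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "User",
                  "name": "https://keycloak.example.com/auth/realms/hello#874c4a74-faf3-45a0-bcfe-9ddf4fb802ea"}],
}


def demo() -> dict:
    """Map the constructed token, then check it against the article's binding and
    against a constructed group-based binding that grants only the "view" role."""
    claims = decode_claims(make_sample_token(SAMPLE_CLAIMS))
    username, groups = map_identity(claims, API_SERVER_OIDC, now=SAMPLE_CLAIMS["exp"] - 600)
    group_binding = {
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
        "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io", "name": "developers"}],
    }
    return {
        "username": username,
        "groups": groups,
        "matches_article_binding": binding_matches(ARTICLE_BINDING, username, groups),
        "matches_group_binding": binding_matches(group_binding, username, groups),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the mapped username, which is byte-for-byte the name in the Forbidden message, and shows that both the article's per-user binding and the group binding match the same token. Binding a Group subject to a narrower ClusterRole than cluster-admin keeps RBAC tied to the identity provider's group membership rather than to one opaque sub.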

Wrap up

See also

Software Engineer at https://github.com/int128
