Kubernetes Day 2 Operations: AuthN/AuthZ with OIDC and a Little Help From Keycloak

What getting started with Kubernetes can feel like.
  • Client ID — The public, unique name for this OIDC client. Tokens issued for this client carry the ID in their aud (audience) claim, and the API server checks for it.
  • Client Secret — A shared secret that authenticates the client (here kubectl, which needs it to refresh tokens) to the Identity Provider. The Kubernetes API server never sees the secret; it only verifies the token's signature.
  • Issuer URL — The address of the OIDC Identity Provider. It appears in every token's iss claim and must match exactly.
  • Redirect URL — The URL the user is sent back to after a successful login and consent. The provider only redirects to registered URLs, so the token cannot be delivered to an arbitrary site.
  • Scope — A request by a client or application for access (permission) to information about the identity. These are the prompts you see with a Social Login when the app asks for permission to access your email, name, etc.
  • Claim — The actual attributes attached to the identity, i.e. what a scope grants access to: your name, your email address, etc. Claims can be extended to carry a list of groups the identity belongs to, or other seeded information. OIDC defines a standard set of profile claims that are widely supported.

Configuring Kubernetes

These are flags on kube-apiserver, each written with a leading double dash (e.g. --oidc-issuer-url):

  • oidc-issuer-url — URL of our OIDC Identity Provider. The API server fetches the provider's signing keys from here and rejects tokens whose iss claim does not match it exactly.
  • oidc-client-id — The unique name of the client registered with your OIDC provider. A token is only accepted if this ID appears in its aud claim.
  • oidc-username-claim — This is sub by default, but sub varies between OIDC providers and is often not friendly (e.g. a UUID). For any claim other than email, and with no oidc-username-prefix set, the API server prepends the full oidc-issuer-url followed by # to the value. The email claim is the exception, which is why I strongly advocate using email as the oidc-username-claim. Note that if the token also carries an email_verified claim set to false, the API server rejects it.
  • oidc-username-prefix — A string inserted in front of the username, both to signify that it is an OIDC user and to prevent clashing with an account that is already present (including the built-in system: users). A common choice is oidc:, giving e.g. oidc:bob@example.com. The value - disables prefixing entirely.
  • oidc-groups-claim — The name of the claim whose values are mapped to groups within Kubernetes. Keycloak emits group paths, so these typically start with a slash.
  • oidc-groups-prefix — A string inserted in front of each group name to prevent clashing, e.g. oidc: giving oidc:/kubernetes-users.
  • oidc-ca-file — Path to the CA certificate that signed the certificate of the Identity Provider. If omitted, the host's trusted root CAs are used.

Obtaining a Token and Configuring Kubectl

$ kubectl config set-credentials <username> \
  --auth-provider=oidc \
  --auth-provider-arg=idp-issuer-url=<oidc-issuer-url> \
  --auth-provider-arg=client-id=<oidc-client-id> \
  --auth-provider-arg=client-secret=<oidc-client-secret> \
  --auth-provider-arg=id-token=<oidc-id-token> \
  --auth-provider-arg=refresh-token=<oidc-refresh-token>

(The built-in oidc auth-provider shown here was later deprecated in favour of exec credential plugins, which obtain the tokens the same way; the flags on the API server side are unchanged.)

$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "oidc:<email_address>" cannot list pods in the namespace "default"

Note what this error is telling us: authentication succeeded. The API server accepted the token and identified us as oidc:<email_address>; what is missing is authorization, because no RBAC binding yet grants that user anything.

Role Based Access Control (RBAC)

A Role is namespaced and grants a set of verbs on a set of resources; the one below allows read-only access to pods in the default namespace:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

A ClusterRoleBinding attaches a ClusterRole to subjects cluster-wide. The subject names must match exactly what the API server produces from the token, prefixes included: the user oidc:admin@example.com and the Keycloak group oidc:/cluster-admins. Binding cluster-admin to a group means that adding someone to the Keycloak group is all it takes to make them a cluster administrator, so guard membership of that group accordingly.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: oidc:admin@example.com
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:/cluster-admins

With the binding applied, the same request now succeeds:

$ kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
keycloak-0     1/1     Running   2          1d
postgresql-0   1/1     Running   2          1d
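To see why the RBAC subjects above have to be spelled oidc:admin@example.com and oidc:/cluster-admins, it helps to walk through what the API server does with a token: it checks iss and aud, picks the username claim, applies the prefix rules from the flag list above, and then compares the result against binding subjects. The script below is an added example (not code from the original post or from Kubernetes) that reproduces those documented rules in Python over a constructed, unsigned token. The issuer URL, client ID, user and group values are assumptions chosen to match the post; the JWT is decoded without signature verification, which is fine for inspecting claims but is never what the API server does.

```python
import base64
import json

# Constructed values for the example (assumptions, not from the original post).
ISSUER = "https://keycloak.devlocal/auth/realms/k8s"
CLIENT_ID = "kubernetes"


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only the API server's signature check (against keys fetched from the
    issuer) makes claims trustworthy; this is for looking at what Keycloak
    put in the token, e.g. to confirm the groups claim is present.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def map_subject(claims, issuer, client_id, username_claim="email",
                username_prefix=None, groups_claim=None, groups_prefix=""):
    """Apply the kube-apiserver --oidc-* flag semantics to a set of claims.

    Returns (username, groups) as RBAC will see them. Rules mirrored here:
      - iss must equal --oidc-issuer-url, aud must contain --oidc-client-id
      - username claim must be present; if it is "email" and the token says
        email_verified: false, the token is rejected
      - with no --oidc-username-prefix and a claim other than "email", the
        issuer URL plus '#' is prepended; the prefix '-' disables prefixing
      - each value of the groups claim gets --oidc-groups-prefix prepended
    """
    if claims.get("iss") != issuer:
        raise ValueError("oidc: issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("oidc: audience does not contain client ID")
    if username_claim not in claims:
        raise ValueError("oidc: token missing username claim %r" % username_claim)
    if username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("oidc: email not verified")

    if username_prefix is None:
        username_prefix = "" if username_claim == "email" else issuer + "#"
    elif username_prefix == "-":
        username_prefix = ""
    username = username_prefix + str(claims[username_claim])

    groups = []
    if groups_claim:
        raw = claims.get(groups_claim, [])
        raw = raw if isinstance(raw, list) else [raw]
        groups = [groups_prefix + str(g) for g in raw]
    return username, groups


def binding_matches(subjects, username, groups):
    """True if a (Cluster)RoleBinding subject list names this user or one of its groups."""
    for subject in subjects:
        if subject["kind"] == "User" and subject["name"] == username:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def make_unsigned_token(claims):
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-sig"


# Constructed claims resembling what Keycloak issues once a "groups" mapper is added.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "3c9e2a4e-1f0b-4c7d-9a3e-0d6f1b2c8e11",
    "email": "admin@example.com",
    "email_verified": True,
    "groups": ["/cluster-admins", "/kubernetes-users"],
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

# The subjects from the ClusterRoleBinding above.
CLUSTER_ADMIN_SUBJECTS = [
    {"kind": "User", "name": "oidc:admin@example.com"},
    {"kind": "Group", "name": "oidc:/cluster-admins"},
]

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    user, groups = map_subject(claims, ISSUER, CLIENT_ID, "email", "oidc:", "groups", "oidc:")
    print(user, groups, binding_matches(CLUSTER_ADMIN_SUBJECTS, user, groups))
    # Same token with the default username claim and no prefix: note the issuer# form.
    print(map_subject(claims, ISSUER, CLIENT_ID)[0])
    print(map_subject(claims, ISSUER, CLIENT_ID, "sub")[0])
```

Run it against a real Keycloak token (paste it into SAMPLE_TOKEN) to check that the groups claim is actually present before spending time on bindings: a missing claim is the usual reason a Group subject never matches. The issuer# form printed for the sub claim is exactly the unfriendly username the post warns about.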

With That…


$ kubectl config set-context oidckube-admin \
  --cluster=minikube \
  --user=admin@keycloak.devlocal
$ kubectl config use-context oidckube-admin

The --user value must be the same <username> given to kubectl config set-credentials earlier; it is only a kubeconfig label, the identity the cluster sees still comes from the token.





Research Cloud Administrator @ University of Michigan | http://arc-ts.umich.edu/ | CNCF Ambassador | OSS and Open Science Advocate | https://mrbobbytabl.es
