Secure Your Kubernetes Cluster with Google OIDC

  1. kuber.example.org where you can access your Kubernetes dashboard using Google OIDC

Versions

  • kubectl: 1.8.6
  • Kubernetes: 1.8.6 w/ RBAC enabled
  • Kops: 1.8

Tools

Step 1 — Set up an OIDC application in Google

Step 2 — Configure the Kubernetes API Server

kubeAPIServer:
  oidcClientID: REDACTED.apps.googleusercontent.com
  oidcIssuerURL: "https://accounts.google.com"
  oidcUsernameClaim: email
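To make concrete what those three settings commit the API server to, here is an added Python example (not from the post and not kops or Kubernetes code) that reconstructs, in simplified form, the claim checks applied to a Google id_token before its email claim becomes the Kubernetes username: the issuer must equal oidcIssuerURL, the audience must include oidcClientID, the token must be unexpired, and the claim named by oidcUsernameClaim must be present and, for email, not carry email_verified=false. The client ID constant and the unsigned token builder are constructed for offline use; the real API server also verifies the token signature against the issuer's published keys, which this example skips.

```python
import base64
import json
import time

# Settings mirrored from the kops kubeAPIServer block in Step 2.
# The client ID is the redacted placeholder from the post, not a real one.
OIDC_ISSUER_URL = "https://accounts.google.com"
OIDC_CLIENT_ID = "REDACTED.apps.googleusercontent.com"
OIDC_USERNAME_CLAIM = "email"


def decode_id_token_payload(id_token):
    """Return the claims of a JWT id_token without verifying its signature.

    Signature verification against the issuer's JWKS is the API server's job;
    this helper only decodes the payload so the claim mapping can be inspected.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_claims_to_user(claims, now=None):
    """Apply the checks the API server performs before trusting a token.

    Returns (username, reason); username is None when the token would be
    rejected. This is a simplified reconstruction, not the API server's code.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != OIDC_ISSUER_URL:
        return None, "issuer does not match oidcIssuerURL"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if OIDC_CLIENT_ID not in aud:
        return None, "audience does not include oidcClientID"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        return None, "username claim %r missing" % OIDC_USERNAME_CLAIM
    # With the email claim as username, a token that explicitly says the
    # address is unverified must not be mapped to a user.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        return None, "email not verified"
    return username, "ok"


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT (alg=none) for offline demonstration."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    token = make_unsigned_token({
        "iss": OIDC_ISSUER_URL,
        "aud": OIDC_CLIENT_ID,
        "exp": int(time.time()) + 3600,
        "email": "benjamin.visser@example.org",
        "email_verified": True,
    })
    print(map_claims_to_user(decode_id_token_payload(token)))
```

The username that comes out of this mapping is exactly the string that later shows up in RBAC subjects and in the audit log, so any binding you write for a person must use their full email address as the API server sees it in the token.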

Step 3 — Create TLS Certs using LetsEncrypt

./acme.sh --issue -d "kuber.example.org" --dns dns_aws --keylength ec-256
.acme.sh output

Step 4 — Create Nginx Ingress

Nginx Ingress Basics

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/default-backend.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/configmap.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/tcp-services-configmap.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/udp-services-configmap.yaml

Nginx Ingress RBAC

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/with-rbac.yaml

Nginx Ingress AWS ELB

kubectl patch deployment -n ingress-nginx nginx-ingress-controller --type='json' \
  --patch="$(curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/publish-service-patch.yaml)"
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-l4.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/patch-configmap-l4.yaml

Step 5 — Set up Route53 for the new ELB

Step 6 — Set up the Proxy for Dashboard AuthN

brew tap tazjin/kontemplate https://github.com/tazjin/kontemplate
brew install kontemplate
kubectl create secret \
  -n kube-system \
  generic \
  kube-dashboard-secrets \
  --from-literal=client_id=REDACTED.apps.googleusercontent.com \
  --from-literal=client_secret=REDACTED \
  --from-literal=session=enGCuITaBPHQtpZSxhcivw==
kubectl create secret tls kuberos-tls-secret \
  --key '/Users/noqcks/.acme.sh/*.example.org_ecc/*.example.org.key' \
  --cert '/Users/noqcks/.acme.sh/*.example.org_ecc/*.example.org.cer' \
  -n kube-system
kontemplate template cluster.yaml -i oidc-proxy-dashboard
kontemplate apply cluster.yaml -i oidc-proxy-dashboard

Step 7 — Set up the Proxy for Kubectl AuthN

kubectl create secret \
  -n kube-system \
  generic \
  kuberos-secret \
  --from-literal=secret={{ OIDC client secret here }}
kontemplate apply cluster.yaml -i kuberos
The kuberos web service.
Mar 21 17:47:07 ip-172-20-58-238 kube-apiserver-audit.log Metadata
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1beta1",
  "metadata": {
    "creationTimestamp": "2018-03-21T21:47:07Z"
  },
  "level": "Metadata",
  "timestamp": "2018-03-21T21:47:07Z",
  "auditID": "20ac14d3-1214-42b8-af3c-31454f6d7dfb",
  "stage": "RequestReceived",
  "requestURI": "/api/v1/namespaces/default/persistentvolumeclaims",
  "verb": "list",
  "user": {
    "username": "benjamin.visser@example.org",
    "groups": [
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "172.20.66.233"
  ],
  "objectRef": {
    "resource": "persistentvolumeclaims",
    "namespace": "default",
    "apiVersion": "v1"
  },
  "requestReceivedTimestamp": "2018-03-21T21:47:07.603214Z",
  "stageTimestamp": "2018-03-21T21:47:07.603214Z"
}
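The value of the OIDC setup shows in that event: the username is the person's email, not a shared token. As an added example (not part of the original post), the following Python reads audit lines like the one above, one JSON event per line as the API server's JSON audit format writes them, tolerates the syslog-style prefix shown, and reports what each OIDC-identified user did and which of their requests RBAC rejected. The sample events are constructed: the first mirrors the event above at the ResponseComplete stage with a 200, the 403 and service-account events are invented, and the audit IDs other than the one shown are placeholders.

```python
import json
from collections import defaultdict

# Constructed audit events, one compact JSON object per line as the API server
# writes them with --audit-log-format=json. Modelled on the event shown above;
# the 403 and service-account events are invented for illustration.
SAMPLE_AUDIT_LINES = [
    "Mar 21 17:47:07 ip-172-20-58-238 kube-apiserver-audit.log "
    + json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1beta1", "level": "Metadata",
        "auditID": "20ac14d3-1214-42b8-af3c-31454f6d7dfb", "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/default/persistentvolumeclaims", "verb": "list",
        "user": {"username": "benjamin.visser@example.org", "groups": ["system:authenticated"]},
        "sourceIPs": ["172.20.66.233"],
        "objectRef": {"resource": "persistentvolumeclaims", "namespace": "default", "apiVersion": "v1"},
        "responseStatus": {"code": 200},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1beta1", "level": "Metadata",
        "auditID": "constructed-0002", "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/kube-system/secrets", "verb": "list",
        "user": {"username": "benjamin.visser@example.org", "groups": ["system:authenticated"]},
        "sourceIPs": ["172.20.66.233"],
        "objectRef": {"resource": "secrets", "namespace": "kube-system", "apiVersion": "v1"},
        "responseStatus": {"code": 403},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1beta1", "level": "Metadata",
        "auditID": "constructed-0003", "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/kube-system/endpoints", "verb": "get",
        "user": {"username": "system:serviceaccount:kube-system:default",
                 "groups": ["system:serviceaccounts", "system:authenticated"]},
        "sourceIPs": ["172.20.58.238"],
        "objectRef": {"resource": "endpoints", "namespace": "kube-system", "apiVersion": "v1"},
        "responseStatus": {"code": 200},
    }),
    "not an audit event at all",
]


def parse_audit_lines(lines):
    """Parse JSON audit events, tolerating a syslog-style prefix before the '{'."""
    events = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            event = json.loads(line[start:])
        except ValueError:
            continue
        if event.get("kind") == "Event":
            events.append(event)
    return events


def is_human_user(event):
    """OIDC-authenticated people carry their email as username; built-in and
    service-account identities all live under the reserved system: prefix."""
    return not event.get("user", {}).get("username", "").startswith("system:")


def user_activity(events):
    """Map each human username to the sorted set of 'verb resource/namespace' it issued."""
    activity = defaultdict(set)
    for e in events:
        if not is_human_user(e):
            continue
        ref = e.get("objectRef", {})
        activity[e["user"]["username"]].add(
            "%s %s/%s" % (e.get("verb"), ref.get("resource"), ref.get("namespace", "-")))
    return {user: sorted(acts) for user, acts in activity.items()}


def denied_requests(events):
    """Return (username, verb, resource, namespace) for every human request the
    API server authenticated but RBAC rejected (HTTP 403 at ResponseComplete)."""
    denied = []
    for e in events:
        if e.get("stage") != "ResponseComplete" or not is_human_user(e):
            continue
        if e.get("responseStatus", {}).get("code") == 403:
            ref = e.get("objectRef", {})
            denied.append((e["user"]["username"], e.get("verb"),
                           ref.get("resource"), ref.get("namespace", "-")))
    return denied


if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    print(user_activity(evs))
    print(denied_requests(evs))
```

Only ResponseComplete events carry responseStatus, which is why the denial check filters on that stage; the RequestReceived event shown above would be counted as activity but never as a denial. Note that with only oidcUsernameClaim configured every person lands solely in system:authenticated, so authorization has to be granted per email address in RoleBindings until an oidcGroupsClaim is added.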

Benji Visser
I talk about Kubernetes / Deep Learning / DevOps Lead @AdaSupport