How do I update an on-premise Kubernetes API server to enable OIDC with Dex?

2
votes

We have an on-premise kubernetes deployment in our data center. I just finished deploying the pods for Dex, configured hooked up with our LDAP server to allow LDAP based authentication via Dex, ran tests and was able to retrieve the OpenID connect token for authentication.

Now I would like to change our on-premise k8s API server startup parameters to enable OIDC and point it to the Dex container.

How do I enable OIDC to the API server startup command without downtime to our k8s cluster? Was reading this doc https://kubernetes.io/docs/reference/access-authn-authz/authentication/ but the site just says "Enable the required flags" without the steps

Thanks!

2
kubernetesopenid-connectkubernetes-apiserver

2 Answers

3
votes

I installed Dex + Active Directory Integration few months ago on a cluster installed by kubeadmn .

Let's assume that Dex is now running and it can be accessible thru https://dex.example.com .

In this case,..

Enabling ODIC at the level of API server has 3 steps :

These steps have to be done on each of your Kubernetes master nodes.

1- SSH to your master node.

$ ssh root@master-ip

2- Edit the Kubernetes API configuration.

Add the OIDC parameters and modify the issuer URL accordingly.

$ sudo vim /etc/kubernetes/manifests/kube-apiserver.yaml
...
    command:
    - /hyperkube
    - apiserver
    - --advertise-address=x.x.x.x
... 

    - --oidc-issuer-url=https://dex.example.com # <-- 🔴 Please focus here
    - --oidc-client-id=oidc-auth-client # <-- 🔴 Please focus here
    - --oidc-username-claim=email # <-- 🔴 Please focus here
    - --oidc-groups-claim=groups # <-- 🔴 Please focus here
...

3- The Kubernetes API will restart by itself.

I recommend also to check a full guide like this tuto.

1
votes

The OIDC flags are for Kubernetes API Server. You have not mentioned how you have installed Kubernetes on prem. Ideally you should have multiple master nodes fronted by a LoadBalancer.

So you would disable traffic to one master node from the loadbalancer and login to that master node and edit the manifest of api server in /etc/kubernetes/manifests and add the OIDC flags. Once you change the manifest api server pod will be restarted automatically.

You repeat the same process for all master nodes and since at any given point in time you have at least one master node available there should not be any downtime.