Skip to content
Kubernetes - LDAP authentication with Dex
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
charts
LICENSE
README.md
ca-cm.yml Init Dec 28, 2017
crb-all-auth.yml add clusterRole and ClusterRoleBinding, update readme (#11) Mar 5, 2019
dex-cm.yml
dex-crd.yml
dex-deploy.yml
dex-ing-svc.yml
loginapp-cm.yml
loginapp-deploy.yml Init Dec 28, 2017
loginapp-ing-svc.yml Init Dec 28, 2017
rbac.yml

README.md

Kubernetes - LDAP authentication with Dex

Docs

This deployment follows Dex by CoreOS & Kubernetes Documentations:

Requirements

  • DNS entries:

    • dex.k8s.example.com --> Dex OIDC provider
    • login.k8s.example.com --> Custom Login Application
  • Kubernetes cluster available with the following requirements:

    • RBAC enabled
    • OIDC authentication enabled. API server configuration:
      • --oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint
      • --oidc-client-id=loginapp: ID for our Login Application
      • --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Letsencrypt CA file because we will use automatic certificate requests.
      • --oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
      • oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.
    • Ingress Controller available.
    • Automatic certificate requests for Kubernetes (ex: https://github.com/jetstack/cert-manager)
  • An available LDAP server

Helm chart

Helm chart is available here.

Login application

  • Create the auth namespace:
kubectl create ns auth
  • Create resources:
# CA (letsencrypt) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App Ingress and SVC
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml

It should fail because Dex is not deployed.

Dex

CRD

We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as Dex storage backend.

kubectl create -f dex-crd.yml

Deployment

  • Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex ingress and service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml

Now it should work: try https://login.k8s.example.org, login and retrieve k8s configuration.

kubectl --token=token get pods -n auth
Error from server (Forbidden): pods is forbidden: User "<oidc-issuer-url>#<name>" cannot list pods in the namespace "auth"

User prefix can be updated with the --oidc-username-prefix apiserver option.

  • Create ClusterRoleBinding resource:
kubectl create -f crb-all-auth.yml

Try again:

kubectl --token=$token get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m
You can’t perform that action at this time.