Skip to content
Kubernetes - LDAP authentication with Dex
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
ca-cm.yml Init Dec 28, 2017
crb-all-auth.yml add clusterRole and ClusterRoleBinding, update readme (#11) Mar 5, 2019
loginapp-deploy.yml Init Dec 28, 2017
loginapp-ing-svc.yml Init Dec 28, 2017

Kubernetes - LDAP authentication with Dex


This deployment follows Dex by CoreOS & Kubernetes Documentations:


  • DNS entries:

    • --> Dex OIDC provider
    • --> Custom Login Application
  • Kubernetes cluster available with the following requirements:

    • RBAC enabled
    • OIDC authentication enabled. API server configuration:
      • --oidc-issuer-url= External Dex endpoint
      • --oidc-client-id=loginapp: ID for our Login Application
      • --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Letsencrypt CA file because we will use automatic certificate requests.
      • --oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
      • oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.
    • Ingress Controller available.
    • Automatic certificate requests for Kubernetes (ex:
  • An available LDAP server

Helm chart

Helm chart is available here.

Login application

  • Create the auth namespace:
kubectl create ns auth
  • Create resources:
# CA (letsencrypt) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App Ingress and SVC
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml

It should fail because Dex is not deployed.



We will use Kubernetes Custom Resource Definitions ( as Dex storage backend.

kubectl create -f dex-crd.yml


  • Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex ingress and service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml

Now it should work: try, login and retrieve k8s configuration.

kubectl --token=token get pods -n auth
Error from server (Forbidden): pods is forbidden: User "<oidc-issuer-url>#<name>" cannot list pods in the namespace "auth"

User prefix can be updated with the --oidc-username-prefix apiserver option.

  • Create ClusterRoleBinding resource:
kubectl create -f crb-all-auth.yml

Try again:

kubectl --token=$token get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m
You can’t perform that action at this time.