Latest commit eda1b66 Jul 18, 2018

Kubernetes - LDAP authentication with Dex


This deployment follows the Dex (by CoreOS) and Kubernetes documentation:


  • DNS entries (since this configuration uses NodePort, these can be CNAMEs to your Kubernetes nodes):

    • --> Dex OIDC provider
    • --> Custom login application
  • A Kubernetes cluster with the following requirements:

    • RBAC enabled
    • OIDC authentication enabled, with the API server configured as follows:
      • --oidc-issuer-url=: the external Dex endpoint (the Dex DNS entry above)
      • --oidc-client-id=loginapp: the client ID of our login application
      • --oidc-ca-file=/etc/kubernetes/ssl/ca.pem: the CA file generated as described below
      • --oidc-username-claim=name: maps to the nameAttr setting of the Dex LDAP connector; Kubernetes RBAC uses this claim to authorize users by name
      • --oidc-groups-claim=groups: Kubernetes RBAC uses this claim to authorize users by group
  • An available LDAP server

Login application

  • Create the auth namespace:
kubectl create ns auth
  • Create the required TLS certificates and secrets (kubectl create secret tls takes the secret name right after tls; make sure to update alt_names to match your domain):
kubectl create secret tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth
kubectl create secret tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth
  • Create the resources:
# CA configmap (holds the generated ca.pem)
kubectl create -f ca-cm.yml
# Login app configuration
kubectl create -f loginapp-cm.yml
# Login app service
kubectl create -f loginapp-ing-svc.yml
# Login app deployment
kubectl create -f loginapp-deploy.yml

At this point the login application should fail, because Dex is not deployed yet.



We will use Kubernetes Custom Resource Definitions (CRDs) as the Dex storage backend:

kubectl create -f dex-crd.yml


  • Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml

Now, assuming you have set up the DNS entries, this should work: open the login application, log in, and retrieve the Kubernetes configuration.

You can decode the returned id_token with a JWT decoder to verify the claims it carries.
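As an added example (not code from this repository or from Dex), the following script decodes an id_token the way the kube-apiserver flags listed in the requirements interpret it: it splits the JWT, checks the issuer, audience, expiry, name and groups claims those flags reference, and shows the username and groups that RBAC will see. The issuer URL, the sample claims and the token itself are constructed placeholders, and the signature is deliberately not verified here; the API server does that against Dex's published keys.

```python
"""Inspect a Dex-issued id_token the way the kube-apiserver flags above
would interpret it. Added example for this README, not code from the
repository; the token is constructed locally with a dummy signature."""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Mirrors the API server flags listed in the requirements. The issuer URL is
# an assumed placeholder because the README does not print it.
API_SERVER_OIDC = {
    "issuer": "https://dex.example.com",  # placeholder for --oidc-issuer-url
    "client_id": "loginapp",              # --oidc-client-id
    "username_claim": "name",             # --oidc-username-claim
    "groups_claim": "groups",             # --oidc-groups-claim
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(token: str) -> Tuple[Dict, Dict]:
    """Split a JWS compact token into (header, claims) WITHOUT checking the
    signature. Good enough for inspection; the API server verifies the
    signature against Dex's published keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(claims: Dict, cfg: Dict, now: Optional[float] = None) -> List[str]:
    """Return the reasons the API server would reject this token or RBAC
    would fail to match it; an empty list means the claims line up."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append("iss does not match --oidc-issuer-url")
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain --oidc-client-id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    if not claims.get(cfg["username_claim"]):
        problems.append("username claim %r is missing" % cfg["username_claim"])
    if not isinstance(claims.get(cfg["groups_claim"]), list):
        problems.append("groups claim %r is missing or not a list" % cfg["groups_claim"])
    return problems


def rbac_subject(claims: Dict, cfg: Dict) -> Tuple[str, List[str]]:
    """Username and groups as RBAC sees them. Without --oidc-username-prefix
    the API server prefixes a non-email username claim with '<issuer>#';
    groups are used verbatim, which is why rbac.yml binds the group."""
    user = "%s#%s" % (cfg["issuer"], claims[cfg["username_claim"]])
    if cfg["username_claim"] == "email":
        user = claims["email"]
    return user, list(claims.get(cfg["groups_claim"], []))


def build_sample_token(claims: Dict) -> str:
    """Constructed token with the real three-part layout but a dummy signature."""
    header = {"alg": "RS256", "kid": "constructed-demo-key"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims),
                     _b64url_encode({"sig": "dummy"})])


# Constructed claims resembling what Dex returns for an LDAP user.
SAMPLE_CLAIMS = {
    "iss": "https://dex.example.com",
    "sub": "constructed-subject",
    "aud": "loginapp",
    "exp": 4102444800,  # year 2100, so the sample does not expire
    "iat": 1531872000,
    "email": "jane@example.com",
    "name": "jane",
    "groups": ["admins", "developers"],
}

if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    header, claims = decode_id_token(token)
    print("header:", header)
    print("problems:", check_claims(claims, API_SERVER_OIDC) or "none")
    print("rbac subject:", rbac_subject(claims, API_SERVER_OIDC))
```

To inspect a real token, paste the id_token from the kubeconfig that loginapp returns into decode_id_token and set API_SERVER_OIDC to the values from your own API server flags. Note the username prefix behaviour: in current kube-apiserver releases a username claim other than email is prefixed with the issuer URL and "#" unless --oidc-username-prefix is set, whereas group names are used as-is unless --oidc-groups-prefix is set, so a ClusterRoleBinding on the group "admins" matches without any prefix handling.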

  • Create the RBAC resource (assigns the cluster-admin role to a group called "admins"):
kubectl create -f rbac.yml

Now copy the ~/.kube/config returned by loginapp into place and try:

kubectl get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m

You can also use the id_token to sign in to the Kubernetes dashboard.

Keycloak Proxy

You can also use Keycloak Proxy instead of loginapp to sign in directly against Dex and pass the auth headers on to the Kubernetes dashboard. However, if you need kubectl configurations for the CLI, you still need loginapp. Deployment and service configs for Keycloak Proxy are included here as well.
