30x / project-management

Tasks not specific to a given project, exploratory stuff and project management

Implement OIDC authn for Kubernetes #137

Open whitlockjc opened 8 years ago

whitlockjc commented 8 years ago

Now that we know we can use Apigee's SSO for Kubernetes authentication, we need to get the SSO deployed in a way to allow for it and configure the Kubernetes API Servers to consume it.

whitlockjc commented 7 years ago

We need to ensure we work together with @mpnally to make sure we use the proper JWT claim for identifying the user. This will have an impact on the Kubernetes authz webhook (https://github.com/30x/project-management/issues/162).

whitlockjc commented 7 years ago

Based on the way the permission service works now, we need to use the sub claim. Since --oidc-username-claim defaults to sub, we can just omit this flag for now or explicitly set it to sub.
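To make the effect of that flag concrete for the authz webhook, here is an added illustration (written for this note, not kube-apiserver or project code) of how the API server turns a verified ID token into the username it hands to authorization: it checks iss, aud and exp, reads the claim named by --oidc-username-claim (sub by default), and applies the documented --oidc-username-prefix default. The issuer URL, client id and claim values are constructed placeholders; signature verification against the issuer's keys is assumed to have already happened.

```python
import time

def map_oidc_user(claims, issuer_url, client_id, username_claim="sub",
                  username_prefix=None, now=None):
    """Return the Kubernetes username derived from verified ID-token claims.

    Illustrates kube-apiserver's mapping; it is not the apiserver's code.
    `claims` is the already signature-verified JWT payload as a dict.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer_url:
        raise ValueError("issuer does not match --oidc-issuer-url")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for --oidc-client-id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if username_claim not in claims:
        raise ValueError(f"claim {username_claim!r} missing from token")
    username = str(claims[username_claim])
    # Documented apiserver behaviour: when the username claim is "email",
    # a token carrying email_verified=false is rejected.
    if username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    # Documented default for --oidc-username-prefix: for a claim other than
    # email the prefix is "<issuer-url>#", which keeps SSO subjects from
    # colliding with built-in users such as system:*; "-" disables prefixing.
    if username_prefix is None:
        prefix = "" if username_claim == "email" else issuer_url + "#"
    elif username_prefix == "-":
        prefix = ""
    else:
        prefix = username_prefix
    return prefix + username

# Constructed sample claim set (placeholder issuer, client id and subject).
ISSUER = "https://sso.example.invalid"
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "kubernetes",
    "sub": "u-1234",
    "email": "alice@example.invalid",
    "email_verified": True,
    "exp": 2_000_000_000,
}
```

Whatever the permission service matches on (here the sub value) must be the username after prefixing, so either set `--oidc-username-prefix=-` or have the webhook strip the issuer prefix.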

whitlockjc commented 7 years ago

Useful link on how to set up ~/.kube/config to do automatic token refreshing:

https://github.com/TremoloSecurity/wiki/blob/master/kubernetes.md#option-1---oidc-authenticator