Make kubernetes login available with oidc - Githubissues

go-zen-chu / ubuntu-k8s-playbook

kubernetes cluster build on ubuntu 22.04

MIT License

1 stars 0 forks source link

Make kubernetes login available with oidc #10

Open go-zen-chu opened 3 months ago

go-zen-chu commented 3 months ago

Why

we want our k8s cluster can login using OIDC authentication

Proposal

support oidc login from internet
- e.g. google cloud OIDC

Why not use client certificate?

Yeah, it's easier to just use client certificate auth in api-server even when you want access from the internet.
- I just don't want to bring client cert key to other pcs

What

set oidc provider to kube-apiserver
setup google oidc setting
install https://github.com/int128/kubelogin
open kube-apiserver to public

go-zen-chu commented 1 month ago

How can we set apiserver option in k3s?

k3s config https://docs.k3s.io/installation/configuration#multiple-config-files
- apiserver config can be set here : https://docs.k3s.io/security/hardening-guide?_highlight=apiserver&_highlight=config#configuration-for-kubernetes-components

kube-apiserver-arg:
- "oidc-issuer-url=https://accounts.google.com"
- "oidc-client-id=<YOUR_CLIENT_ID>"
- "oidc-username-claim=email"
- "authorization-mode=RBAC"