k0sproject / k0s

k0s - The Zero Friction Kubernetes
https://docs.k0sproject.io

`k0s kubeconfig` should support OIDC #4481

Open jnummelin opened 6 months ago

jnummelin commented 6 months ago

Is your feature request related to a problem? Please describe.

When I configure OIDC for a cluster I need to manually craft the user kubeconfigs.

Describe the solution you would like

It would be nice if the k0s kubeconfig command were able to detect the OIDC config and spit out a working kubeconfig for the user. For example, if I have in the cluster config:

apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
spec:
  api:
    extraArgs:
      oidc-issuer-url: <issuer-url>
      oidc-client-id: <client-id>
      oidc-username-claim: email # we use email token claim field as a username

k0s should detect that and generate the corresponding client config:

users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=ISSUER_URL
      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET

We cannot support all OIDC login tools of course, but kubelogin seems to be generic enough to work with most providers.

Describe alternatives you've considered

No response

Additional context

No response
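The detect-and-generate step proposed above, as an added Python example (not k0s code): it reads spec.api.extraArgs, refuses a non-https issuer, and builds the kubelogin exec entry. The claim-to-scope mapping, the optional client secret parameter (the secret is never in ClusterConfig, so it must be supplied separately if the provider needs one) and the sample ClusterConfig values are assumptions of this example.

```python
"""Derive a kubelogin exec user entry from k0s ClusterConfig OIDC extraArgs."""
import json
from typing import Optional
from urllib.parse import urlsplit

# Standard OIDC claims and the scope that makes a provider include them in the ID token.
# A non-default username claim on the server side only works if the client requests
# that scope; the server-side flag itself has no client-side equivalent.
CLAIM_SCOPES = {"email": "email", "name": "profile", "preferred_username": "profile"}


def issuer_ok(issuer: str) -> bool:
    """kube-apiserver only accepts https issuer URLs; mirror that check on the client side."""
    return urlsplit(issuer).scheme == "https"


def detect_oidc(extra_args: dict) -> Optional[dict]:
    """Return OIDC settings from spec.api.extraArgs, or None when OIDC is not configured."""
    issuer = extra_args.get("oidc-issuer-url")
    client_id = extra_args.get("oidc-client-id")
    if not issuer and not client_id:
        return None
    if not issuer or not client_id:
        raise ValueError("oidc-issuer-url and oidc-client-id must be set together")
    if not issuer_ok(issuer):
        raise ValueError(f"oidc-issuer-url must use https, got {issuer!r}")
    return {"issuer": issuer, "client_id": client_id,
            "username_claim": extra_args.get("oidc-username-claim", "sub")}


def kubelogin_user(oidc: dict, client_secret: Optional[str] = None) -> dict:
    """Build the kubeconfig users[] entry that drives 'kubectl oidc-login get-token'."""
    args = ["oidc-login", "get-token",
            f"--oidc-issuer-url={oidc['issuer']}",
            f"--oidc-client-id={oidc['client_id']}"]
    scope = CLAIM_SCOPES.get(oidc["username_claim"])
    if scope:
        args.append(f"--oidc-extra-scope={scope}")
    if client_secret:  # only for confidential clients; never derived from ClusterConfig
        args.append(f"--oidc-client-secret={client_secret}")
    return {"name": "oidc", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "kubectl", "args": args}}}


# Constructed sample matching the ClusterConfig from the issue text.
SAMPLE_EXTRA_ARGS = {"oidc-issuer-url": "https://issuer.example.invalid",
                     "oidc-client-id": "k0s-cluster", "oidc-username-claim": "email"}

if __name__ == "__main__":
    print(json.dumps({"users": [kubelogin_user(detect_oidc(SAMPLE_EXTRA_ARGS))]}, indent=2))
```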

twz123 commented 6 months ago

I'm not in favor of adding support for third-party stuff that needs to be installed on the client side when generating stuff on the server side.

danielskowronski commented 1 week ago

Are there any plans to support some OIDC out of the box? Even the simplest Keycloak (via managed Helm and managed server-side flags in Cluster spec) would make it easier for new users who would want to use any form of secure auth.

I agree that k0s should probably leave client auth for k0sctl install/management purposes with the main "admin" kubeconfig that uses a certificate, but having the option to easily onboard some OIDC auth for regular k8s users would be nice.

jnummelin commented 6 days ago

but having the option to easily onboard some OIDC auth for regular k8s users would be nice.

@danielskowronski I'm not sure what you mean by this? Configuring an OIDC provider is pretty straightforward via API server flags