kubermatic / dashboard

Dashboard For The Kubermatic Kubernetes Platform
https://www.kubermatic.com

Provide 'kube oidc-login' command at the "share cluster page" #3045

Open toschneck opened 3 years ago

toschneck commented 3 years ago

What is the problem, where is it and why is it an issue? Currently if a user wants to authenticate by OIDC he gets this link to authorize and get his current valid kubeconfig. If this kubeconfig is invalid he needs to do the same step again.

Suggest how to fix it, if possible

As Christoph used kubelogin in his blog post https://www.kubermatic.com/blog/kubeone-oidc-authentication-audit-logging/, we could also provide the parameterized kubelogin command to the end users, so they can store this command and log in whenever it is needed directly from the CLI

kubectl oidc-login setup \
  --oidc-issuer-url=https://dex.controlplane.example.com/dex \
  --oidc-client-id= \
  --oidc-client-secret=

Not sure how to handle ID and secret, but in general this would improve the usability.

maciaszczykm commented 3 years ago

Changing estimate as the API endpoint will be required too.

maciaszczykm commented 3 years ago

@toschneck After investigation, some work on the UI and the API and a chat with @zreigz and @floreks, I would like to discuss it with you too. We can do it here or set up a meeting if you want. Let me know what you would prefer.

Unfortunately getting the OIDC params (issuer URL, client ID and client secret) of a user cluster is not straightforward. There is an oidc field in the cluster spec and it should contain all the required stuff, but it seems we are not using it at all. It was empty for all clusters that I've created. I think it may be some leftover from the past or a thing that is used by our customers but not us.

The OIDC params that can be found in the kubeconfig that can be downloaded using the share cluster dialog seem to be global, not cluster-specific. We think that exposing them may bring security risks, especially because there would be no additional OIDC auth before the user can copy the command, like it is done before the kubeconfig can be downloaded.

What do you think? How should we proceed?

maciaszczykm commented 3 years ago

I'd like to involve SIG security here. What do you think about it? Which params should be safe to use in this context?
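As an added example (not code from the kubermatic/dashboard project or from anyone in this thread), the following Go snippet shows one way the proposed API endpoint could render the shareable `kubectl oidc-login setup` command from the first comment while keeping the client secret out of it, which is the concern raised about the global OIDC params. The flag names are the ones shown in the issue; the `OIDCParams` type, the `ShareableCommand` and `LeaksSecret` helpers and the sample values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// OIDCParams is a hypothetical bundle of the three values the kubelogin
// command in the issue takes. ClientSecret is kept here only so that the
// server side can hold it; it is never written into the shareable command.
type OIDCParams struct {
	IssuerURL    string
	ClientID     string
	ClientSecret string
}

// safeArg matches values that can be pasted into a shell unquoted.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9._:/=@%+-]+$`)

// shellQuote single-quotes any value outside the safe character set so a
// copied command cannot be broken (or extended) by an unusual client ID.
func shellQuote(v string) string {
	if safeArg.MatchString(v) {
		return v
	}
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// ShareableCommand renders the kubelogin setup command using only the
// issuer URL and client ID. The secret is deliberately omitted: a user who
// copies this command still has to complete the browser-based OIDC login.
func (p OIDCParams) ShareableCommand() (string, error) {
	u, err := url.Parse(p.IssuerURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("issuer URL must be an absolute https URL, got %q", p.IssuerURL)
	}
	if p.ClientID == "" {
		return "", errors.New("client ID is required")
	}
	parts := []string{
		"kubectl oidc-login setup",
		"--oidc-issuer-url=" + shellQuote(p.IssuerURL),
		"--oidc-client-id=" + shellQuote(p.ClientID),
	}
	return strings.Join(parts, " \\\n  "), nil
}

// LeaksSecret is the check an endpoint would run before returning any
// rendered text: true if the secret (or the secret flag itself) appears.
func LeaksSecret(rendered, secret string) bool {
	if strings.Contains(rendered, "--oidc-client-secret") {
		return true
	}
	return secret != "" && strings.Contains(rendered, secret)
}

func main() {
	// Constructed sample values; the issuer URL is the one from the issue.
	p := OIDCParams{
		IssuerURL:    "https://dex.controlplane.example.com/dex",
		ClientID:     "kubermatic",
		ClientSecret: "constructed-secret-value",
	}
	cmd, err := p.ShareableCommand()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(cmd)
	fmt.Println("leaks secret:", LeaksSecret(cmd, p.ClientSecret))
}
```

The command shown to the user therefore carries only the two values that the OIDC provider already exposes during any interactive login; the secret stays with the API, and `LeaksSecret` gives the endpoint a cheap regression check before the text is returned.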