Open bzub opened 3 years ago
This should probably plug into dex, rather than building it out ourselves.
Hi @Ulexus. I think you misunderstand this ticket. The Kubernetes api-server has the ability to authenticate users not just with certificates but with JWT tokens. This token is generated by an OpenID authentication provider (the authentication provider can be Dex, Keycloak, etc.). To do the authentication the Kubernetes api-server needs a configuration to know where the authentication provider is and how to use it. This ticket is about that configuration, and it is valid because at the moment there is no option in Talos to add this kind of configuration, or it is just not documented.
@devopstales Is there something lacking right now? You can pass all of the OIDC configuration options to kube-apiserver via extraArgs: https://www.talos.dev/v1.0/reference/configuration/#apiserverconfig
Just to follow up: I think this issue could maybe use some elaboration in the docs, but the standard I needed Talos to live up to, it's meeting and exceeding (extraArgs in the apiServer block are processed and the docs show it is possible).
The link moved here: https://www.talos.dev/v1.6/reference/configuration/v1alpha1/config/#Config.cluster.apiServer
I was able to bring my Dex install from a config that I brought over from Weave GitOps Enterprise (for Dex, upstream) - hosted outside of the new Talos cluster - and connect Dex as an auth source with the Talos Kubernetes ApiServer, no unexpected issues.
NB only that this is apiServer.extraArgs, which has no stub in the default machine config, not kubelet.extraArgs, which does have a stub. IDK if a missing stub in the default machine config is a bug, I wouldn't think so; anyway it is in the docs.
I made this error while I was fumbling through my first Talos machine config edit, then the kubelet failed to launch on reboot, but it was recoverable by editing the machine configuration again and putting extraArgs in the apiServer section where it goes. (Thanks for mentioning it here! I think you're right, this is a fine and supported config, maybe under-documented.)
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
I think the original poster was asking to authenticate admin users of the Talos API with OIDC, not the Kubernetes API. I arrived here looking for docs about the latter and didn't read the report correctly; anyway, those are two separate things: you can configure the Kubernetes API to accept OIDC auth, but is there something similar for the Talos API? I don't think so. (Could there be?)
Maybe it's already possible to add OIDC to the Omni server, not sure if that would moot the issue or not.
Feature Request
Description
We use OIDC to map LDAP/Active Directory users/groups to RBAC resources for Kubernetes auth. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
Would be nice if we could do the same for Talos API, even if it's not as granular as RBAC (admin only).