siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

OpenID Connect (OIDC) authentication support #3306

Open bzub opened 3 years ago

bzub commented 3 years ago

Feature Request

Description

We use OIDC to map LDAP/Active Directory users/groups to RBAC resources for Kubernetes auth. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

Would be nice if we could do the same for Talos API, even if it's not as granular as RBAC (admin only).

Ulexus commented 3 years ago

This should probably plug into dex, rather than building it out ourselves.

devopstales commented 2 years ago

Hi @Ulexus. I think you misunderstand this ticket. The Kubernetes api-server has the ability to authenticate users not just with certificates but with JWT tokens. This token is generated by an OpenID authentication provider (the authentication provider can be Dex, Keycloak, etc.). To do the authentication the Kubernetes api-server needs a configuration to know where the authentication provider is and how to use it. This ticket is about that configuration, and it is valid because at the moment there is no option in Talos to add this kind of configuration, or it is just not documented.

Ulexus commented 2 years ago

@devopstales Is there something lacking right now? You can pass all of the OIDC configuration options to kube-apiserver via extraArgs: https://www.talos.dev/v1.0/reference/configuration/#apiserverconfig

kingdonb commented 7 months ago

Just to follow up, I think this issue could maybe use some elaboration in the docs, but the standard I needed Talos to live up to, it's meeting and exceeding (extraArgs in the apiServer block are processed, and the docs show it is possible).

The link moved here: https://www.talos.dev/v1.6/reference/configuration/v1alpha1/config/#Config.cluster.apiServer

I was able to bring my Dex install from a config that I brought over from Weave GitOps Enterprise (for Dex, upstream) - hosted outside of the new Talos cluster - and connect Dex as an auth source with the Talos Kubernetes ApiServer, no unexpected issues.

NB only that this is apiServer.extraArgs, which has no stub in the default machine config, not kubelet.extraArgs, which does have a stub. IDK if a missing stub in the default machine config is a bug; I wouldn't think so. Anyway, it is in the docs.

I made this error while I was fumbling through my first talos machine config edit, then the kubelet failed to launch on reboot, but it was recoverable by editing the machine configuration again, and putting extraArgs in the apiServer section where it goes. (Thanks for mentioning it here! I think you're right, this is a fine and supported config, maybe under-documented.)
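To make the configuration discussed in the comments above concrete, here is an added example (not code from the Talos project or from anyone in this thread) of a Talos machine configuration patch that turns on OIDC authentication for kube-apiserver through `cluster.apiServer.extraArgs`, followed by the RBAC binding that gives an IdP group cluster-admin. The issuer URL `https://dex.example.internal`, the client ID `kubernetes`, the group name `platform-admins` and the claim names are assumptions; substitute the values registered in your own Dex (or other OIDC provider). Talos passes each key as `--<key>=<value>` to the kube-apiserver static pod, so the keys are the upstream flag names without the leading dashes.

```yaml
# Added example, not from the Talos project or this issue thread.
# Patch for the control-plane machine config: apply with
#   talosctl patch machineconfig -n <control-plane-ip> --patch-file oidc.yaml
# (or via talosctl edit machineconfig). Values below are hypothetical.
cluster:
  apiServer:
    extraArgs:
      # Must equal the "iss" claim in tokens the IdP issues; kube-apiserver
      # fetches <issuer>/.well-known/openid-configuration over HTTPS from here.
      oidc-issuer-url: https://dex.example.internal
      # Must equal the "aud" claim (the client registered with the IdP).
      oidc-client-id: kubernetes
      # Which claims become the Kubernetes user name and group list.
      oidc-username-claim: email
      oidc-groups-claim: groups
      # Prefixes keep IdP identities from colliding with built-in subjects:
      # an IdP group literally named "system:masters" arrives as
      # "oidc:system:masters" and therefore grants nothing by itself.
      oidc-username-prefix: "oidc:"
      oidc-groups-prefix: "oidc:"
# Pitfall from the comment above: these keys belong under
# cluster.apiServer.extraArgs. Placing them under machine.kubelet.extraArgs
# hands them to the kubelet, which does not accept them and fails to start.
---
# Cluster-side RBAC mapping for the prefixed group. The group name
# "platform-admins" is an assumption about what the IdP emits.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "oidc:platform-admins"
```

Two caveats a practitioner will hit: the issuer must serve a certificate kube-apiserver trusts, so an IdP behind a private CA additionally needs `oidc-ca-file` pointing at a CA bundle that exists inside the kube-apiserver static pod (Talos exposes `cluster.apiServer.extraVolumes` for mounting such files; check the apiServer reference for the exact shape); and because the machine config patch only changes the control-plane nodes, apply it to every control-plane node, not just one, or API servers behind the load balancer will disagree on which tokens they accept. None of this touches the Talos API itself, which is the separate question the original poster raised.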

github-actions[bot] commented 1 month ago

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

kingdonb commented 1 month ago

I think the original poster was asking to authenticate admin users of the Talos API with OIDC, not Kubernetes API. I arrived here looking for docs about the latter, didn't read the report correctly, anyway those are two separate things - you can configure the Kubernetes API to accept OIDC auth, but is there similar for Talos API? I don't think so. (Could there be?)

Maybe it's already possible to add OIDC to the Omni server, not sure if that would moot the issue or not.