I tried to use kubeprod's oauth2-proxy to authenticate bitnami/kubeapps and Kubernetes-dashboard. After some analysis I found that oauth2-proxy with --provider=keycloak is not usable for this task, because it is not possible to add an authentication bearer token header to the HTTP requests, which is needed for those apps.
So it may be a good idea to switch to --provider=oidc in kubeprod to support this.
For everyone interested in this task: Here are my options, needed to successfully authenticate to Kubernetes dashboard with Keycloak / oauth2-proxy:
Annotations for kubernetes-dashboard nginx-ingress:
nginx.ingress.kubernetes.io/auth-signin: https://auth.kubeprod.domain/oauth2/start?rd=%2F$server_name$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://auth.kubeprod.domain/oauth2/auth
# important to add the Authorization: Bearer header:
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
OIDC options for kube-apiserver:
In Keycloak, add a role, for example "my-custer-admin-role", and add it to a user.
ClusterRoleBinding:
Options for oauth2-proxy:
Cheers, floek
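A diagnostic for the setup described in the post, added here as an example and not taken from the post or from kubeprod: it decodes the `Authorization: Bearer` header that the ingress forwards and lists why kube-apiserver's OIDC authenticator or the role binding would not accept it. The issuer URL, the client id `kubernetes`, and the claim name `groups` carrying the Keycloak role are assumptions; substitute the values from your own kube-apiserver OIDC options.

```python
import base64
import json
import time


def _segment(data):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(data + "=" * (-len(data) % 4)))


def check_forwarded_token(authorization, issuer, client_id,
                          groups_claim="groups", required_group=None, now=None):
    """List the reasons kube-apiserver would reject or not authorize this header.

    Diagnostic only: the signature is NOT verified here. kube-apiserver does
    that itself against the keys published by the issuer.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return ["header is not 'Bearer <JWT>'"]
    try:
        claims = _segment(token.split(".")[1])
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:
        return ["JWT payload is not base64url-encoded JSON"]
    problems = []
    if claims.get("iss") != issuer:  # must equal the configured issuer URL exactly
        problems.append(f"iss {claims.get('iss')!r} does not match {issuer!r}")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"aud {aud!r} does not contain client id {client_id!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired")
    if required_group and required_group not in claims.get(groups_claim, []):
        problems.append(f"claim {groups_claim!r} lacks {required_group!r}")
    return problems


def make_sample_header(claims):
    # Constructed, unsigned token for the demo; real ones come from the proxy.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "Bearer " + ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    issuer = "https://keycloak.example.test/auth/realms/demo"  # constructed
    header = make_sample_header({"iss": issuer, "aud": "kubernetes",
                                 "exp": time.time() + 300, "groups": ["viewer"]})
    print(check_forwarded_token(header, issuer, "kubernetes",
                                required_group="my-custer-admin-role"))
```

An empty list means the claims line up with the API server configuration; a dashboard 401 with an empty list points at signature or CA trust rather than at the claims.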