Powered By GitBook
kubernetes-auth-openid-rbac
A sample process that shows how to use Google Accounts with Kubernetes cluster with role-based access control (RBAC) authorization mode.
Contributed by the Google Cloud community. Not official Google documentation.
In this tutorial you set up authentication and authorization to your own Kubernetes cluster using your Google account with the help of role-based access control (RBAC) and OpenID Connect. RBAC was introduced in the Kubernetes 1.6 article, RBAC Support in Kubernetes, and was based on Micah Hausle's Reduce administrative toil with Kubernetes 1.3.

Objectives

    Creating a Google API Console project and client ID
    Setting up a Kubernetes cluster with kubeadm
    Generating a local user's credentials
    Granting permissions

Creating a Google API Console project and client ID

    2.
    From the project drop-down, select an existing project, or create a new one by selecting Create a new project.
    3.
    In the sidebar under API Manager, select Credentials, then select the OAuth consent screen tab.
    4.
    Choose an Email Address, specify a Product Name, and submit Save.
    5.
    In the Credentials tab, select the New credentials drop-down list, and choose OAuth client ID.
    6.
    Under Application type, select Other.
    7.
    From the resulting OAuth client dialog box, copy the Client ID. The Client ID lets your app access enabled Google APIs.
    8.
    Download the client secret JSON file of the credentials.

Setting up a Kubernetes cluster

After initializing the master instance, you need to update the kube api server arguments in the /etc/kubernetes/manifests/kube-apiserver.yaml. Each argument should be on a separate line. More information about the OIDC attributes can be found in the Authenticating reference documentation.
1
sed -i "/- kube-apiserver/a\ - --oidc-issuer-url=https://accounts.google.com\n - --oidc-username-claim=email\n - --oidc-client-id=[YOUR_GOOGLE_CLIENT_ID]" /etc/kubernetes/manifests/kube-apiserver.yaml
Copied!
Add any network CNI plugin and the cluster is ready. Copy /etc/kubernetes/admin.conf to local ~/.kube/config and change the cluster ip.
1
kubectl get nodes
Copied!
Output appears as follows:
1
NAME STATUS AGE VERSION
2
ip-10-9-11-30 Ready 15m v1.6.1
Copied!

Generating local user credentials

    1.
    Install the helper on the client machine. Run the following command:
    1
    go get github.com/micahhausler/k8s-oidc-helper
    Copied!
    2.
    Generate a user's credentials for kube config. Run the following command:
    1
    k8s-oidc-helper -c path/to/client_secret_[CLIENT_ID].json
    Copied!
    This command should open the browser and ask permissions. After that, it provides you a token in the browser. Copy it and paste to the terminal for k8s-oidc-helper. The output of the command should look as follows:
    1
    # Add the following to your ~/.kube/config
    2
    ​
    3
    users:
    5
    user:
    6
    auth-provider:
    7
    config:
    8
    client-id: 32934980234312-9ske1sskq89423480922scag3hutrv7.apps.googleusercontent.com
    9
    client-secret: ZdyKxYW-tCzuRWwB3l665cLY
    10
    id-token: eyJhbGciOiJSUzI19fvTKfPraZ7yzn.....HeLnf26MjA
    11
    idp-issuer-url: https://accounts.google.com
    12
    refresh-token: 18mxeZ5_AE.jkYklrMAf5.IMXnB_DsBY5up4WbYNF2PrY
    13
    name: oidc
    Copied!
    3.
    Copy everything after users: and append it to your existing user list in the ~/.kube/config. Now you have 2 users: one from the new cluster configuration and one that you added.

Verifying the token

Test the id-token using https://jwt.io/. Be sure that you have "email_verified": true in the decoded message. Test connection of the new user:
1
kubectl [email protected] get nodes
Copied!
This results in the following output:
1
Error from server (Forbidden): User "[email protected]" cannot list nodes at the cluster scope. (get nodes)
Copied!
This error message proves that id-token and api server arguments work and email is extracted from a request.

Granting permissions

For now, grant admin rights to the user [email protected] with an authorization specification:
1
kind: ClusterRole
2
apiVersion: rbac.authorization.k8s.io/v1alpha1
3
metadata:
4
name: admin-role
5
rules:
6
- apiGroups: ["*"]
7
resources: ["*"]
8
verbs: ["*"]
9
---
10
kind: ClusterRoleBinding
11
apiVersion: rbac.authorization.k8s.io/v1alpha1
12
metadata:
13
name: admin-binding
14
subjects:
15
- kind: User
17
roleRef:
18
kind: ClusterRole
19
name: admin-role
Copied!
After applying changes by using kubectl create -f admin.yaml, Do the test again:
1
$ kubectl [email protected] get nodes
Copied!
Output:
1
NAME STATUS AGE VERSION
2
ip-10-9-11-30 Ready 20m v1.6.1
Copied!
You now have a Kubernetes cluster with authorization by email. Plus, you don't need to generate a new OpenID for new clusters.
Last modified 7mo ago