Make kube-apiserver oidc flags configurable #75

Status: Closed
jschoone opened this issue Apr 19, 2024 · 0 comments · Fixed by #84
Labels: Container (Issues or pull requests relevant for Team 2: Container Infra and Tooling)

jschoone (Contributor) wrote:
/kind feature

Describe the solution you'd like
As an SCS consumer I want to be able to use external auth services e.g. to use my existing IAM roles in Kubernetes.
Here are the available oidc flags.

Example
I tested with these fixed values to auth with GitHub:

```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlaneTemplate
metadata:
  name: {{ .Release.Name }}-{{ .Chart.Version }}-control-plane
spec:
  template:
    spec:
      kubeadmConfigSpec:
        clusterConfiguration:
          apiServer:
            extraArgs:
              cloud-provider: external
              oidc-client-id: kubectl
              oidc-issuer-url: https://dex.k8s.scs.community
              oidc-username-claim: preferred_username
              oidc-groups-claim: groups
              oidc-username-prefix: oidc
              oidc-groups-prefix: oidc
```

My username in Kubernetes then is `oidcjschoone`. The example value for `--oidc-username-prefix` is `oidc:` but I failed to add the colon and didn't care for the further tests.

The mentioned dex.k8s.scs.community still runs and can be used. It is configured like this:

```yaml
config:
  issuer: https://dex.k8s.scs.community
  storage:
    type: memory
  connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: <clientID>
        clientSecret: <clientSecret>
        redirectURI: https://dex.k8s.scs.community/callback
        scopes:
          - user
          - read:org
        loadAllGroups: true
        orgs:
        - name: SovereignCloudStack
        teamNameField: slug
        useLoginAsID: true
  staticClients:
    - id: kubectl
      redirectURIs:
        - http://localhost:8000
        - http://localhost:18000
      public: true
      name: rocket
```
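As an added illustration that is not part of the issue or of the project, the following Python model shows how kube-apiserver turns ID-token claims into a Kubernetes username and groups under the `--oidc-*` flags used above, including why the missing colon yields `oidcjschoone`. The claims, the subject value and the team slug are constructed; the prefix defaults (`<issuer>#` when the prefix flag is unset and the claim is not `email`, `-` to disable prefixing) follow the documented kube-apiserver behaviour.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed ID-token claims shaped like what dex's GitHub connector emits
# (groups are "org:team-slug" with teamNameField: slug); not captured from
# the issue's cluster.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "iss": "https://dex.k8s.scs.community",
    "sub": "ChUxMjM0NTY3ODkSBmdpdGh1Yg",            # constructed opaque subject
    "email": "jschoone@example.org",                # constructed
    "preferred_username": "jschoone",
    "groups": ["SovereignCloudStack:container"],    # constructed team slug
}


@dataclass
class OIDCFlags:
    """Mirror of the kube-apiserver --oidc-* flags from the issue."""
    issuer_url: str
    username_claim: str = "sub"
    username_prefix: Optional[str] = None   # None means the flag is not set
    groups_claim: Optional[str] = None
    groups_prefix: str = ""                 # kube-apiserver default: no prefix


def effective_username_prefix(flags: OIDCFlags) -> str:
    """Apply kube-apiserver's defaulting rules for --oidc-username-prefix."""
    if flags.username_prefix is None:
        # Unset: no prefix for the email claim, otherwise "<issuer>#" so
        # usernames from different issuers cannot collide.
        return "" if flags.username_claim == "email" else flags.issuer_url + "#"
    if flags.username_prefix == "-":
        return ""   # explicit opt-out of prefixing
    return flags.username_prefix


def map_claims(claims: Dict[str, Any], flags: OIDCFlags) -> Tuple[str, List[str]]:
    """Return the (username, groups) kube-apiserver would derive from the token."""
    raw = claims.get(flags.username_claim)
    if not isinstance(raw, str) or not raw:
        raise ValueError(f"token has no usable {flags.username_claim!r} claim")
    username = effective_username_prefix(flags) + raw   # plain concatenation
    groups: List[str] = []
    if flags.groups_claim:
        g = claims.get(flags.groups_claim, [])
        g = [g] if isinstance(g, str) else list(g)      # single string is allowed
        groups = [flags.groups_prefix + name for name in g]
    return username, groups
```

With the issue's flags the model returns `oidcjschoone`; changing both prefixes to `oidc:` gives `oidc:jschoone` and `oidc:SovereignCloudStack:container`, which keeps OIDC identities visibly separate from local users and groups in RBAC bindings.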
jschoone added the Container (Issues or pull requests relevant for Team 2: Container Infra and Tooling) label on Apr 19, 2024.
DEiselt self-assigned this on Apr 30, 2024.
DEiselt linked a pull request on May 6, 2024 that will close this issue.