I have installed Kubernetes with minikube on Ubuntu 16.04.
I want to know how I can integrate OpenID Connect based authentication with it. I am new to Kubernetes, so any suggestion on how to configure it would help.
I am currently accessing the dashboard with the "minikube dashboard" command, but I don't seem to find any role-specific login. The K8S guide has the config section below:
kubectl config set-credentials USER_NAME \
--auth-provider=oidc \
--auth-provider-arg=idp-issuer-url=( issuer url ) \
--auth-provider-arg=client-id=( your client id ) \
--auth-provider-arg=client-secret=( your client secret ) \
--auth-provider-arg=refresh-token=( your refresh token ) \
--auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
--auth-provider-arg=id-token=( your id_token ) \
--auth-provider-arg=extra-scopes=( comma separated list of scopes to add to "openid email profile", optional )
Can someone tell me how I can get values for
1. Issuer URL
2. Refresh token
3. Id-token
4. Extra-scope
I assume the client id and client secret are the ones we get when google credentials are created. Please correct me if I'm wrong.
The Kubernetes Authentication docs try to explain the different "authn" plugins. One of these is "OpenID Connect", which requires that you start up an "Identity Provider".
So when you tell kubectl to use --auth-provider=oidc, that's what you're using. The idp-issuer-url will point at your Identity Provider's HTTPS URL. They give different examples of implementations of this. CoreOS has one called Dex.
Their repo has some examples under: ./examples
An example of using LDAP connector plugin for dex is here
For more information about how Authentication is done in Kubernetes (e.g.: "What is authn?" "What is authz", etc...), there is a great presentation by Eric Chiang here.
So to answer your question:
Q: How I can get values for:
Issuer URL
Refresh token
Id-token
Extra-scope
A: Set up Dex, then authenticate to it using the "Login" app (with some backend such as LDAP in example). Then it redirects you to a page with a ~/.kube/config file with a user which has all of these items.
I tried to implement Keycloak direct naked impersonation from documentation, but in the end I got the error:
"error": "access_denied",
"error_description": "Client not allowed to exchange"
This is the Postman setup, with the admin-cli, clientId and with the user, justin, that I want to get the token for, that exists in the Users section.
The admin-cli secret that I used in Postman:
I followed all the steps that are in the Keycloak Direct Naked Impersonation documentation.
Toggle Users Permissions Enabled to On.
Define a policy for this permission.
Add the client policy, "client-impersonators" in my case, to the users' impersonation permission
This is the request setup that Keycloak recommends to get this direct naked impersonation working. You saw this in my Postman setup above.
curl -X POST \
-d "client_id=starting-client" \
-d "client_secret=the client secret" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_subject=wburke" \
http://localhost:8080/realms/myrealm/protocol/openid-connect/token
Inside Docker I have the setup for token_exchange=enabled and admin_fine_grained_authz=enabled
- name: "KEYCLOAK_EXTRA_ARGS"
value: "-Dkeycloak.profile.feature.admin=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled"
I searched day after day about this topic and I tested all the options available on the internet right now about this subject, but without any success.
Please, anyone for whom this worked, be nice and share how you solved it. Or at least please give some ideas; maybe I missed something.
New Policy created for user-impersonate, where I added the user Justin
Then inside the Permissions I added this Policy
The problem is that the documentation contains an image that is wrong, namely:
It should have been a Client Policy with the client admin-cli instead of the user admin.
For instance:
So, you need 2 policies/permissions:
impersonate (i.e., Policies that decide if an administrator can impersonate other users), where you create a Client Policy and pass the client "admin-cli" (in your case);
user-impersonated (i.e., Policies that decide which users can be impersonated. These policies are applied to the user being impersonated), where you create a User Policy and pass the user "justin" (in your case).
Step-by-step: KC 20.0.3 new UI
(Side note: you should use another realm and client instead of master and admin-cli, at least in a production environment)
Enable the secret in the admin-cli:
go to master > clients > admin-cli
set Client authentication to ON
Create the two Policies: 1 Client Policy and 1 User Policy
go to master > clients > master-realm
click on the Authorization tab
click on the Policies sub-tab
click on Create policy, and then Client
name it something (e.g., Client-impersonator)
add admin-cli to the Client field and click Save
Repeat again the aforementioned steps, but this time create a User Policy for the user that will be impersonated (i.e., justin in your case)
Add the Policies to the corresponding scopes/permissions:
go to Users
go to the tab Permissions
set Permissions enabled to ON
click on impersonate
select the policy corresponding to the client admin-cli (e.g., policy named Client-impersonator)
click on Save
go again to Users
go to the tab Permissions
this time select user-impersonated
and select the policy for the impersonated user (i.e., justin)
Perform the request:
curl -X POST \
-d "client_id=admin-cli" \
-d "client_secret=8AEx99Ob4Hc8oricSGnii6x4Rs57g4ny" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_subject=justin" \
http://0.0.0.0:8080/realms/master/protocol/openid-connect/token
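The same exchange done from code, as an added example that is not part of the answer above or of Keycloak's own code. The endpoint path, the `urn:ietf:params:oauth:grant-type:token-exchange` grant and the `requested_subject` parameter are the ones the curl command above uses; the helper names and the error-to-hint mapping are this example's own assumptions. Only the request builder and the response parser run offline; `exchange()` does the network round trip.

```python
"""Keycloak direct naked impersonation (RFC 8693 token exchange) client.

Added example, not Keycloak's code. Helper names below are hypothetical;
the endpoint, grant type and form parameters match the curl command in
the thread. No subject_token is sent: the starting client's own
client_id/client_secret is what the 'impersonate' permission authorises.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_exchange_request(base_url, realm, client_id, client_secret, requested_subject):
    """Return (url, form-encoded body bytes, headers) for the token endpoint."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "requested_subject": requested_subject,
    }
    body = urllib.parse.urlencode(params).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers


def interpret_token_response(status, body_text):
    """Turn the token endpoint's JSON into a small result dict.

    On failure the dict carries error/error_description plus a 'hint'
    (this example's own mapping) for the error seen in the thread.
    """
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return {"ok": True, "access_token": data["access_token"],
                "expires_in": data.get("expires_in")}
    err = data.get("error", "unknown")
    desc = data.get("error_description", "")
    hint = ""
    if err == "access_denied" and "not allowed to exchange" in desc:
        hint = ("starting client is not covered by a Client Policy on "
                "Users > Permissions > impersonate")
    elif err == "access_denied":
        hint = ("also check the user-impersonated permission's User Policy "
                "covers the requested_subject")
    return {"ok": False, "status": status, "error": err,
            "error_description": desc, "hint": hint}


def exchange(base_url, realm, client_id, client_secret, requested_subject, timeout=10):
    """Perform the exchange over HTTP (network; not exercised offline)."""
    url, body, headers = build_exchange_request(
        base_url, realm, client_id, client_secret, requested_subject)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return interpret_token_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Constructed call against the thread's local Keycloak; replace the secret.
    print(exchange("http://0.0.0.0:8080", "master", "admin-cli",
                   "replace-with-client-secret", "justin"))
```

The returned access token is issued for `requested_subject`; anything that consumes it sees the impersonated user, so treat the starting client's secret with the same care as an admin credential.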
Is it possible to configure a custom password for the Kubernetes dashboard when using eks without customizing "kube-apiserver"?
This URL mentions changes in "kube-apiserver"
https://techexpert.tips/kubernetes/kubernetes-dashboard-user-authentication/
In K8s, requests go through Authentication and Authorization (so the API server can determine if this user can perform the requested action). K8s doesn't have users in the simple meaning of that word (Kubernetes users are just strings associated with a request through credentials). The credential strategy is a choice you make while you install the cluster (you can choose from x509, password files, Bearer tokens, etc.).
Without credentials the K8s API server automatically falls back to an anonymous user, and there is no way to check if the provided credentials are valid.
You can do something like this (not tested):
Create a new credential using OpenSSL
export NEW_CREDENTIAL=USER:$(echo PASSWORD | openssl passwd -apr1 -noverify -stdin)
Append the previously created credentials to /opt/bitnami/kubernetes/auth.
echo $NEW_CREDENTIAL | sudo tee -a /opt/kubernetes/auth
Replace the cluster basic-auth secret.
kubectl delete secret basic-auth -n kube-system
kubectl create secret generic basic-auth --from-file=/opt/kubernetes/auth -n kube-system
I want to create basic authentication in Kubernetes. Every document says that I should create a CSV or file and then enter the username and password in it, but I do not want to use a file; I want some database or Kubernetes itself to handle it.
What can I do for basic authentication?
You can base your authentication on tokens if you don't want to use a static password file.
First option:
Service Account Tokens
A service account is an automatically enabled authenticator that uses signed bearer tokens to verify requests.
The plugin uses two flags (which are optional):
Service accounts are usually created automatically by the API server and associated with pods running in the cluster through the ServiceAccount Admission Controller. Bearer tokens are mounted into pods at well-known locations, and allow in-cluster processes to talk to the API server. Accounts may be explicitly associated with pods using the serviceAccountName field of a PodSpec.
Service account bearer tokens are perfectly valid to use outside the cluster and can be used to create identities for long standing jobs that wish to talk to the Kubernetes API. To manually create a service account, simply use the kubectl create serviceaccount (NAME) command. This creates a service account in the current namespace and an associated secret.
The created secret holds the public CA of the API server and a signed JSON Web Token (JWT).
The signed JWT can be used as a bearer token to authenticate as the given service account. See above for how the token is included in a request. Normally these secrets are mounted into pods for in-cluster access to the API server, but can be used from outside the cluster as well.
There are some drawbacks: because service account tokens are stored in secrets, any user with read access to those secrets can authenticate as the service account. Be careful when granting permissions to service accounts and read capabilities for secrets.
Second:
Install OpenID Connect (full documentation you can find here: oidc).
OpenID Connect (OIDC) is a superset of OAuth2 supported by some service providers, notably Azure Active Directory, Salesforce, and Google. The protocol’s main addition on top of OAuth2 is a field returned with the access token called an ID Token. This token is a JSON Web Token (JWT) with well known fields, such as a user’s email, signed by the server.
To identify the user, the authenticator uses the id_token (not the access_token) from the OAuth2 token response as a bearer token.
Since all of the data needed to validate who you are is in the id_token, Kubernetes doesn’t need to “phone home” to the identity provider. In a model where every request is stateless this provides a very scalable solution for authentication.
Kubernetes has no “web interface” to trigger the authentication process. There is no browser or interface to collect credentials which is why you need to authenticate to your identity provider first.
There’s no easy way to authenticate to the Kubernetes dashboard without using the kubectl proxy command or a reverse proxy that injects the id_token.
More information you can find here: kubernetes-authentication.
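Both the OIDC answer to the first question and the service-account/OIDC answer above come down to what is inside the bearer token, so here is one added example (not Kubernetes' code and not part of either answer) that inspects both kinds. The sample tokens are constructed in the block with a placeholder signature; the signature check the apiserver does against the issuer's JWKS (the `idp-issuer-url` is the `iss` claim, and `iss` + `/.well-known/openid-configuration` is where the keys are published) is deliberately not reproduced. What is reproduced are the claim checks that decide whether a validly signed token is accepted: `iss` must equal the configured issuer exactly, the client-id must be in `aud`, and `exp` must be in the future. The helper names are this example's own.

```python
"""Inspect the bearer tokens kube-apiserver accepts: OIDC id_tokens and
service-account JWTs. Added example, not Kubernetes' code. Tokens built
here are constructed samples with a placeholder signature; signature
verification (JWKS / SA signing key) is NOT reproduced.
"""
import base64
import json
import time


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Return (header, claims) without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def make_sample_jwt(claims, alg="RS256"):
    """Constructed sample token: real ones carry a real signature."""
    header = {"alg": alg, "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def check_oidc_claims(claims, issuer_url, client_id, now=None):
    """Mirror the apiserver's OIDC claim checks. Returns a list of
    problems; an empty list means accepted (given a valid signature)."""
    now = time.time() if now is None else now
    problems = []
    # --oidc-issuer-url / idp-issuer-url must match iss exactly (trailing '/' included)
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer_url!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        problems.append(f"client-id {client_id!r} not in aud {auds!r}")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("id_token expired; kubectl uses refresh-token to obtain a new one")
    return problems


def service_account_identity(claims):
    """Map a service-account JWT to the username RBAC sees:
    system:serviceaccount:<namespace>:<name>."""
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns and name:
        return f"system:serviceaccount:{ns}:{name}"
    sub = claims.get("sub", "")
    if sub.startswith("system:serviceaccount:"):
        return sub
    raise ValueError("not a Kubernetes service-account token")


if __name__ == "__main__":
    # Constructed id_token: what the OIDC question's 'id-token' field would hold.
    tok = make_sample_jwt({"iss": "https://accounts.google.com", "aud": "my-client-id",
                           "email": "alice@example.com", "exp": int(time.time()) + 3600})
    _, claims = decode_jwt_unverified(tok)
    print("issuer url to configure:", claims["iss"])
    print("problems:", check_oidc_claims(claims, "https://accounts.google.com", "my-client-id"))
```

To apply this to a real token, paste the id_token (or the `token` field of a service-account secret, base64-decoded) into `decode_jwt_unverified`; the `iss` claim it prints is the value for `idp-issuer-url`, and the `aud` claim must equal the `client-id` you pass to kubectl.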
I'm using OpenShift 3.11 and I have a very hard time figuring out how to set up a permanent token for image pull and push.
After I do docker login it is OK, but eventually that token expires.
By the documentation it seems that the service accounts default and builder should have access.
As you can see each of them have some default dockercfg:
Labels:
Annotations:
Image pull secrets: default-dockercfg-ttjml
Mountable secrets: default-token-q4x4w
default-dockercfg-ttjml
Tokens: default-token-729xq
default-token-q4x4w
Events:
default-dockercfg-ttjml, which has a really weird username and password. I read the documentation many times and still I can't understand how to set up a permanent token. Can someone explain to me in a plain manner what the procedure is?
AFAIK, the serviceAccount token does not expire until you create it again. Look at [0] for details. If you want to create a docker authentication secret against an external docker registry, refer to [1] for details.
[0]Managing Service Accounts
The generated API token and registry credentials do not expire, but they can be revoked by deleting the secret.
[1]Allowing Pods to Reference Images from Other Secured Registries
$ oc create secret generic <pull_secret_name> \
--from-file=.dockerconfigjson=<path/to/.docker/config.json> \
--type=kubernetes.io/dockerconfigjson
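As an added example that is not part of the answer above or of OpenShift's code, this builds the same kind of `kubernetes.io/dockerconfigjson` Secret the `oc create secret` command produces, using a service-account token as the registry password, and reverses the operation so you can see what is actually inside a generated `*-dockercfg-*` secret (the "weird username and password" are exactly a user name plus the SA token, base64-encoded as `user:token` under `auth`). The registry host, token value and secret names are constructed placeholders.

```python
"""Build and unpack Docker registry pull secrets. Added example, not
OpenShift's code; registry host, token and names are constructed.
"""
import base64
import json


def docker_config_json(registry, username, password, email=None):
    """config.json as docker/podman read it: auth = base64('user:pass')."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"auth": auth}
    if email:
        entry["email"] = email
    return {"auths": {registry: entry}}


def dockerconfigjson_secret(name, namespace, config):
    """Manifest equivalent to
    oc create secret generic NAME --from-file=.dockerconfigjson=FILE \\
        --type=kubernetes.io/dockerconfigjson"""
    raw = json.dumps(config, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }


def credentials_from_secret(secret, registry):
    """Recover (username, password) from either secret type:
    kubernetes.io/dockerconfigjson ({"auths": {host: {...}}}) or the
    legacy kubernetes.io/dockercfg ({host: {...}}) that OpenShift 3
    generates as *-dockercfg-*. Password is everything after the first ':'."""
    data = secret["data"]
    if ".dockerconfigjson" in data:
        auths = json.loads(base64.b64decode(data[".dockerconfigjson"]))["auths"]
    elif ".dockercfg" in data:
        auths = json.loads(base64.b64decode(data[".dockercfg"]))
    else:
        raise ValueError("not a docker registry secret")
    if registry not in auths:
        raise KeyError(f"no entry for {registry}; have {sorted(auths)}")
    user_pass = base64.b64decode(auths[registry]["auth"]).decode()
    username, _, password = user_pass.partition(":")
    return username, password


if __name__ == "__main__":
    # Constructed: internal registry host and a placeholder SA token.
    cfg = docker_config_json("docker-registry.default.svc:5000", "builder",
                             "sa-token-placeholder")
    print(json.dumps(dockerconfigjson_secret("my-pull-secret", "myproject", cfg), indent=2))
```

Link the resulting secret to the service account (`oc secrets link default my-pull-secret --for=pull`) rather than pasting the token into pods; and because `credentials_from_secret` shows how little stands between a secret and a usable registry credential, RBAC read access on secrets in that namespace is equivalent to holding the token.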
I'm trying to get login/pass authentication working on Vault.
When I try the method given in the API documentation here: https://www.vaultproject.io/api/auth/userpass/index.html#login
I get this error:
$ curl --request POST --data @payload.json https://<myurl>:8200/v1/auth/userpass/login/<mylogin> -k
{"errors":["missing client token"]}
And I can't find information on this error. It makes me wonder what happens, because I want to authenticate with login/pass to get the token, so that's just normal to not have it.
Here is the content of the payload.json:
{
"password": "foo"
}
Is there any way to login with username/password? This is the only fallback method I have when the user does not know its token.
Thanks!
OK, so I figured it out by trials.
So the userpass auth was indeed disabled. I have to use LDAP auth. With the Vault UI that is installed, I managed to find the URL to authenticate. It was the following: https://******:8200/v1/auth/<ldap>/login/<user>
And that way it's working.
Unfortunately, it does not help in the end. The idea was to synchronize Vault data locally, but the Vault API is really not built for that kind of access. It requires a LOT of requests and ends up being very slow for a few synchronized secrets.
Make sure you are logging in under the correct namespace. You will get this error if your authentication method is enabled under something other than the default namespace that your CLI tool is using.
You can specify the namespace with the -ns=my/namespace/ parameter or the VAULT_NAMESPACE environment variable.
For example, if your namespace is "desserts/icecream"
vault login -ns=desserts/icecream/ -method=userpass username=ian
# OR
export VAULT_NAMESPACE=desserts/icecream/
vault login -method=userpass username=ian
In my case, I was not setting the Vault token in the right environment variable.
You have to set the value in VAULT_TOKEN so that it is used in subsequent requests. My env variable was Vault_Token, and due to this it always said "missing client token".
By default, Vault checks for this environment variable to find the token.
vault kv get --field "ACCESS_KEY_ID" secret/my-secret
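The three answers above describe one login flow from different angles: the login endpoint takes no token, the namespace header must match where the auth method is mounted, and every later request must carry the token in `X-Vault-Token` (which is what the CLI fills from exactly `VAULT_TOKEN`). The following added example, not HashiCorp's code and not part of any answer above, puts that flow into one script; the mount path, namespace, user and addresses are constructed placeholders, and the case-variant check in `token_from_env` is this example's own diagnostic.

```python
"""Vault userpass/ldap login over the HTTP API. Added example, not
HashiCorp's code; mount, namespace, username and address are constructed.
"""
import json
import os
import urllib.error
import urllib.request


def login_request(vault_addr, mount, username, password, namespace=None):
    """Login endpoints are unauthenticated: no X-Vault-Token is sent.
    X-Vault-Namespace must name the namespace the auth method is enabled
    in (CLI: -ns=... or VAULT_NAMESPACE), otherwise Vault looks in the
    root namespace and the login fails."""
    url = f"{vault_addr.rstrip('/')}/v1/auth/{mount.strip('/')}/login/{username}"
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace.strip("/") + "/"
    body = json.dumps({"password": password}).encode()   # same as payload.json
    return url, headers, body


def client_token_from_login(response_text):
    """Extract auth.client_token and its TTL from a login response."""
    data = json.loads(response_text)
    auth = data.get("auth") or {}
    if "client_token" not in auth:
        raise ValueError(f"no client_token in response: {data.get('errors')}")
    return auth["client_token"], auth.get("lease_duration")


def authed_headers(token, namespace=None):
    """Headers every post-login request (e.g. GET /v1/secret/data/my-secret) needs."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace.strip("/") + "/"
    return headers


def token_from_env(environ=None):
    """The CLI and API read exactly VAULT_TOKEN. Returns (token, near_misses);
    near_misses lists case variants such as Vault_Token that are silently
    ignored and surface as 'missing client token'."""
    environ = os.environ if environ is None else environ
    if environ.get("VAULT_TOKEN"):
        return environ["VAULT_TOKEN"], []
    near = [k for k in environ if k.lower() == "vault_token" and k != "VAULT_TOKEN"]
    return None, near


def login(vault_addr, mount, username, password, namespace=None, timeout=10):
    """Network round trip (not exercised offline)."""
    url, headers, body = login_request(vault_addr, mount, username, password, namespace)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return client_token_from_login(resp.read().decode())
    except urllib.error.HTTPError as e:
        raise ValueError(f"login failed {e.code}: {e.read().decode()}") from None


if __name__ == "__main__":
    token, near = token_from_env()
    if token is None and near:
        print("VAULT_TOKEN unset but found:", near, "(rename it)")
    # Constructed call; username/password come from your own environment.
    print(login_request("https://vault.example:8200", "ldap", "ian", "secret",
                        namespace="desserts/icecream"))
```

For the bulk-sync case the last answer describes, the returned token is what every subsequent `kv get` carries; renew or re-login when `lease_duration` runs out rather than logging in per secret.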