Authenticate to Kubernetes with OIDC
So you've got a shiny Kubernetes cluster, and you're probably using the cluster-admin kubeconfig that was created during the initial bootstrap.
That hard-coded cluster-admin credential is fine while you're bootstrapping, and should be stored safely somewhere as a credential of last resort, but for day-to-day access you'll probably want to secure your cluster with something a little more... secure.
Consider the following downsides to a single, static, long-lived credential:
- It can get stolen, and it isn't tied to any individual, so you can't tell who used it
- It can't be shared safely (you might want to give your team access to the cluster, or a limited subset of admin access, without handing everyone cluster-admin)
- It can't be protected with MFA
- Using it with the Kubernetes Dashboard (copying and pasting a token into a browser window) is a huge PITA
True to form, Kubernetes doesn't provide a turnkey access solution, but it does provide all the necessary primitives (RBAC, apiserver arguments, etc.) to build your own, starting with authenticating and authorizing access to the apiserver.
Requirements
Securing access to the Kubernetes API server requires an OIDC provider, be it an external service like Auth0 or Okta, or a self-hosted, open-source IdP like Keycloak or authentik.
Setup Provider
- Setup Authentik for Kubernetes API authentication
- Keycloak (coming soon)
Configure Kubernetes for OIDC auth
Once you've configured your OIDC provider, review the following, based on your provider and your Kubernetes platform:
Authentik
- Authenticate K3s with Authentik as an OIDC provider
- Authenticate EKS with Authentik as an OIDC provider
- Authenticate a kubeadm cluster using Authentik as an OIDC provider (coming soon)
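Whatever the platform, the Kubernetes side of the setup comes down to the same three primitives: the apiserver's `--oidc-*` flags, an RBAC binding for the groups your IdP emits, and a kubeconfig that obtains an ID token. The script below is an added example, not part of the original page or any of the linked recipes; the issuer URL, client ID, group names, and the use of the kubelogin (`kubectl oidc-login`) plugin are assumptions you'll substitute for your own provider's values.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the three Kubernetes-side
# primitives an OIDC login needs, generated as functions so the output can be
# reviewed before it's applied. Issuer, client ID and group names are assumed.
set -eu

OIDC_ISSUER="${OIDC_ISSUER:-https://authentik.example.com/application/o/kubernetes/}"
OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-kubernetes}"

# 1. kube-apiserver flags. The username/groups prefixes put every identity
#    from the IdP into its own "oidc:" namespace, so a claim value such as
#    "system:masters" or "kube-admin" can never collide with Kubernetes'
#    built-in users and groups.
apiserver_oidc_args() {
  cat <<EOF
--oidc-issuer-url=${OIDC_ISSUER}
--oidc-client-id=${OIDC_CLIENT_ID}
--oidc-username-claim=email
--oidc-username-prefix=oidc:
--oidc-groups-claim=groups
--oidc-groups-prefix=oidc:
EOF
}

# The same flags in the form K3s accepts on its server command line
# (or, one per line, under kube-apiserver-arg: in /etc/rancher/k3s/config.yaml).
k3s_server_args() {
  apiserver_oidc_args | sed 's/^/--kube-apiserver-arg=/'
}

# 2. RBAC: bind one IdP group (with the prefix above) to a built-in ClusterRole.
#    Use "cluster-admin" for the ops team and "view" for read-only users; the
#    credential of last resort stays in the safe.
rbac_binding() {
  local group="$1" role="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-${group}-${role}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:${group}
EOF
}

# 3. kubeconfig "users" entry using the kubelogin exec plugin
#    (https://github.com/int128/kubelogin), which runs the browser login flow
#    and caches the ID token. Add --oidc-client-secret if the client is
#    configured as confidential rather than public in your IdP.
kubeconfig_user() {
  cat <<EOF
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=${OIDC_ISSUER}
      - --oidc-client-id=${OIDC_CLIENT_ID}
      - --oidc-extra-scope=email
      - --oidc-extra-scope=groups
EOF
}

# Only touch the cluster when explicitly asked: ./oidc.sh apply <admin-group> <view-group>
if [ "${1:-}" = "apply" ]; then
  rbac_binding "${2:-k8s-admins}" cluster-admin | kubectl apply -f -
  rbac_binding "${3:-k8s-viewers}" view | kubectl apply -f -
fi
```

Print `k3s_server_args` into your K3s install command, apply the two bindings, and merge `kubeconfig_user` into the kubeconfig you hand out; the cluster-admin kubeconfig from bootstrap then goes into the password safe rather than onto every laptop.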