Dashboard authentication using Keycloak

Steps to install the OIDC authenticator and set up authentication

  1. Install Keycloak
curl -LO https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml
# The above file exposes the Keycloak service as a LoadBalancer. Change it to ClusterIP so Keycloak is not published directly on a public load balancer
kubectl apply -f keycloak.yaml
  2. Create a realm, a client, users and a group in Keycloak. Optionally, Keycloak can be connected to another OIDC provider to delegate authentication.
  3. Add custom mappers to the client scope "email": a) a "Group Membership" mapper that puts the user's groups in the "groups" claim, and b) an "Audience" mapper that puts the client ID in the "aud" claim (the API server rejects ID tokens whose "aud" does not contain its configured client ID)
  4. Enable OIDC authentication in kops
kops edit cluster ${NAME}
# add the following under spec; the claim names must match the mappers from step 3,
# and the issuer URL must match the "iss" claim of the tokens Keycloak issues exactly
# (the /auth prefix is the pre-Keycloak-17 path; Keycloak 17+ drops it by default)
spec:
  kubeAPIServer:
    oidcClientID: k8s-dashboard
    oidcGroupsClaim: groups
    oidcIssuerURL: https://keycloak.kops.dh4r4pvj.ga/auth/realms/k8s-user
    oidcUsernameClaim: email

# save the changes, then apply them and roll the control plane so the API server picks up the new flags
kops update cluster ${NAME} --yes
kops rolling-update cluster ${NAME} --cloudonly --yes
  5. Deploy the Kubernetes dashboard and keycloak-proxy, together with the ClusterRoles and ClusterRoleBinding
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
kubectl apply -f dashboard-proxy.yaml # this file is in the same directory of this repository on GitHub
  6. Log in as adm and as a regular user (there is no good way to log out)
  7. Profit!!
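
Before rolling the control plane in step 4 it is worth confirming that the ID tokens Keycloak actually issues line up with the kops settings, because the API server compares the "iss" claim with oidcIssuerURL byte for byte, requires oidcClientID in "aud", and rejects an "email" username whose "email_verified" claim is present but false. The script below is an added example written for this page (not code from the referenced repository, kops, Keycloak or the Kubernetes project): it decodes an ID token without verifying the signature and mirrors the API server's claim mapping so you can see which user and groups RBAC will be evaluated against. The kops values are the ones from step 4; the two prefix fields (which kops passes through as --oidc-username-prefix and --oidc-groups-prefix) are assumed unset, and the two sample tokens are constructed test data.

```python
import base64
import json

# Settings from spec.kubeAPIServer in step 4. The two prefix fields are assumed
# unset here; kops passes them to the API server as --oidc-username-prefix and
# --oidc-groups-prefix.
KOPS_OIDC = {
    "oidcIssuerURL": "https://keycloak.kops.dh4r4pvj.ga/auth/realms/k8s-user",
    "oidcClientID": "k8s-dashboard",
    "oidcUsernameClaim": "email",
    "oidcGroupsClaim": "groups",
    "oidcUsernamePrefix": "",
    "oidcGroupsPrefix": "",
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_id_token(token):
    """Return the payload of a JWT WITHOUT verifying its signature.

    Only for inspecting claims on a workstation; the API server verifies the
    signature against the issuer's JWKS, this function deliberately does not.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_unsigned_token(claims):
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


def map_claims(claims, cfg=KOPS_OIDC):
    """Mirror kube-apiserver's OIDC claim handling for one token payload.

    Returns (username, groups, problems). A non-empty `problems` list means the
    API server would reject the token outright.
    """
    problems = []

    # "iss" must equal --oidc-issuer-url exactly; a trailing slash is enough to fail.
    if claims.get("iss") != cfg["oidcIssuerURL"]:
        problems.append(f"iss {claims.get('iss')!r} != oidcIssuerURL {cfg['oidcIssuerURL']!r}")

    # "aud" must contain --oidc-client-id; this is what the Audience mapper in step 3 adds.
    aud = claims.get("aud", [])
    aud_list = aud if isinstance(aud, list) else [aud]
    if cfg["oidcClientID"] not in aud_list:
        problems.append(f"aud {aud_list!r} does not contain client {cfg['oidcClientID']!r}")

    # The username claim must be a non-empty string. With "email" as the claim, an
    # "email_verified" claim, when present, must be true (Keycloak emits false for
    # users whose address was never verified).
    uclaim = cfg["oidcUsernameClaim"]
    raw_user = claims.get(uclaim)
    if not isinstance(raw_user, str) or not raw_user:
        problems.append(f"username claim {uclaim!r} missing or not a string")
        raw_user = None
    if uclaim == "email" and "email_verified" in claims and claims["email_verified"] is not True:
        problems.append("email_verified is present but not true")

    # Prefix rules: a non-email username claim with no explicit prefix gets
    # "<issuer>#" prepended; an explicit "-" disables prefixing.
    uprefix = cfg["oidcUsernamePrefix"]
    if uprefix == "" and uclaim != "email":
        uprefix = cfg["oidcIssuerURL"] + "#"
    elif uprefix == "-":
        uprefix = ""
    username = uprefix + raw_user if raw_user else None

    # The groups claim may be a string or a list of strings; an absent claim just
    # means no groups. Keycloak's Group Membership mapper emits the full path
    # ("/k8s-admins") by default, so RBAC subjects must use that exact string.
    gclaim = cfg["oidcGroupsClaim"]
    raw_groups = claims.get(gclaim, [])
    if isinstance(raw_groups, str):
        raw_groups = [raw_groups]
    if not isinstance(raw_groups, list) or not all(isinstance(g, str) for g in raw_groups):
        problems.append(f"groups claim {gclaim!r} is not a string or list of strings")
        raw_groups = []
    groups = [cfg["oidcGroupsPrefix"] + g for g in raw_groups]

    return username, groups, problems


# Constructed sample: what a correctly configured Keycloak client should issue.
GOOD_TOKEN = make_unsigned_token({
    "iss": "https://keycloak.kops.dh4r4pvj.ga/auth/realms/k8s-user",
    "aud": ["k8s-dashboard"],
    "email": "alice@example.com",
    "email_verified": True,
    "groups": ["/k8s-admins"],
})

# Constructed sample with three common mistakes: trailing slash in iss, no Audience
# mapper (aud is only Keycloak's default "account"), and an unverified e-mail.
BAD_TOKEN = make_unsigned_token({
    "iss": "https://keycloak.kops.dh4r4pvj.ga/auth/realms/k8s-user/",
    "aud": "account",
    "email": "bob@example.com",
    "email_verified": False,
    "groups": "/k8s-users",
})

if __name__ == "__main__":
    for name, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        user, groups, problems = map_claims(decode_id_token(token))
        print(f"{name}: user={user} groups={groups} problems={problems}")
```

To check a real token, paste the ID token from the keycloak-proxy session (or one obtained with the client's credentials) in place of the constructed samples; the groups printed are the strings your ClusterRoleBinding subjects have to name.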

References:

  1. https://itnext.io/protect-kubernetes-dashboard-with-openid-connect-104b9e75e39c
  2. https://medium.com/@int128/kubectl-with-openid-connect-43120b451672
  3. https://devopstales.github.io/sso/k8s-dasboard-auth/