jetstack/kube-oidc-proxy jetstack/kube-oidc-proxy

  • Stars
    star
    476
  • Rank 89,394 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 5 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
jetstack/kube-oidc-proxy
github

jetstack

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.

kube-oidc-proxy

⚠️

kube-oidc-proxy is an experimental tool that we would like to get feedback on from the community. Jetstack makes no guarantees on the soundness of the security in this project, nor any suggestion that it's 'production ready'. This server sits in the critical path of authentication to the Kubernetes API.

⚠️

kube-oidc-proxy is a reverse proxy server to authenticate users using OIDC to Kubernetes API servers where OIDC authentication is not available (i.e. managed Kubernetes providers such as GKE, EKS, etc).

This intermediary server takes kubectl requests, authenticates the request using the configured OIDC Kubernetes authenticator, then attaches impersonation headers based on the OIDC response from the configured provider. This impersonated request is then sent to the API server on behalf of the user and it's response passed back. The server has flag parity with secure serving and OIDC authentication that are available with the Kubernetes API server as well as client flags provided by kubectl. In-cluster client authentication is also available when running kube-oidc-proxy as a pod.

Since the proxy server utilises impersonation to forward requests to the API server once authenticated, impersonation is disabled for user requests to the API server.

The following is a diagram of the request flow for a user request. kube-oidc-proxy request flow

Tutorial

Directions on how to deploy OIDC authentication with multi-cluster can be found here. or there is a helm chart.

Quickstart

Deployment yamls can be found in ./deploy/yaml and will require configuration to an exiting OIDC issuer.

This quickstart demo will assume you have a Kubernetes cluster without OIDC authentication, as well as an OIDC client created with your chosen provider. We will be using a Service with type LoadBalancer to expose it to the outside world. This can be changed depending on what is available and what suites your set up best.

Firstly deploy kube-oidc-proxy and it's related resources into your cluster. This will create it's Deployment, Service Account and required permissions into the newly created kube-oidc-proxy Namespace.

$ kubectl apply -f ./deploy/yaml/kube-oidc-proxy.yaml
$ kubectl get all --namespace kube-oidc-proxy

This deployment will fail until we create the required secrets. Notice we have also not provided any client flags as we are using the in-cluster config with it's Service Account.

We now wait until we have an external IP address provisioned.

$ kubectl get service --namespace kube-oidc-proxy

We need to generate certificates for kube-oidc-proxy to securely serve. These certificates can be generated through cert-manager, more information about this project found here.

Next, populate the OIDC authenticator Secret using the secrets given to you by your OIDC provider in ./deploy/yaml/secrets.yaml. The OIDC provider CA will be different depending on which provider you are using. The easiest way to obtain the correct certificate bundle is often by opening the providers URL into a browser and fetching them there (typically output by clicking the lock icon on your address bar). Google's OIDC provider for example requires CAs from both https://accounts.google.com/.well-known/openid-configuration and https://www.googleapis.com/oauth2/v3/certs.

Apply the secret manifests.

kubectl apply -f ./deploy/yaml/secrets.yaml

You can restart the kube-oidc-proxy pod to use these new secrets now they are available.

kubectl delete pod --namespace kube-oidc-proxy kube-oidc-proxy-*

Finally, create a Kubeconfig to point to kube-oidc-proxy and set up your OIDC authenticated Kubernetes user.

apiVersion: v1
clusters:
- cluster:
    certificate-authority: *
    server: https://[url|ip:443]
  name: *
contexts:
- context:
    cluster: *
    user: *
  name: *
kind: Config
preferences: {}
users:
- name: *
  user:
    auth-provider:
      config:
        client-id: *
        client-secret: *
        id-token: *
        idp-issuer-url: *
        refresh-token: *
      name: oidc

Configuration

Development

NOTE: building kube-oidc-proxy requires Go version 1.12 or higher.

To help with development, there is a suite of tools you can use to deploy a functioning proxy from source locally. You can read more here.

More Repositories

1

kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Go
2,163
star
2

version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
Go
649
star
3

navigator

Managed Database-as-a-Service (DBaaS) on Kubernetes
Go
271
star
4

tarmak

A toolkit for Kubernetes cluster provisioning and lifecycle management
Go
269
star
5

jetstack-secure

Open source components of Jetstack Secure
Go
251
star
6

paranoia

Inspect certificate authorities in container images
Go
218
star
7

terraform-google-gke-cluster

A Terraform module to create a best-practise Google Kubernetes Engine (GKE) cluster.
HCL
160
star
8

vault-unsealer

Vault Unseal automation
Go
129
star
9

cni-migration

A CLI to migrate the CNI on a Kubernetes cluster from Canal (Calico + Flannel) to Cilium, live with no downtime.
Go
72
star
10

google-cas-issuer

cert-manager issuer for Google CA Service
Makefile
70
star
11

getting-started-kubernetes

Getting Started with Kubernetes Workshop
Go
63
star
12

kubebuilder-sample-controller

k8s.io/sample-controller written with kubebuilder v2
Go
59
star
13

okta-kubectl-auth

Go
40
star
14

kustomize-cert-manager-demo

Demo using Kustomize for per-environment deployment of cert-manager
26
star
15

vault-helper

Vault helper script
Go
22
star
16

letsencrypt-caa-bug-checker

Tool to check your Kubernetes cluster for certificates affected by Let's Encrypt's CAA rechecking bug
Go
21
star
17

cert-manager-nginx-plus-lab

Lab demonstrating cert-manager, nginx-plus and Venafi
Shell
19
star
18

knet-stress

A simple networking stress test introspective for Kubernetes.
Go
18
star
19

elasticsearch-pet

An elasticsearch image for kubernetes PetSets
Shell
18
star
20

dependency-track-exporter

Go
17
star
21

tally

Go
14
star
22

cert-manager-external-issuer-example

An example repository implementing an external LocalCA issuer type
Go
9
star
23

tekton-demo

Demonstration of Tekton pipelines to supplement our blog post
Jsonnet
8
star
24

airworthy

Go
7
star
25

ingress-yubikey

Experimental Kubernetes Ingress Controller using a Yubikey for an HSM
Go
2
star
26

spiffe-workload-identity-demo

Demo of using cert-manager SPIFFE for for workload identity
Go
2
star
27

spiffe-connector

Using SPIFFE Verifiable Identity Documents to seamlessly authenticate to existing services.
Go
2
star
28

jsctl

CLI tool for Jetstack Secure
Go
2
star
29

cassandra-kubernetes-seed-provider

Java
2
star
30

service-mesh-con-2021-service-identity

Scripts that I used in demos for the 2021 ServiceMeshCon talk; Service Identity - The Key to Zero Trust with
Shell
1
star
31

ubuntu-nsenter

Image containing nsenter, required when running minikube on travis with helm
1
star
32

puppet-module-kubernetes_addons

Puppet module for Kubernetes cluster addons
Ruby
1
star
33

puppet-module-calico

Puppet module for Calico overlay network
Ruby
1
star
34

slingshot-cp-ansible-k8s-coreos

Slingshot config-provider for setting up Kubernetes on CoreOS using Ansible
Python
1
star
35

puppet-module-etcd

Puppet module for Etcd
Ruby
1
star
36

jetstack-secure-gcm

Contains configuration and user guide for the Jetstack Secure for cert-manager offering on the Google Cloud Marketplace.
Mustache
1
star
37

jwt-registry-auth

Go
1
star
38

vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
Go
1
star