• Stars: 201
• Rank: 194,491 (Top 4%)
• Language: Go
• License: MIT License
• Created about 8 years ago
• Updated over 4 years ago


Repository Details

Helper tool for authenticating to Kubernetes using Google's OpenID Connect


k8s-oidc-helper

This is a small helper tool to get a user authenticated with Kubernetes OIDC using Google as the Identity Provider.

Given a ClientID and ClientSecret, the tool will output the necessary configuration for kubectl, which you can add to ~/.kube/config:

$ k8s-oidc-helper -c ./client_secret.json
Enter the code Google gave you: <code>

# Add the following to your ~/.kube/config
users:
- name: [email protected]
  user:
    auth-provider:
      config:
        client-id: <client-id>
        client-secret: <client-secret>
        id-token: <id-token>
        idp-issuer-url: https://accounts.google.com
        refresh-token: <refresh-token>
      name: oidc

To merge the new configuration into your existing kubectl config file, run:

$ k8s-oidc-helper -c ./client_secret.json --write
Enter the code Google gave you: <code>

Configuration has been written to ~/.kube/config

# Then you can associate that user to a cluster
$ kubectl config set-context <context-name> --cluster <cluster-name> --user <[email protected]>
$ kubectl config use-context <context-name>

Setup

There is a bit of setup involved before you can use this tool.

First, you'll need to create a project and OAuth 2.0 Credential in the Google Cloud Console. You can follow this guide on creating an application, but do NOT create a web application. You'll need to select "Other" as the Application Type. Once that is created, you can download the ClientID and ClientSecret as a JSON file for ease of use.

Second, your kube-apiserver will need the following flags set in order to accept OpenID Connect tokens. The issuer URL and client ID must match the iss and aud claims of the ID tokens Google issues for your OAuth credential, and the username claim selects which claim (here, the user's email address) becomes the Kubernetes username:

--oidc-issuer-url=https://accounts.google.com \
--oidc-username-claim=email \
--oidc-client-id=<Your client ID>
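The three flags above describe what the apiserver checks on every request that carries an ID token. The following Go program, added here as an illustration and not part of the k8s-oidc-helper project, applies those same checks to a token (signature with the issuer's key, alg pinned to RS256, exact iss and aud matches, expiry, and presence of the email claim) and returns the username the apiserver would derive. Everything in it is constructed locally: the RSA key stands in for Google's published signing key, the client ID is a placeholder, and the claim set is a sample; in a real cluster the apiserver fetches the issuer's keys from the OIDC discovery document rather than generating them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the ID-token fields the flags act on: iss (--oidc-issuer-url), aud
// (--oidc-client-id) and email (--oidc-username-claim). Assumption: aud is a single string.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

var b64 = base64.RawURLEncoding // unpadded base64url, as JWT segments use

// NewSigningKey generates a throwaway RSA key that stands in for the issuer's key
// (hypothetical: Google publishes its real keys via the OIDC discovery document).
func NewSigningKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// decodeJSON base64url-decodes one token segment and unmarshals it into v.
func decodeJSON(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 builds a compact JWT (header.payload.signature) with RS256 so that a
// sample token can be constructed offline; in practice the identity provider does this.
func SignRS256(key *rsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64.EncodeToString(sig)
}

// Username applies the checks the apiserver flags configure and returns the username
// the apiserver would use. The signature is verified before any claim is trusted, and
// the algorithm is pinned so a token cannot downgrade itself to "none" or an HMAC.
func Username(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token: expected three segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return "", err
	}
	if hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return "", err
	}
	switch {
	case c.Iss != issuer:
		return "", fmt.Errorf("iss %q does not match --oidc-issuer-url", c.Iss)
	case c.Aud != clientID:
		return "", fmt.Errorf("aud %q does not match --oidc-client-id", c.Aud)
	case now.Unix() >= c.Exp:
		return "", errors.New("token expired; kubectl would use the refresh-token to obtain a new one")
	case c.Email == "":
		return "", errors.New("username claim \"email\" is missing")
	}
	return c.Email, nil
}
```

The order of checks matters: a token whose payload has been altered fails signature verification before its claims are ever parsed, and a token minted for a different OAuth client (a different aud) is rejected even though Google signed it, which is why the client ID in the apiserver flags must be the same one the helper tool was run with.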

Role-Based Access Control

If you are using RBAC as your --authorization-mode, you can use the following ClusterRole and ClusterRoleBinding for administrators that need cluster-wide access. Note that this role allows every verb on every resource in every API group, plus all non-resource URLs, so it is equivalent to unrestricted cluster-admin access; bind it only to the accounts that actually need that, and give other users narrower roles.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
  nonResourceURLs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-binding
subjects:
- kind: User
  name: [email protected]
roleRef:
  kind: ClusterRole
  name: admin-role

Installation

go get github.com/micahhausler/k8s-oidc-helper

Usage

Usage of k8s-oidc-helper:
      --client-id string       The ClientID for the application
      --client-secret string   The ClientSecret for the application
  -c, --config string          Path to a json file containing your application's ClientID and ClientSecret. Supercedes the --client-id and --client-secret flags.
      --file ~/.kube/config    The file to write to. If not specified, ~/.kube/config is used
  -o, --open                   Open the oauth approval URL in the browser (default true)
  -v, --version                Print version and exit
  -w, --write                  Write config to file. Merges in the specified file

License

MIT License. See License for the full text.

More Repositories

1. container-transform - Transforms docker-compose, ECS, and Marathon configurations (Python, 1,395 stars)
2. rabbitmq-compose - RabbitMQ running on docker (145 stars)
3. graylog-compose - Graylog running on docker (70 stars)
4. go-ftp - A simple ftp server written in go (Go, 43 stars)
5. homelab - Homelab setup (Go, 33 stars)
6. consul-demo - A demo for consul (Jupyter Notebook, 31 stars)
7. logspout-gelf - Logspout Adapter for Graylog's GELF (Go, 28 stars)
8. aws-iam-policy - AWS IAM policy in Go (Go, 12 stars)
9. container-tx - container-transform in go (Go, 11 stars)
10. loco - Docker Login Compressor (Go, 7 stars)
11. reinvent23-con335 - AWS re:Invent CON335: Securing Kubernetes Workloads in Amazon EKS (TypeScript, 7 stars)
12. consul-uwsgi-healthcheck - A health check script for consul to PING/PONG a uwsgi server (Go, 7 stars)
13. jwtdecode - CLI JWT Decoder (Go, 6 stars)
14. reinforce-grc302 - re:Inforce 2019 EKS Workshop (Shell, 5 stars)
15. mesos-docker - Mesos running in Docker (Shell, 4 stars)
16. docker-postgres-cert - A Dockerfile with a certificate generation script (Shell, 3 stars)
17. route53-dynamic-dns - A simple DNS updater (Go, 3 stars)
18. rpi-automation - RaspberryPi Automation (Shell, 3 stars)
19. k8s-signal-logger - A tool for observing Kubernetes healthchecks and signals (Go, 2 stars)
20. chadev-prometheus-demo (2 stars)
21. aws-monitor - AWS Cloudwatch Monitor script (Python, 2 stars)
22. go-template - A template for new golang projects (Go, 1 star)
23. es-proxy (Go, 1 star)
24. python3-utils - A collection of useful python3 utilities (Python, 1 star)
25. lightning - Lightning Talks (Python, 1 star)
26. docker-zk-exhibitor - Exhibitor + Zookeeper in Docker (Shell, 1 star)
27. ssh2ec2 - SSH to EC2 instances using tags and metadata to select the target instance (Python, 1 star)
28. django-app-upgrade-guide - A guide for upgrading 3rd party django apps from 1.6 to 1.7 (1 star)
29. avayafmt - Quick and dirty listener for Avaya's "unformatted" CDR report (Go, 1 star)
30. vagrant-demo - Demo Vagrant project (Shell, 1 star)
31. debate-word-cloud - A word cloud generator for presidential debates (1 star)
32. youngprogrammer.ninja - Where young programming ninjas are born (Go, 1 star)
33. utmptail - Emit utmp files as JSON (Go, 1 star)
34. ipython-go-kernel - A play.golang.org kernel for IPython (Python, 1 star)
35. ipython_notebook_docker - ipython notebook running in docker (Shell, 1 star)
36. pycharm-coverage - Pycharm coverage demo (Python, 1 star)
37. httpsig-scratch - Scratch project for RFC9421 prototyping (Go, 1 star)
38. docker-saltminion - Dockerfile for bootstrapping a salt minion that runs in a docker container (Shell, 1 star)
39. consul-registration - A container for registering consul (Go, 1 star)