kube-oidc-proxy
pinniped
| | kube-oidc-proxy | pinniped |
|---|---|---|
| Mentions | 5 | 5 |
| Stars | 474 | 506 |
| Growth | 3.2% | 1.6% |
| Activity | 1.8 | 9.6 |
| Latest commit | 10 days ago | 6 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kube-oidc-proxy
-
Windows auth with K8s on prem
It is sort of a roundabout way, but I sync Active Directory to a Keycloak realm, then use OIDC auth with kube-oidc-proxy (https://github.com/jetstack/kube-oidc-proxy) and kubelogin (https://github.com/int128/kubelogin) for OIDC-based auth to the api server.
-
Kubernetes in production.
Yes, I set up a cluster with no SPFs. That means an HA setup for the external load balancer. I use HAProxy for my ELB, and set up 2 instances with VRRP + keepalived to provide HA to the ingress controller. I run the control plane private, accessible only from localhost. I set up kube-oidc-proxy (https://github.com/jetstack/kube-oidc-proxy) to expose the API server with single sign-on on the ingress controller, and use the kubelogin plugin (https://github.com/int128/kubelogin) to provide OIDC support to kubectl. I then set up Keycloak to handle OIDC/OAuth2/SAML and syncing to Active Directory, and set up groups in Active Directory to control access to clusters. Devs each get their own namespace in the dev cluster, with mostly cluster-admin access to their namespace. Staging/Prod clusters are locked down, with read-only access to devs. Thanks to the OIDC auth to the API server, when employees are onboarded & offboarded, we only need to add/remove them from groups in Active Directory and everything else just magically syncs.
-
Why are there so many OIDC SSO options for Kubernetes?
kube-oidc-proxy (OIDC to Kubernetes API servers where OIDC authentication is not available)
-
RBAC MANAGEMENT
I use the kube-login plugin for kubectl (https://github.com/int128/kubelogin) along with the kube-oidc-proxy (https://github.com/jetstack/kube-oidc-proxy), using Keycloak as my OIDC provider (https://www.keycloak.org) and doing LDAP synchronization to Active Directory.
-
What is the biggest challenge you/your org faces while running k8s in production?
We use Keycloak for this purpose. We deploy an OIDC-proxy to the kube-api (https://github.com/jetstack/kube-oidc-proxy), then use the kubectl plugin 'kubelogin' (aka oidc-login if you use krew - https://github.com/int128/kubelogin). This gives us the ability to have no user secrets in our KUBECONFIG, and to use Keycloak's Active Directory/LDAP user & group federation to control access to clusters. With this, downloading the KUBECONFIG is self-service, and adding users to new clusters is as easy as adding them to a group in AD.
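The setup the two posts above describe (private apiserver, kube-oidc-proxy as the only thing on the ingress, kubelogin fetching the token, Keycloak federating Active Directory groups that drive RBAC) fits in a few manifests. The following is an added, annotated example written for this page; it is not from the Reddit thread or from either project's repository. The hostnames, realm name, client ID `kubernetes`, the namespace `alice`, the AD group `k8s-dev-alice`, the image tag and the CA path are assumptions, as is a Keycloak client scope called `groups` carrying a Group Membership mapper; the `--oidc-*` flags are the ones each tool documents.

```yaml
# Added example, not from the Reddit thread or either project's repository. Hostnames,
# realm, client ID, the namespace alice, the group name and the image tag are assumptions.
---
# 1. kube-oidc-proxy: the only endpoint on the ingress. It validates each ID token itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-oidc-proxy
  namespace: kube-oidc-proxy
spec:
  selector:
    matchLabels: {app: kube-oidc-proxy}
  template:
    metadata:
      labels: {app: kube-oidc-proxy}
    spec:
      serviceAccountName: kube-oidc-proxy
      containers:
      - name: proxy
        image: quay.io/jetstack/kube-oidc-proxy:v0.3.0   # assumed tag
        args:
        - --secure-port=443
        - --tls-cert-file=/etc/tls/tls.crt
        - --tls-private-key-file=/etc/tls/tls.key
        - --oidc-issuer-url=https://keycloak.example.com/realms/corp
        - --oidc-client-id=kubernetes
        - --oidc-username-claim=preferred_username
        - --oidc-groups-claim=groups
        # Prefixes stop an IdP-managed group called system:masters from matching the real one.
        - "--oidc-username-prefix=oidc:"
        - "--oidc-groups-prefix=oidc:"
        volumeMounts:
        - {name: tls, mountPath: /etc/tls, readOnly: true}
      volumes:
      - name: tls
        secret: {secretName: kube-oidc-proxy-tls}
---
# 2. The proxy impersonates the authenticated user at the private apiserver, so this service
#    account can act as anyone: treat its token as cluster-admin and never reuse the account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-oidc-proxy
rules:
- apiGroups: [""]
  resources: [users, groups, serviceaccounts]
  verbs: [impersonate]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-oidc-proxy
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: kube-oidc-proxy}
subjects:
- {kind: ServiceAccount, name: kube-oidc-proxy, namespace: kube-oidc-proxy}
---
# 3. One developer's namespace. The AD group, synced into Keycloak and emitted in the groups
#    claim, arrives as oidc:<name>; the built-in admin ClusterRole grants nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k8s-dev-alice-admin
  namespace: alice
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: admin}
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: oidc:k8s-dev-alice   # Keycloak's group mapper must emit the bare name, not /k8s-dev-alice
---
# 4. The developer's kubeconfig (a separate file, not applied to the cluster). No static
#    secret: kubelogin runs the browser login with PKCE and caches the ID token.
apiVersion: v1
kind: Config
current-context: dev
clusters:
- name: dev
  cluster:
    server: https://kube.example.com   # the kube-oidc-proxy ingress host, not the apiserver
    certificate-authority: /etc/ssl/certs/corp-ca.pem
users:
- name: keycloak
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.example.com/realms/corp
      - --oidc-client-id=kubernetes
      - --oidc-use-pkce
      - --oidc-extra-scope=groups
contexts:
- name: dev
  context: {cluster: dev, user: keycloak, namespace: alice}
```

Two points worth checking in a real deployment: confirm with `kubectl auth can-i --list` as a developer that the `oidc:` group binding resolves (a Keycloak mapper emitting the full group path `/k8s-dev-alice` silently matches nothing), and for the locked-down staging/prod clusters bind the same group to the built-in `view` ClusterRole with a ClusterRoleBinding instead of `admin`. If you control the apiserver flags, the same `--oidc-*` settings can go on kube-apiserver directly and the proxy is unnecessary; the proxy exists for the case where you cannot.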
pinniped
-
infra alternatives - paralus and pinniped
3 projects | 7 Apr 2023
-
How to authenticate non azure managed cluster via azure ad?
Otherwise you may need to look at 3rd-party alternatives like Pinniped - https://pinniped.dev/. This is also something I found to be recommended by the AKS team if you need a different OIDC provider than Azure AD.
-
Why are there so many OIDC SSO options for Kubernetes?
pinniped
-
Authentication options without access to kube-apiserver config?
Pinniped
What are some alternatives?
kubelogin - kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
dex - OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors (moved to https://github.com/dexidp/dex)
Keycloak - Open Source Identity and Access Management For Modern Applications and Services
ldapnomnom - Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)
lens - Lens - The way the world runs Kubernetes
infra - Infra provides authentication and access management to servers and Kubernetes clusters.
authentik - The authentication glue you need.
paralus - All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs.
idm - LibreGraph Identity Management