kubelogin
kubepug
Our great sponsors
kubelogin | kubepug | |
---|---|---|
13 | 9 | |
1,495 | 1,344 | |
- | 2.1% | |
8.8 | 8.6 | |
8 days ago | 10 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kubelogin
-
Windows auth with K8s on prem
It is sort of a roundabout way, but I sync Active Directory to a Keycloak realm, then use OIDC auth with kube-oidc-proxy (https://github.com/jetstack/kube-oidc-proxy) and kubelogin (https://github.com/int128/kubelogin) for OIDC-based auth to the api server.
-
Kubernetes in production.
Yes, I setup a cluster with no SPFs. That means an HA setup for the external load balancer. I use HAProxy for my ELB, and setup 2 instances with a VRRP + keepalived to provide HA to the ingress controller. I run the control plane private, accessible only from localhost. I setup kube-oidc-proxy (https://github.com/jetstack/kube-oidc-proxy) to expose the API server with single sign-on on the ingress controller, and use the kubelogin plugin (https://github.com/int128/kubelogin) to provide OIDC support to kubectl. I then setup Keycloak to handle OIDC/OAuth2/SAML and syncing to Active Directory, and setup groups in Active Directory to control acccess to clusters. Devs each get their own namespace in the dev cluster, with mostly cluster-admin access to their namespace. Staging/Prod clusters are locked down, with read-only access to devs. Thanks to the OIDC auth to the APIServer, when employees are onboarded & offboarded, we only need to add/remove them from groups in Active Directory and everything else just magically syncs.
-
Getting started with kubectl plugins
Link to GitHub Repository
-
Why are there so many OIDC SSO options for Kubernetes?
kubelogin (helper for k8s build in OIDC support)
-
RBAC MANAGEMENT
I use the kube-login plugin for kubectl (https://github.com/int128/kubelogin) along with the kube-oidc-proxy (https://github.com/jetstack/kube-oidc-proxy), using Keycloak as my OIDC provider (https://www.keycloak.org) and doing LDAP synchronization to Active Directory.
-
k8s dex authentications
With a working dex/OIDC configuration, you could use: https://github.com/int128/kubelogin
-
What is the biggest challenge you/your org faces while running k8s in production?
We use Keycloak for this purpose. We deploy an OIDC-proxy to the kube-api (https://github.com/jetstack/kube-oidc-proxy), then use the kubectl plugin 'kubelogin' (aka oidc-login if you use krew - https://github.com/int128/kubelogin). This gives us the ability to have no user secrets in our KUBECONFIG, and to use Keycloak's Active Directory/LDAP user & group federation to control access to clusters. With this, downloading the KUBECONFIG is self-service, and adding users to new clusters is as easy as adding them to a group in AD.
-
How to Secure Your Kubernetes Cluster with OpenID Connect and RBAC
Before we can go ahead and test this out, we need to do some setup for kubectl so that it knows how to do OIDC authentication. We need to install kubelogin plugin for this. Go ahead and install it using any of the following commands.
-
Making Kubernetes Operations Easy with kubectl Plugins
kubelogin - If you're using OIDC provider such as Google, Keycloak or Dex for authenticating to Kubernetes cluster, then this plugin also known as oidc-login in krew can help you avoid having to manually login into your cluster over and over again. When you setup this plugin, every time you attempt to run any kubectl command without having valid authentication token, oidc-login will automatically open your provider's login page and after successful authentication grabs the token and logs you into the cluster. To see video of workflow check out the repository here.
kubepug
- Kubernetes upgrade
-
Kubernetes 1.21 - Going EOL on major cloud providers in early 2023
Also kubepug - https://github.com/rikatz/kubepug
-
Essential plugins for Kubectl CLI
References Kubepug net-forward Krew
-
Making Kubernetes Operations Easy with kubectl Plugins
kube-pug - is a plugin known as deprecations in krew. Every cluster needs to be upgraded sooner or later and at some point you will run into API deprecations and/or removals. Finding what's being deprecated can be long and error-prone process and this plugin tries to simplify that. All you need to do is run kubectl deprecations --k8s-version=v1.XX.X and you will get list of all the instances of API objects in cluster that will be deprecated or removed in the specified version.
-
SilverSurfer - An OpenSource project to check ApiVersion Status and provide Migration path for Kubernetes objects when upgrading Kubernetes to 1.22 or any other.
Kubepug - Only checks whether the existing objects have any Deprecated ApiVersions
What are some alternatives?
kube-no-trouble - Easily check your clusters for use of deprecated APIs
lens - Lens - The way the world runs Kubernetes
pam-keycloak-oidc - PAM module connecting to Keycloak for user authentication using OpenID Connect/OAuth2, with MFA/2FA/TOTP support
kubectl-neat - Clean up Kubernetes yaml and json output to make it readable
okta-k8s-oidc-terraform-example - An example repo showcasing setting up Okta OIDC using Terraform
ksniff - Kubectl plugin to ease sniffing on kubernetes pods using tcpdump and wireshark
kubeval - Validate your Kubernetes configuration files, supports multiple Kubernetes versions
kubectl-kubesec - Security risk analysis for Kubernetes resources
ketall - Like `kubectl get all`, but get really all resources
kube-oidc-proxy - Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
dex - OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors