Kubernetes Authn/Authz with Google OIDC and RBAC

Intro

Overview:

Versions:

First: Create Google OAuth clientSecret and clientID

Next: Configure k8s api server for Google OIDC

# first create the k8s cluster with RBAC enabled
kops create cluster \
  --authorization RBAC \
  --name $CLUSTER \
  --cloud aws \
  --state $S3_STATE_STORE

# edit the cluster config and add OIDC data
kops edit cluster $CLUSTER --state $S3_STATE_STORE

# add this under spec: in the cluster manifest that opens
kubeAPIServer:
  authorizationRbacSuperUser: admin
  oidcIssuerURL: https://accounts.google.com
  oidcClientID: REDACTED.apps.googleusercontent.com
  oidcUsernameClaim: email

Next: Create RBAC Roles and Rolebindings for Users

# system.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:node--kubelet
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- kind: User
  name: kubelet
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin--kube-system:default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:node-proxier--kube-proxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-proxier
subjects:
- kind: User
  name: kube-proxy

# dev.yaml
# Give devs full access to the development namespace.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: dev-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role-binding
  namespace: development   # a RoleBinding must live in the same namespace as the Role it references
subjects:
- kind: User
  name: jessica@gmail.com
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io

Next: Authenticate via Google and get OIDC token

k8s-oidc-helper --client-id=REDACTED.apps.googleusercontent.com \
  --client-secret=REDACTED \
  --write=true

$ cat ~/.kube/config
apiVersion: v1
kind: Config
preferences: {}
users:
- name: jessica@gmail.com
  user:
    auth-provider:
      name: oidc
      config:
        client-id: REDACTED.apps.googleusercontent.com
        client-secret: REDACTED
        id-token: REDACTED
        idp-issuer-url: https://accounts.google.com
        refresh-token: REDACTED
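The API server turns the token's `email` claim (the `oidcUsernameClaim` set above) into the username that the `kind: User` subject in dev.yaml must match exactly. The following Python is an added example, not code from the original post or from k8s-oidc-helper: it decodes the id-token that lands in kubeconfig and applies the same issuer, audience, expiry and `email_verified` checks the API server applies, so you can confirm the derived name equals the RoleBinding subject. It inspects claims only and does not verify the signature (the API server does that against Google's published keys); the token it builds for demonstration is a constructed, unsigned placeholder.

```python
import base64
import json
import time

# Settings from the post's kops cluster spec (the client ID is the page's placeholder).
OIDC_ISSUER_URL = "https://accounts.google.com"        # oidcIssuerURL
OIDC_CLIENT_ID = "REDACTED.apps.googleusercontent.com"  # oidcClientID
OIDC_USERNAME_CLAIM = "email"                           # oidcUsernameClaim


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token: str) -> dict:
    """Return the JWT payload; the signature is NOT checked here (the API server does that)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))

def api_server_username(id_token: str, now=None) -> str:
    """Username the API server would derive, or ValueError naming why it rejects the token."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not include our client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # With username claim "email", an explicit email_verified: false is rejected.
    if claims.get("email_verified") is False:
        raise ValueError("email not verified")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {OIDC_USERNAME_CLAIM!r} claim")
    return username

def rbac_subject_matches(id_token: str, subject_name: str, now=None) -> bool:
    """True if a RoleBinding subject `kind: User, name: subject_name` applies to this token."""
    try:
        return api_server_username(id_token, now) == subject_name
    except ValueError:
        return False

def make_test_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only (alg none, dummy signature)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.x"
```

To check a real kubeconfig, paste the `id-token` value into `api_server_username` and compare the result with the `name:` under `subjects:` in dev.yaml.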

Next: Update kubeconfig with a new cluster (with TLS cert) and a new context.

#!/bin/bash
# get the name of the ca cert that kops created in the
# state store s3 bucket
cert=$(aws s3 ls $S3_STATE_STORE/$CLUSTER/pki/issued/ca/ | awk '{print $4}')
# copy the ca cert locally for kubectl to reference
aws s3 cp $S3_STATE_STORE/$CLUSTER/pki/issued/ca/"$cert" "$HOME/.kube/$cert"
# create a cluster in kubeconfig, pointing at the copy we just made
kubectl config set-cluster $CLUSTER \
  --certificate-authority="$HOME/.kube/$cert" \
  --server=https://api."$CLUSTER"
# create a context for the oidc user in the kubeconfig;
# $USER must be the kubeconfig user name (the OIDC email, jessica@gmail.com above), not the shell login name
kubectl config set-context $USER \
  --cluster $CLUSTER \
  --user $USER

$ kubectl config use-context $USER
$ kubectl get all -n development
No resources found.

Resources I like:

Live simply. Program stuff.