Category: Kubernetes, nginx, ansible

Eventually, we found a good working setup that we will be sharing with you. The SSO experience we wanted was driven by the following needs:

In order to allow the Dashboard to delegate authentication, we need to configure an Azure app, deploy OAuth2_Proxy into the K8S cluster and instruct it how to pass Dashboard authentication requests to Azure.

1- On the Azure portal, go to App registrations and fill in the Name and Redirect URI in the form of https://chosen_dashboard_fqdn/oauth2/callback

2- Create a New client secret for it.

3- As an admin, grant consent on behalf of your organization when OAuth2_Proxy is trying to connect to the Azure webapp.

just skip this step.

If it is signed by an on-premise CA, you will need to create a ConfigMap for your CA certificate, so that the K8S cluster considers it a legitimate CA, and mount it in the OAuth2_Proxy Pod:

Apply OAuth2_Proxy’s Deployment manifest:

Create and apply OAuth2_Proxy’s Service manifest:

Create a K8S Secret with the TLS certificate for your custom Dashboard’s URL domain:

Edit and apply the Dashboard’s Ingress manifest:

Note: Since we work with multiple versions of nginx-ingress, we had to use the if statement above in ansible-playbooks because of API deprecations in kube 1.16.
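As an added illustration of the Ingress step (not the article's own manifest), this is the usual ingress-nginx external-auth layout for putting OAuth2_Proxy in front of the Dashboard. The hostname `dashboard.example.com`, the Secret name `dashboard-tls`, the `kubernetes-dashboard` namespace, the `nginx` ingress class, and an `oauth2-proxy` Service on port 4180 started with `--set-authorization-header` are all assumptions.

```yaml
# Added example: names, namespace, hostname and ports are assumptions, not the article's values.
apiVersion: networking.k8s.io/v1   # needs Kubernetes 1.19+; older clusters use v1beta1 with the older backend fields
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    # Each request is first sent as a subrequest to OAuth2_Proxy's auth endpoint.
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # A 401 from that subrequest redirects the browser into the Azure AD login flow.
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Copy the bearer token set by OAuth2_Proxy onto the request sent to the Dashboard.
    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"   # assumes the Dashboard Service serves TLS
spec:
  ingressClassName: nginx
  tls:
    - hosts: [dashboard.example.com]
      secretName: dashboard-tls
  rules:
    - host: dashboard.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: kubernetes-dashboard, port: {number: 443}}
---
# Second Ingress for /oauth2/*: it carries no auth-* annotations, otherwise the login flow would loop.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  tls:
    - hosts: [dashboard.example.com]
      secretName: dashboard-tls
  rules:
    - host: dashboard.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service: {name: oauth2-proxy, port: {number: 4180}}
```

The host used here has to match the Redirect URI registered in the Azure app (`https://chosen_dashboard_fqdn/oauth2/callback`), since Azure AD rejects callbacks to any other URL.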

After providing the code to the URL (both displayed in the terminal), you should see the result of the previous command.

Today we saw how to use Azure AD authentication capabilities to leverage Single Sign On for Kubernetes dashboards and kubectl use.
