---
title: K3s
description: Some tips related to k3s
published: true
date: 2025-03-05 17:48:05 UTC
tags: 
editor: markdown
dateCreated: 2024-05-03 05:59:39 UTC
---

# K3s

## Access embedded etcd

```bash
ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' \
ETCDCTL_CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' \
ETCDCTL_CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' \
ETCDCTL_KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' \
ETCDCTL_API=3 \
etcdctl member list
```

Source: https://gist.github.com/superseb/0c06164eef5a097c66e810fe91a9d408

## Create user

See Luc Juggery's article. Make sure to replace `dave` everywhere!

## OIDC

### Setup Authelia

Add an OIDC client to Authelia. The following shows an example using the official Helm chart. Of course, you can simply add the client by any other means. The `client_secret` approach can be found in my k8s-ops repo: https://github.com/SIMULATAN/k8s-ops/tree/main/auth/authelia

```yaml
configMap:
  identity_providers:
    oidc:
      clients:
        - client_id: k8s-main
          client_name: Kubernetes Main
          client_secret:
            path: /secrets/authelia-oidc-secrets/CLIENT_SECRET_K8S-MAIN
          public: true
          pre_configured_consent_duration: 69y
          authorization_policy: two_factor
          redirect_uris:
            - http://localhost:8000
            # used if the port 8000 is already in use
            - http://localhost:18000
          scopes:
            - openid
            - profile
            - groups
            - email
          userinfo_signed_response_alg: none
          token_endpoint_auth_method: none
```

### Setup Kubernetes

Add these kube-apiserver args. In k3s, these can be set by adding the following to `/etc/rancher/k3s/config.yaml`:

```yaml
kube-apiserver-arg:
  - "oidc-issuer-url=https://auth.simulatan.me"
  - "oidc-client-id=k8s-main"
  - "oidc-username-claim=preferred_username"
  - "oidc-groups-claim=groups"
  # will prefix all groups coming from oidc with `oidc:`
  - "oidc-groups-prefix=oidc:"
```

Don't forget to create a role binding!

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-kubernetes-admin-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: oidc:kubernetes-admin
```

### Setup kubectl

```bash
# `.config/kube/config` is the path to your kubeconfig file
kubectl config --kubeconfig .config/kube/config set-credentials oidc-user \
	--exec-api-version="client.authentication.k8s.io/v1beta1" \
	--exec-command="kubectl" \
	--exec-arg="oidc-login" \
	--exec-arg="get-token" \
	--exec-arg="--oidc-issuer-url=https://auth.simulatan.me" \
	--exec-arg="--oidc-client-id=k8s-main" \
	--exec-arg="--oidc-extra-scope=openid profile email groups"
```

Lastly, update your existing context to use this oidc-user.
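To check that the three pieces above fit together before debugging `kubectl` against a live cluster, here is an added example (not part of this page or of k3s/Authelia) that mirrors how the apiserver turns the ID token's claims into a Kubernetes user and groups under the `kube-apiserver-arg` values above, and whether the result is a subject of the `ClusterRoleBinding`. The token it inspects is a constructed, unsigned sample, not one issued by Authelia; the only thing it assumes beyond the page is the `dave` user from the article linked above.

```python
import base64
import json

# kube-apiserver-arg values from the k3s config.yaml above, as a dict.
APISERVER_OIDC_ARGS = {
    "oidc-issuer-url": "https://auth.simulatan.me",
    "oidc-client-id": "k8s-main",
    "oidc-username-claim": "preferred_username",
    "oidc-groups-claim": "groups",
    "oidc-groups-prefix": "oidc:",
}
# Group subjects of the ClusterRoleBinding above.
BINDING_GROUPS = {"oidc:kubernetes-admin"}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload of a JWT for inspection only; the apiserver, not this, verifies the signature."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def map_identity(claims: dict, args: dict = APISERVER_OIDC_ARGS) -> tuple:
    """Mirror the apiserver's claim-to-identity mapping for the args above."""
    if claims.get("iss") != args["oidc-issuer-url"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if args["oidc-client-id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    username = claims[args["oidc-username-claim"]]
    prefix = args.get("oidc-groups-prefix", "")
    groups = [prefix + g for g in claims.get(args["oidc-groups-claim"], [])]
    return username, groups

def is_cluster_admin(groups: list) -> bool:
    """True if any mapped group is a subject of the ClusterRoleBinding."""
    return any(g in BINDING_GROUPS for g in groups)

# Constructed, unsigned sample token (alg "none"), NOT issued by Authelia.
# "system:masters" shows why the prefix matters: it maps to "oidc:system:masters",
# not to the built-in superuser group of the same name.
_b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({
    "iss": "https://auth.simulatan.me", "aud": "k8s-main",
    "preferred_username": "dave", "email": "dave@example.invalid",
    "groups": ["kubernetes-admin", "system:masters"]}), ""])

if __name__ == "__main__":
    user, groups = map_identity(jwt_claims(SAMPLE_TOKEN))
    print(user, groups, is_cluster_admin(groups))
```

With a real token, feed the `status.token` value that `kubectl oidc-login get-token` prints into `jwt_claims` to see exactly which username and groups the apiserver will derive.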