This repository has been archived by the owner on Feb 9, 2022. It is now read-only.

oauth2-proxy: provider "keycloak" breaks authentication to Kubeapps and Kubernetes-dashboard #1065

Open
floek opened this issue Jan 23, 2021 · 1 comment


floek commented Jan 23, 2021

Hi,

I tried to use kubeprod's oauth2-proxy to authenticate bitnami/kubeapps and Kubernetes-dashboard. After some analysis I found that oauth2-proxy with --provider=keycloak is not usable for this task, because it is not possible to add an Authorization bearer token header to the HTTP requests, which is needed for those apps.

References:

So it may be a good idea to switch to --provider=oidc in kubeprod to support this.
For everyone interested in this task: here are my options, needed to successfully authenticate to Kubernetes dashboard with Keycloak / oauth2-proxy:

OIDC options for kube-apiserver:

    --oidc-client-id=bkpr
    --oidc-groups-claim=groups
    --oidc-issuer-url=https://id.kubeprod.domain/auth/realms/BKPR
    --oidc-username-claim=preferred_username

In Keycloak, add a role, for example "my-custer-admin-role", and add it to a user.

Clusterrolebinding:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: oidc-cluster-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: my-custer-admin-role

Options for oauth2-proxy:

    --provider=oidc
    --oidc-issuer-url=https://id.kubeprod.domain/auth/realms/BKPR
    --set-authorization-header=true

Annotations for kubernetes-dashboard nginx-ingress:

    nginx.ingress.kubernetes.io/auth-signin: https://auth.kubeprod.domain/oauth2/start?rd=%2F$server_name$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://auth.kubeprod.domain/oauth2/auth

    # important to add the Authorization: Bearer header:
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization

Cheers,
floek
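The setup above only works if the bearer token that nginx forwards from oauth2-proxy carries the claims the kube-apiserver flags expect (issuer, client id as audience, preferred_username, groups) and the groups claim contains the role bound in the ClusterRoleBinding. The following is an added example, not code from the issue or from kubeprod, that applies those same claim checks to an Authorization header; it assumes the token's signature has already been verified against the Keycloak JWKS (the demo token it builds is unsigned and constructed for illustration only).

```python
import base64
import json

# Values taken from the kube-apiserver flags and the ClusterRoleBinding in the issue
OIDC_ISSUER_URL = "https://id.kubeprod.domain/auth/realms/BKPR"
OIDC_CLIENT_ID = "bkpr"
OIDC_GROUPS_CLAIM = "groups"
OIDC_USERNAME_CLAIM = "preferred_username"
BOUND_GROUP = "my-custer-admin-role"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED token (alg=none) for this example only; never accept such a token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def check_bearer_for_dashboard(header_value: str) -> dict:
    """Apply the claim checks the kube-apiserver applies with the issue's flags to the
    Authorization header that oauth2-proxy/nginx forward to the dashboard.
    Assumes the JWT signature was already verified against the Keycloak JWKS."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <jwt>'")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    claims = json.loads(_unb64url(parts[1]))
    problems = []
    if claims.get("iss") != OIDC_ISSUER_URL:
        problems.append("iss does not match --oidc-issuer-url")
    aud = claims.get("aud", [])
    if OIDC_CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not contain --oidc-client-id")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        problems.append(f"missing {OIDC_USERNAME_CLAIM} claim")
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    # Without --oidc-username-prefix the apiserver prefixes the username with "<issuer-url>#";
    # group names are used as-is, which is why the binding can name BOUND_GROUP directly.
    return {"username": username, "groups": groups,
            "cluster_admin": BOUND_GROUP in groups, "problems": problems}
```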

@javsalgar (Contributor)

Hi,

Thank you very much for the input! I will forward this for evaluation.
