Requirements
You will need an ISO of Windows Server 2016 and an IP on your network for the
Active Directory server. In my case, this IP will be 10.10.40.5/24. You will also need
a working Kubernetes cluster, and the nodes of this cluster should be able to
communicate with the Active Directory IP.
You will also need a domain name that supports wildcard DNS entries. I will use the
wildcard DNS "*.k8s.inkubate.io" to route external traffic to my Kubernetes cluster.
If your Kubernetes cluster is on-prem, like mine, you will need a load balancer to
route the external traffic to your Kubernetes services. I suggest that you install
MetalLB (https://metallb.universe.tf/) on your cluster for this. You can refer to the
Install and configure MetalLB as a load balancer for Kubernetes
(https://blog.inkubate.io/install-and-configure-metallb-as-a-load-balancer-for-kubernetes/) article.
2 of 85 07/08/19, 7:17 AM
Access your Kubernetes cluster with your Active Directory crede... https://blog.inkubate.io/access-your-kubernetes-cluster-with-you...
Your Kubernetes cluster should have a working certificate manager
(https://github.com/jetstack/cert-manager) to automatically sign SSL certificates
via Let's Encrypt. If you don't have one yet, you can refer to the Automatically
generate signed SSL certificates for your Kubernetes web applications
(https://blog.inkubate.io/generate-automatically-ssl-certificates-for-your-kubernetes-services/) article.
10- Choose to boot normally and press a key to boot from the Windows Server 2016
ISO.
13- Choose the type of installation and accept the license terms.
18- Right-click on the network card and open the "Network and Sharing Center".
23- Enable the remote desktop connection for the local server.
24- You should now be able to access your Windows Server 2016 with a remote
desktop connection.
25- Go back to the VMware vSphere client and install the VMware tools.
26- Go back to your remote desktop connection and launch the VMware tools
installer.
29- When the machine is up, add your Windows Server 2016 license.
4- Fill in the user information, select the password policy and click on OK.
Deploy Dex
Dex is an OpenID Connect provider that will be in charge of our authentication.
We will use Active Directory as a backend for Dex, but there are many other
backend solutions to choose from.
$ vim dex-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: auth-system
$ vim dex-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dex
  namespace: auth-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dex
  namespace: auth-system
rules:
- apiGroups: ["dex.coreos.com"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex
  namespace: auth-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dex
subjects:
- kind: ServiceAccount
  name: dex
  namespace: auth-system
5- Create a dex-configmap.yaml file. Modify the issuer URL, the redirect URIs, the
client secret and the Active Directory configuration accordingly.
$ vim dex-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex
  namespace: auth-system
data:
  config.yaml: |
    issuer: https://auth.k8s.inkubate.io/
    web:
      http: 0.0.0.0:5556
    frontend:
      theme: custom
    telemetry:
      http: 0.0.0.0:5558
    staticClients:
    - id: oidc-auth-client
      redirectURIs:
      - 'https://kubectl.k8s.inkubate.io/callback'
      - 'http://dashboard.k8s.inkubate.io/oauth2/callback'
      name: 'oidc-auth-client'
      secret: ***********
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ad.inkubate.io:389
        insecureNoSSL: true
        insecureSkipVerify: true
        bindDN: cn=Administrator,cn=Users,dc=inkubate,dc=io
        bindPW: '***********'
        userSearch:
          baseDN: cn=Users,dc=inkubate,dc=io
          filter: "(objectClass=user)"
          username: sAMAccountName
          idAttr: sAMAccountName
          emailAttr: sAMAccountName
          nameAttr: displayName
    oauth2:
      skipApprovalScreen: true
    storage:
      type: kubernetes
      config:
        inCluster: true
6- Configure Dex.
$ vim dex-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
  namespace: auth-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: dex
        revision: "1"
    spec:
      initContainers:
      - name: dl-theme
        image: alpine/git
        command:
        - git
        - clone
        - "https://github.com/sguyennet/dex-inkubate-branding.git"
        - /theme
        volumeMounts:
        - name: theme
          mountPath: /theme/
      containers:
      - command:
        - /usr/local/bin/dex
        - serve
        - /etc/dex/cfg/config.yaml
        image: quay.io/dexidp/dex:v2.17.0
        imagePullPolicy: IfNotPresent
        name: dex
        ports:
        - containerPort: 5556
          name: http
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/dex/cfg
          name: config
        - mountPath: /web/themes/custom/
          name: theme
      dnsPolicy: ClusterFirst
      serviceAccountName: dex
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: config.yaml
            path: config.yaml
          name: dex
        name: config
      - name: theme
        emptyDir: {}
8- Deploy Dex.
$ vim dex-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: auth-system
spec:
  selector:
    app: dex
  ports:
  - name: dex
    port: 5556
    protocol: TCP
    targetPort: 5556
11- Create a dex-ingress.yaml file. Change the host parameters and your certificate
issuer name accordingly.
$ vim dex-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dex
  namespace: auth-system
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-production"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - secretName: dex
    hosts:
    - auth.k8s.inkubate.io
  rules:
  - host: auth.k8s.inkubate.io
    http:
      paths:
      - backend:
          serviceName: dex
          servicePort: 5556
13- Wait a couple of minutes until the cert manager generates a certificate for Dex
and check that Dex is deployed properly by browsing to
https://auth.k8s.inkubate.io/.well-known/openid-configuration.
$ ssh sguyennet@10.10.40.30
2- Edit the Kubernetes API configuration. Add the OIDC parameters and modify
the issuer URL accordingly.
- --oidc-issuer-url=https://auth.k8s.inkubate.io/
- --oidc-client-id=oidc-auth-client
- --oidc-username-claim=email
- --oidc-groups-claim=groups
...
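As an added example (not code from the original article), this Python script applies the checks that those four flags imply to the claims of a Dex ID token and maps them to a Kubernetes username and groups the way kube-apiserver does; the token is constructed and unsigned, and signature verification against Dex's JWKS is deliberately left out.

```python
import base64
import json
import time

# Values taken from the kube-apiserver flags above and the Dex configmap.
OIDC_ISSUER_URL = "https://auth.k8s.inkubate.io/"
OIDC_CLIENT_ID = "oidc-auth-client"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims):
    # Builds a CONSTRUCTED header.payload.signature string for testing only.
    # A real Dex token carries an RS256 signature in the third segment.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".signature-placeholder"


def map_token_to_k8s_user(token, now=None):
    """Return {"username": ..., "groups": [...]} or raise ValueError with the
    reason the API server would reject the token.
    NOTE: signature verification against Dex's JWKS is intentionally omitted;
    kube-apiserver performs it before any of the checks below."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:
        raise ValueError("malformed token payload") from exc

    # 'iss' must equal --oidc-issuer-url byte for byte (trailing slash included).
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    # 'aud' may be a string or a list; --oidc-client-id must appear in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OIDC_CLIENT_ID not in audiences:
        raise ValueError("audience mismatch: %r" % (aud,))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")

    # --oidc-username-claim=email: with Dex's emailAttr: sAMAccountName the
    # 'email' claim is the AD logon name, and that string becomes the k8s user.
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise ValueError("missing username claim %r" % OIDC_USERNAME_CLAIM)
    # For the email claim, kube-apiserver rejects a present-but-false email_verified.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email claim is not verified")

    # --oidc-groups-claim=groups: an absent claim means no extra groups, not a failure.
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    if isinstance(groups, str):
        groups = [groups]
    return {"username": username, "groups": list(groups)}


def rejection_reason(token, now=None):
    """Convenience wrapper: None when accepted, else the rejection message."""
    try:
        map_token_to_k8s_user(token, now)
    except ValueError as exc:
        return str(exc)
    return None
```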
Deploy Gangway
Gangway is a web interface made by Heptio. It will allow us to configure kubectl
with our user settings.
2- Create a gangway-configmap.yaml file. Modify the cluster name, the URLs, and
the client secret accordingly. For the client secret, use the same secret that you
specified in the Dex configmap during the previous step.
$ vim gangway-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gangway
  namespace: auth-system
data:
  gangway.yaml: |
    clusterName: "Inkubate"
    apiServerURL: "https://10.10.40.33:6443"
    authorizeURL: "https://auth.k8s.inkubate.io/auth"
    tokenURL: "https://auth.k8s.inkubate.io/token"
    clientID: "oidc-auth-client"
    clientSecret: "***********"
    redirectURL: "https://kubectl.k8s.inkubate.io/callback"
    scopes: ["openid", "profile", "email", "offline_access"]
    usernameClaim: "email"
    emailClaim: "email"
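An added example, not part of the original article: a small Python checker that cross-checks a Dex discovery document (the one step 13 has you open) against the kube-apiserver flags and this Gangway configuration. The discovery JSON is a constructed sample shaped like what Dex serves; on the page's own values it reports that Gangway never requests the 'groups' scope, so the groups claim named by --oidc-groups-claim stays empty.

```python
import json

# CONSTRUCTED sample of what Dex publishes at /.well-known/openid-configuration
# (standard OIDC discovery field names; values mirror this page's setup).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.k8s.inkubate.io/",
    "authorization_endpoint": "https://auth.k8s.inkubate.io/auth",
    "token_endpoint": "https://auth.k8s.inkubate.io/token",
    "jwks_uri": "https://auth.k8s.inkubate.io/keys",
    "scopes_supported": ["openid", "email", "groups", "profile", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Copied from the kube-apiserver flags and the Gangway configmap on this page.
APISERVER_FLAGS = {
    "--oidc-issuer-url": "https://auth.k8s.inkubate.io/",
    "--oidc-client-id": "oidc-auth-client",
    "--oidc-username-claim": "email",
    "--oidc-groups-claim": "groups",
}
GANGWAY_CONFIG = {
    "authorizeURL": "https://auth.k8s.inkubate.io/auth",
    "tokenURL": "https://auth.k8s.inkubate.io/token",
    "clientID": "oidc-auth-client",
    "scopes": ["openid", "profile", "email", "offline_access"],
    "usernameClaim": "email",
}


def check_oidc_wiring(discovery_json, flags, gangway):
    """Return a list of findings; an empty list means the three configs agree."""
    d = json.loads(discovery_json)
    findings = []

    issuer = d.get("issuer", "")
    # kube-apiserver compares the ID token's iss claim with --oidc-issuer-url
    # as an exact string, so even a trailing-slash difference breaks every login.
    if issuer != flags["--oidc-issuer-url"]:
        findings.append("issuer %r != --oidc-issuer-url %r" % (issuer, flags["--oidc-issuer-url"]))
    if not issuer.startswith("https://"):
        findings.append("issuer is not https; kube-apiserver only accepts https issuers")
    if "jwks_uri" not in d:
        findings.append("no jwks_uri: kube-apiserver cannot fetch the Dex signing keys")
    if "RS256" not in d.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 not offered; kube-apiserver accepts RS256 by default")

    # Gangway must talk to the endpoints the discovery document advertises and
    # use the client id the API server expects in the token's aud claim.
    if d.get("authorization_endpoint") != gangway["authorizeURL"]:
        findings.append("Gangway authorizeURL != authorization_endpoint")
    if d.get("token_endpoint") != gangway["tokenURL"]:
        findings.append("Gangway tokenURL != token_endpoint")
    if gangway["clientID"] != flags["--oidc-client-id"]:
        findings.append("Gangway clientID != --oidc-client-id (aud check would fail)")
    if gangway["usernameClaim"] != flags["--oidc-username-claim"]:
        findings.append("Gangway usernameClaim != --oidc-username-claim")

    supported = set(d.get("scopes_supported", []))
    unsupported = [s for s in gangway["scopes"] if s not in supported]
    if unsupported:
        findings.append("Gangway requests scopes Dex does not offer: %s" % unsupported)
    # Dex only puts a groups claim in the ID token when the 'groups' scope is
    # requested, so --oidc-groups-claim=groups is inert without it.
    if flags["--oidc-groups-claim"] == "groups" and "groups" not in gangway["scopes"]:
        findings.append("--oidc-groups-claim=groups set, but Gangway does not request the 'groups' scope")
    return findings
```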
3- Configure Gangway.
$ vim gangway-deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: gangway
  namespace: auth-system
  labels:
    app: gangway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gangway
  strategy:
  template:
    metadata:
      labels:
        app: gangway
        revision: "1"
    spec:
      containers:
      - name: gangway
        image: gcr.io/heptio-images/gangway:v2.0.0
        imagePullPolicy: Always
        command: ["gangway", "-config", "/gangway/gangway.yaml"]
        env:
        - name: GANGWAY_SESSION_SECURITY_KEY
          valueFrom:
            secretKeyRef:
              name: gangway-key
              key: sesssionkey
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        resources:
          requests:
            cpu: "100m"
            memory: "100Mi"
          limits:
            cpu: "100m"
            memory: "100Mi"
        volumeMounts:
        - name: gangway
          mountPath: /gangway/
        livenessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 20
          timeoutSeconds: 1
          periodSeconds: 60
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          timeoutSeconds: 1
          periodSeconds: 10
          failureThreshold: 3
      volumes:
      - name: gangway
        configMap:
          name: gangway
$ vim gangway-service.yaml
kind: Service
apiVersion: v1
metadata:
  name: gangway-svc
  namespace: auth-system
  labels:
    app: gangway
spec:
  type: ClusterIP
  ports:
  - name: "http"
    protocol: TCP
    port: 80
    targetPort: "http"
  selector:
    app: gangway
$ vim gangway-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gangway
  namespace: auth-system
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-production"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - secretName: gangway
    hosts:
    - kubectl.k8s.inkubate.io
  rules:
  - host: kubectl.k8s.inkubate.io
    http:
      paths:
      - backend:
          serviceName: gangway-svc
          servicePort: http
10- Wait a couple of minutes while the certificate manager generates an SSL
certificate for Gangway and browse to https://kubectl.k8s.inkubate.io.
13- Copy your cluster administrator configuration.
$ cd ~/.kube
$ cp config admin-config
15- You should now be logged in with your Active Directory user and you should be
able to list the pods in the default namespace, but not in the kube-system
namespace.
$ vim kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
$ vim oauth2-proxy-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: auth-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --client-id=oidc-auth-client
        - --client-secret=***********
        - --oidc-issuer-url=https://auth.k8s.inkubate.io/
        - --http-address=0.0.0.0:8080
        - --upstream=file:///dev/null
        - --email-domain=*
        - --set-authorization-header=true
        env:
        # docker run -ti --rm python:3-alpine python -c 'import secrets,base6
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: ***********
        image: sguyennet/oauth2-proxy:header-2.2
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
4- Deploy the OAuth2 proxy.
$ vim oauth2-proxy-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: auth-system
spec:
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    k8s-app: oauth2-proxy
7- Create a dashboard-ingress.yaml file. Modify the dashboard URLs and the host
parameter accordingly.
$ vim dashboard-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://dashboard.k8s.inkuba
    nginx.ingress.kubernetes.io/auth-signin: "https://dashboard.k8s.ink
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      proxy_set_header Authorization $token;
spec:
  rules:
  - host: dashboard.k8s.inkubate.io
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
        path: /
$ vim oauth2-proxy-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-production"
    ingress.kubernetes.io/force-ssl-redirect: "true"
  name: oauth-proxy
  namespace: auth-system
spec:
  rules:
  - host: dashboard.k8s.inkubate.io
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 8080
        path: /oauth2
  tls:
  - hosts:
    - dashboard.k8s.inkubate.io
    secretName: kubernetes-dashboard-external-tls
13- You should be able to see and modify the default namespace, but not the other
ones.
Conclusion
Success! You are now able to access your Kubernetes cluster, in a user-friendly
fashion, both with the kubectl command line and with the dashboard.
Comments
The "secret" parameter for the "oidc-auth-client" will be used later by other components
(Oauth proxy and Gangway) to talk to Dex. Choose whatever you want for now but
remember the secret for the configuration of the Oauth proxy and of Gangway.
The "bindPW" is the password of the "bindDN" which in our case is the Administrator
user of the Windows server.
Regards,
Simon.
Creative Commons