Access Your Kubernetes Cluster With Your Active Directory Credentials PDF

Access your Kubernetes cluster with your Active Directory crede... https://blog.inkubate.io/access-your-kubernetes-cluster-with-you...
! HOME (HTTP://BLOG.INKUBATE.IO)
"
Access your Kubernetes

cluster with your Active
Directory credentials
15 November 2018
Out of the box, the Kubernetes (https://kubernetes.io/) authentication is not very

user-friendly for end users. In this lab, we will see how to integrate Active
Directory (https://docs.microsoft.com/en-us/windows-server/identity/ad-
ds/get-started/virtual-dc/active-directory-domain-services-overview) with
Kubernetes to give the easiest authentication experience to the end users.
For this, we will use a project called Dex (https://github.com/dexidp/dex). Dex is

an OpenID Connect (https://kubernetes.io/docs/reference/access-authn-
authz/authentication/#openid-connect-tokens) provider done by CoreOS
(https://coreos.com/). It take care of the translation between Kubernetes tokens
and Active Directory users. We will also use Heptio (https://heptio.com/)
Gangway (https://github.com/heptiolabs/gangway) to generate kubectl
configuration files for us, and Bitly (https://bitly.com/) OAuth2 Proxy
(https://github.com/bitly/oauth2_proxy) to forward the OpenID token to the
Kubernetes dashboard.
∠
1 of 85 07/08/19, 7:17 AM
Requirements
You will need an ISO of Windows Server 2016 and an IP on your network for the
Active Directory server. In my case, this IP will be 10.10.40.5/24. You will also need
a working Kubernetes cluster, and the nodes of this cluster should be able to
communicate with the Active Directory IP.
As we will use the awesome Let's Encrypt (https://letsencrypt.org/) service to sign

the certificates for the different components of our authentication mechanism,
you will also need a way to NAT external traffic to the Kubernetes cluster. I will use
OPNSense (https://opnsense.org/) for this and I will also use OPNSense as a local
DNS server. My OPNSense machine has the IP 10.10.40.1/24.
You will also need a domain name that supports wildcard DNS entry. I will use the
wildcard DNS "*.k8s.inkubate.io" to route external traffic to my Kubernetes cluster.
If your Kubernetes cluster is on-prem, like mine, you will need a load balancer to
route the external traffic to your Kubernetes services. I suggest that you install
MetalLB (https://metallb.universe.tf/) on your cluster for this. You can refer to the
Install and configure MetalLB as a load balancer for Kubernetes
(https://blog.inkubate.io/install-and-configure-metallb-as-a-load-balancer-for-
kubernetes/) article.
∠
2 of 85 07/08/19, 7:17 AM
Your Kubernetes cluster should have a working certificate manager
(https://github.com/jetstack/cert-manager) to automatically sign SSL certificates
via Let's Encrypt. If you don't have one yet, you can refer to the Automatically
generate signed SSL certificates for your Kubernetes web applications
(https://blog.inkubate.io/generate-automatically-ssl-certificates-for-your-
kubernetes-services/) article.
Install an Active Directory

server
Create a Windows Server 2016 machine
1- Create a new virtual machine.
∠
3 of 85 07/08/19, 7:17 AM
2- Choose a name for your virtual machine.
3- Select the location of your virtual machine.
∠
4 of 85 07/08/19, 7:17 AM
4- Select the compatibility of your virtual machine.
∠
5 of 85 07/08/19, 7:17 AM
5- Select the type of the guest OS.
6- Attach the Windows Server 2016 ISO to the virtual machine.
∠
6 of 85 07/08/19, 7:17 AM
∠
7 of 85 07/08/19, 7:17 AM
7- Create the virtual machine.
∠
8 of 85 07/08/19, 7:17 AM
8- Power-on the virtual machine.
9- Open a remote console.
∠
9 of 85 07/08/19, 7:17 AM
10- Choose to boot normally and press a key to boot on the Windows Server 2016
ISO.
∠
10 of 85 07/08/19, 7:17 AM
11- Select your language and time zone.
12- Start the installation of Windows Server 2016.
∠
11 of 85 07/08/19, 7:17 AM
13- Choose the type of installation and accept the license terms.
∠
12 of 85 07/08/19, 7:17 AM
14- Choose to do a custom installation.
15- Select the disk on which to install Windows Server 2016.
∠
13 of 85 07/08/19, 7:17 AM
16- Choose a password for the Administrator user.
17- Login to your new Windows Server 2016.
∠
14 of 85 07/08/19, 7:17 AM
18- Right-click on the network card and "open the network and sharing center".
19- Click on the "Ethernet0" network card.
∠
15 of 85 07/08/19, 7:17 AM
20- Open the properties of the network card.
21- Edit the IPV4 properties.
∠
16 of 85 07/08/19, 7:17 AM
22- Open the "Server Manager"
∠
17 of 85 07/08/19, 7:17 AM
23- Enable the remote desktop connection for the local server.
∠
18 of 85 07/08/19, 7:17 AM
24- You should now be able to access your Windows Server 2016 with a remote
desktop connection.
∠
19 of 85 07/08/19, 7:17 AM
25- Go back to the VMware vSphere client and install the VMware tools.
26- Go back to your remote desktop connection and launch the VMware tools
installer.
∠
20 of 85 07/08/19, 7:17 AM
27- Install the VMware tools.
∠
21 of 85 07/08/19, 7:17 AM
∠
22 of 85 07/08/19, 7:17 AM
∠
23 of 85 07/08/19, 7:17 AM
∠
24 of 85 07/08/19, 7:17 AM
28- Reboot the machine.
∠
25 of 85 07/08/19, 7:17 AM
29- When the machine is up, add your Windows Server 2016 license.
∠
26 of 85 07/08/19, 7:17 AM
∠
27 of 85 07/08/19, 7:17 AM
∠
28 of 85 07/08/19, 7:17 AM
∠
29 of 85 07/08/19, 7:17 AM
∠
30 of 85 07/08/19, 7:17 AM
Add the Active Directory role to the Windows Server

2016
1- In the "Server Manager", select "Add roles and features"
∠
31 of 85 07/08/19, 7:17 AM
∠
32 of 85 07/08/19, 7:17 AM
2- Select the installation type.
∠
33 of 85 07/08/19, 7:17 AM
3- Select your server.
∠
34 of 85 07/08/19, 7:17 AM
4- Add the role "Active Directory Domain Services".
∠
35 of 85 07/08/19, 7:17 AM
∠
36 of 85 07/08/19, 7:17 AM
∠
37 of 85 07/08/19, 7:17 AM
∠
38 of 85 07/08/19, 7:17 AM
∠
39 of 85 07/08/19, 7:17 AM
∠
40 of 85 07/08/19, 7:17 AM
5- Promote your Windows Server 2016 to domain controller.
∠
41 of 85 07/08/19, 7:17 AM
6- Choose your root domain name.
∠
42 of 85 07/08/19, 7:17 AM
7- Enter a password for the restore mode.
∠
43 of 85 07/08/19, 7:17 AM
8- Don't create a DNS delegation.
∠
44 of 85 07/08/19, 7:17 AM
9- Choose the NetBIOS domain name.
∠
45 of 85 07/08/19, 7:17 AM
10- Leave the default path.
∠
46 of 85 07/08/19, 7:17 AM
∠
47 of 85 07/08/19, 7:17 AM
11- Start the installation.
∠
48 of 85 07/08/19, 7:17 AM
12- Reboot the server.
∠
49 of 85 07/08/19, 7:17 AM
Create an Active Directory

user
1- Launch the Active Directory Administrative Center.
∠
50 of 85 07/08/19, 7:17 AM
2- Select your domain.
∠
51 of 85 07/08/19, 7:17 AM
3- Right-click on Users and select New User.
∠
52 of 85 07/08/19, 7:17 AM
4- Fill the user information, select the password policy and click on OK.
∠
53 of 85 07/08/19, 7:17 AM
Create a role binding for your

user
We are going to create a Kubernetes role binding for your Active Directory user.
This will give permissions to your user on the Kubernetes cluster. In this example,
the user will be administrator of the default namespace.
1- Create the role binding.
$ kubectl create rolebinding sguyennet-default-admin --clusterrole=admin --us
Deploy Dex
Dex is an OpenID Connect provider that will be in charge of our authentication.
∠
54 of 85 07/08/19, 7:17 AM
We will use Active Directory as a backend for Dex, but there are many other
backend solutions to choose from.
1- Create a dex-namespace.yaml file.
$ vim dex-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: auth-system
2- Create the namespace for Dex.
$ kubectl apply -f dex-namespace.yaml
3- Create a dex-rbac.yaml file.
∠
55 of 85 07/08/19, 7:17 AM
$ vim dex-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: dex
namespace: auth-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: dex
rules:
- apiGroups: ["dex.coreos.com"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: dex
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dex
subjects:
- kind: ServiceAccount
name: dex
4- Create the permissions for Dex.
$ kubectl apply -f dex-rbac.yaml
5- Create a dex-configmap.yaml file. Modify the issuer URL, the redirect URIs, the
client secret and the Active Directory configuration accordingly.
∠
56 of 85 07/08/19, 7:17 AM
$ vim dex-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: dex
data:
config.yaml: |
issuer: https://auth.k8s.inkubate.io/
web:
http: 0.0.0.0:5556
frontend:
theme: custom
telemetry:
http: 0.0.0.0:5558
staticClients:
- id: oidc-auth-client
redirectURIs:
- 'https://kubectl.k8s.inkubate.io/callback'
- 'http://dashboard.k8s.inkubate.io/oauth2/callback'
name: 'oidc-auth-client'
secret: ***********
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: ad.inkubate.io:389
insecureNoSSL: true
insecureSkipVerify: true
bindDN: cn=Administrator,cn=Users,dc=inkubate,dc=io
bindPW: '***********'
userSearch:
baseDN: cn=Users,dc=inkubate,dc=io
filter: "(objectClass=user)"
username: sAMAccountName
idAttr: sAMAccountName
emailAttr: sAMAccountName
nameAttr: displayName
oauth2:
skipApprovalScreen: true
storage:
type: kubernetes
config:
∠
57 of 85 07/08/19, 7:17 AM
inCluster: true
6- Configure Dex.
$ kubectl apply -f dex-configmap.yaml
7- Create the dex-deployment.yaml file.
∠
58 of 85 07/08/19, 7:17 AM
$ vim dex-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: dex
name: dex
spec:
replicas: 1
selector:
matchLabels:
app: dex
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app: dex
revision: "1"
spec:
initContainers:
- name: dl-theme
image: alpine/git
command:
- git
- clone
- "https://github.com/sguyennet/dex-inkubate-branding.git"
- /theme
volumeMounts:
- name: theme
mountPath: /theme/
containers:
- command:
- /usr/local/bin/dex
- serve
- /etc/dex/cfg/config.yaml
image: quay.io/dexidp/dex:v2.17.0
imagePullPolicy: IfNotPresent
name: dex
ports:
∠
59 of 85 07/08/19, 7:17 AM
- containerPort: 5556
name: http
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/dex/cfg
name: config
- mountPath: /web/themes/custom/
name: theme
dnsPolicy: ClusterFirst
serviceAccountName: dex
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 420
items:
- key: config.yaml
path: config.yaml
name: dex
name: config
- name: theme
emptyDir: {}
8- Deploy Dex.
$ kubectl apply -f dex-deployment.yaml
9- Create a dex-service.yaml file.
∠
60 of 85 07/08/19, 7:17 AM
$ vim dex-service.yaml
apiVersion: v1
kind: Service
metadata:
name: dex
spec:
selector:
app: dex
ports:
- name: dex
port: 5556
protocol: TCP
targetPort: 5556
10- Create a service for the Dex deployment.
$ kubectl apply -f dex-service.yaml
11- Create a dex-ingress.yaml file. Change the host parameters and your certificate
issuer name accordingly.
∠
61 of 85 07/08/19, 7:17 AM
$ vim dex-ingress.yaml
kind: Ingress
metadata:
name: dex
annotations:
kubernetes.io/tls-acme: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-production"
ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- secretName: dex
hosts:
- auth.k8s.inkubate.io
rules:
- host: auth.k8s.inkubate.io
http:
paths:
- backend:
serviceName: dex
servicePort: 5556
12- Create the ingress for the Dex service.
$ kubectl apply -f dex-ingress.yaml
13- Wait a couple of minutes until the cert manager generates a certificate for Dex
and check that Dex is deployed properly by browsing to
https://auth.k8s.inkubate.io/.well-known/openid-configuration
(https://auth.k8s.inkubate.io/.well-known/openid-configuration).
Configure the Kubernetes

API to access Dex as OpenID
connect provider
∠
62 of 85 07/08/19, 7:17 AM
These steps have to be done on each of your Kubernetes master nodes.
1- SSH to your node.
$ ssh sguyennet@10.10.40.30
2- Edit the Kubernetes API configuration. Add the OIDC parameters and modify
the issuer URL accordingly.
$ sudo vim /etc/kubernetes/manifests/kube-apiserver.yaml

...
command:
- /hyperkube
- apiserver
- --advertise-address=10.10.40.30
...
- --oidc-issuer-url=https://auth.k8s.inkubate.io/
- --oidc-client-id=oidc-auth-client
- --oidc-username-claim=email
- --oidc-groups-claim=groups
...
3- The Kubernetes API will restart by itself.
Deploy Gangway
Gangway is a web interface made by Heptio. It will allow us to configure kubectl
with our user settings.
1- Generate a secret key for Gangway.
$ kubectl -n auth-system create secret generic gangway-key \

--from-literal=sesssionkey=$(openssl rand -base64 32)
2- Create a gangway-configmap.yaml file. Modify the cluster name, the URLs, and
the client secret accordingly. For the client secret, use the same secret that you
specified in the Dex configmap during the previous step.
∠
63 of 85 07/08/19, 7:17 AM
$ vim gangway-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: gangway
data:
gangway.yaml: |
clusterName: "Inkubate"
apiServerURL: "https://10.10.40.33:6443"
authorizeURL: "https://auth.k8s.inkubate.io/auth"
tokenURL: "https://auth.k8s.inkubate.io/token"
clientID: "oidc-auth-client"
clientSecret: "***********"
redirectURL: "https://kubectl.k8s.inkubate.io/callback"
scopes: ["openid", "profile", "email", "offline_access"]
usernameClaim: "email"
emailClaim: "email"
3- Configure Gangway.
$ kubectl apply -f gangway-configmap.yaml
4- Create a gangway-deployment.yaml file.
∠
64 of 85 07/08/19, 7:17 AM
$ vim gangway-deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: gangway
labels:
app: gangway
spec:
replicas: 1
selector:
matchLabels:
app: gangway
strategy:
template:
metadata:
labels:
app: gangway
revision: "1"
spec:
containers:
- name: gangway
image: gcr.io/heptio-images/gangway:v2.0.0
imagePullPolicy: Always
command: ["gangway", "-config", "/gangway/gangway.yaml"]
env:
- name: GANGWAY_SESSION_SECURITY_KEY
valueFrom:
secretKeyRef:
name: gangway-key
key: sesssionkey
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
requests:
cpu: "100m"
memory: "100Mi"
limits:
cpu: "100m"
memory: "100Mi"
volumeMounts:
- name: gangway
∠
65 of 85 07/08/19, 7:17 AM
mountPath: /gangway/
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 20
timeoutSeconds: 1
periodSeconds: 60
failureThreshold: 3
readinessProbe:
httpGet:
path: /
port: 8080
timeoutSeconds: 1
periodSeconds: 10
failureThreshold: 3
volumes:
- name: gangway
configMap:
name: gangway
5- Create the Gangway deployment.
$ kubectl apply -f gangway-deployment.yaml
6- Create a gangway-service.yaml file.
∠
66 of 85 07/08/19, 7:17 AM
$ vim gangway-service.yaml
kind: Service
apiVersion: v1
metadata:
name: gangway-svc
labels:
app: gangway
spec:
type: ClusterIP
ports:
- name: "http"
protocol: TCP
port: 80
targetPort: "http"
selector:
app: gangway
7- Create the service for the Gangway deployment.
$ kubectl apply -f gangway-service.yaml
8- Create a gangway-ingress.yaml file. Modify the host parameter and the

certificate manager issuer accordingly.
∠
67 of 85 07/08/19, 7:17 AM
$ vim gangway-ingress.yaml
kind: Ingress
metadata:
name: gangway
annotations:
spec:
tls:
- secretName: gangway
hosts:
- kubectl.k8s.inkubate.io
rules:
- host: kubectl.k8s.inkubate.io
http:
paths:
- backend:
serviceName: gangway-svc
servicePort: http
9- Create the ingress for the Gangway service.
$ kubectl apply -f gangway-ingress.yaml
10- Wait a couple of minutes while the certificate manager generates a SSL
certificate for Gangway and browse to https://kubectl.k8s.inkubate.io
(https://kubectl.k8s.inkubate.io)
11- Click on "Sign In".
∠
68 of 85 07/08/19, 7:17 AM
12- Login with your Active Directory user.
∠
69 of 85 07/08/19, 7:17 AM
13- Copy your cluster administrator configuration.
$ cd ~/.kube
$ cp config admin-config
14- Follow the steps to generate your kubectl configuration file.
15- You should now be logged in with your Active Directory user and you should be
able to list the pods in the default namespace, but not in the kube-system
namespace.
$ kubectl get pods
$ kubectl get pods -n kube-system

Error from server (Forbidden): pods is forbidden: User "sguyennet" cannot
list pods in the namespace "kube-system"
16- Log back with your cluster administrator user.

∠
70 of 85 07/08/19, 7:17 AM
$ export KUBECONFIG=~/.kube/admin-config
$ kubectl get pods -n kube-system
Deploy the Kubernetes

dashboard
1- Create the Kubernetes dashboard manifest.
∠
71 of 85 07/08/19, 7:17 AM
$ vim kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Configuration to deploy release version of the Dashboard UI compat

# Kubernetes 1.8.
#
# Example usage: kubectl create -f
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account -------------------
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
name: kubernetes-dashboard
∠
72 of 85 07/08/19, 7:17 AM
---
# ------------------- Dashboard Role & Role Binding ----------------
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secr
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive se
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-das
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"
∠
73 of 85 07/08/19, 7:17 AM
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
subjects:
- kind: ServiceAccount
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
template:
metadata:
labels:
spec:
∠
74 of 85 07/08/19, 7:17 AM
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
ports:
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kuberne
# If not specified, Dashboard will attempt to auto discove
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be d
tolerations:
- key: node-role.kubernetes.io/master
∠
75 of 85 07/08/19, 7:17 AM
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
spec:
ports:
- port: 443
targetPort: 8443
selector:
2- Deploy the dashboard.
$ kubectl create -f kubernetes-dashboard.yaml
Deploy the Oauth2 proxy

We are going to use a modified version of the Bitly Oauth2 proxy to pass the
authentication token to the Kubernetes dashboard. Thanks to Joel Speed for the
modification. You can find the source code on his GitHub (https://github.com
/JoelSpeed/oauth2_proxy/tree/authorization-headers).
1- Generate a secret for the Oauth2 proxy.
python -c 'import os,base64; print base64.urlsafe_b64encode(os.urandom(16))'
2- Copy the generated secret and use it for the

OAUTH2_PROXY_COOKIE_SECRET value in the next step.
∠
76 of 85 07/08/19, 7:17 AM
3- Create an oauth2-proxy-deployment.yaml file. Modify the OIDC client secret,
the OIDC issuer URL, and the Oauth2 proxy cookie secret accordingly.
$ vim oauth2-proxy-deployment.yaml
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
spec:
replicas: 1
selector:
matchLabels:
template:
metadata:
labels:
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --client-id=oidc-auth-client
- --client-secret=***********
- --oidc-issuer-url=https://auth.k8s.inkubate.io/
- --http-address=0.0.0.0:8080
- --upstream=file:///dev/null
- --email-domain=*
- --set-authorization-header=true
env:
# docker run -ti --rm python:3-alpine python -c 'import secrets,base6
- name: OAUTH2_PROXY_COOKIE_SECRET
value: ***********
image: sguyennet/oauth2-proxy:header-2.2
imagePullPolicy: Always
name: oauth2-proxy
ports:
protocol: TCP
∠
77 of 85 07/08/19, 7:17 AM
4- Deploy the Oauth2 proxy.
$ kubectl apply -f oauth2-proxy-deployment.yaml
5- Create an oauth2-proxy-service.yaml file.
$ vim oauth2-proxy-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
name: oauth2-proxy
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
6- Create a service for the Oauth2 proxy deployment.
$ kubectl apply -f oauth2-proxy-service.yaml
7- Create a dashboard-ingress.yaml file. Modify the dashboard URLs and the host
parameter accordingly.
∠
78 of 85 07/08/19, 7:17 AM
$ vim dashboard-ingress.yaml
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://dashboard.k8s.inkuba
nginx.ingress.kubernetes.io/auth-signin: "https://dashboard.k8s.ink
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $token $upstream_http_authorization;
proxy_set_header Authorization $token;
spec:
rules:
- host: dashboard.k8s.inkubate.io
http:
paths:
- backend:
serviceName: kubernetes-dashboard
servicePort: 443
path: /
8- Create the ingress for the dashboard service.
$ kubectl apply -f dashboard-ingress.yaml
9- Create an oauth2-proxy-ingress.yaml file. Modify the certificate manager issuer

and the host parameters accordingly.
∠
79 of 85 07/08/19, 7:17 AM
$ vim oauth2-proxy-ingress.yaml
kind: Ingress
metadata:
annotations:
name: oauth-proxy
spec:
rules:
- host: dashboard.k8s.inkubate.io
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 8080
path: /oauth2
tls:
- hosts:
- dashboard.k8s.inkubate.io
secretName: kubernetes-dashboard-external-tls
10- Create the ingress for the Oauth2 proxy service.
$ kubectl apply -f oauth2-proxy-ingress.yaml
11- Wait a couple of minutes and browse to https://dashboard.k8s.inkubate.io

(https://dashboard.k8s.inkubate.io).
12- Login with your Active Directory user.
∠
80 of 85 07/08/19, 7:17 AM
13- You should be able to see and modify the default namespace, but not the other
ones.
∠
81 of 85 07/08/19, 7:17 AM
Conclusion
Success! You are now able to access your Kubernetes cluster, in a user-friendly
fashion, both with the kubectl command line and with the dashboard.
Tags: Cloud (/tag/cloud/), Kubernetes (/tag/kubernetes/), Container (/tag/container/), Active Directory

(/tag/active-directory/), Authentication (/tag/authentication/)
Share this post:
$ (https://twitter.com
/share?text=Access%20your%20Kubernetes%20cluster%
url=https://blog.inkubate.io/access-your-
kubernetes-cluster-with-your-active-directory-
credentials/) % (https://www.facebook.com/sharer
/sharer.php?u=https://blog.inkubate.io/access-
your-kubernetes-cluster-with-your-active-
directory-credentials/) + (https://plus.google.com
/share?url=https://blog.inkubate.io/access-your-
kubernetes-cluster-with-your-active-directory-
credentials/)
∠ PREVIOUS (/GENERATE-AUTOMATICALLY-SSL-CERTIFICATES-FOR-YOUR-
KUBERNETES-SERVICES/)
Automatically generate signed SSL certificates for your Kubernetes web applications
(/generate-automatically-ssl-certificates-for-your-kubernetes-services/)
NEXT ∠ (/INSTALL-AND-CONFIGURE-CHEF-ON-UBUNTU-16-04/)
Install and configure Chef server 12 on Ubuntu 16.04 (/install-and-configure-chef-on-
ubuntu-16-04/)
∠
82 of 85 07/08/19, 7:17 AM
Author
SIMON GUYENNET (/AUTHOR/SIMON/)
Comments
∠
83 of 85 07/08/19, 7:17 AM
What do you think?
6 Responses
Upvote Funny Love Surprised Angry Sad
28 Comments blog.inkubate.io !
1 Login
' Recommend t Tweet f Share Sort by Best
Join the discussion…
LOG IN WITH OR SIGN UP WITH DISQUS ?
Name
Greg Waines • a month ago

Hey ... great article on “Access your Kubernetes cluster with your Active Directory credentials” (
https://blog.inkubate.io/ac... ) ... has helped me a lot with investigating this.
I do have a question though.
What I have got so far:
• I have a Windows Server 2012 installed

o With Active Directory configured
With domain = wad.cumulus.wrs.com
I own cumulus.wrs.com domain
• And have delegated *.wad.cumuls.wrs.com to the Windows Server 2012 installation with
Active Directory
• And have also set ad.cumulus.wrs.com == IP of Windows Server 2012 installation with Active
Directory
o And installed one user here
• I have a kubernetes cluster

o With certmanager installed, and
see more
△ ▽ • Reply • Share ›
Simon Guyennet Mod > Greg Waines • a month ago

Hi,
The "secret" parameter for the "oidc-auth-client" will be used later by other components
(Oauth proxy and Gangway) to talk to Dex. Choose whatever you want for now but
remember the secret for the configuration of the Oauth proxy and of Gangway.
The "bindPW" is the password of the "bindDN" which in our case is the Administrator
user of the Windows server.
Regards,
∠
84 of 85 Simon. 07/08/19, 7:17 AM
) Creative Commons
∠
85 of 85 07/08/19, 7:17 AM

Access Your Kubernetes Cluster With Your Active Directory Credentials PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Access Your Kubernetes Cluster With Your Active Directory Credentials PDF

Uploaded by

Copyright:

Available Formats

Access your Kubernetes cluster with your Active Directory crede... https://blog.inkubate.io/access-your-kubernetes-cluster-with-you...

Access your Kubernetes

Out of the box, the Kubernetes (https://kubernetes.io/) authentication is not very

For this, we will use a project called Dex (https://github.com/dexidp/dex). Dex is

As we will use the awesome Let's Encrypt (https://letsencrypt.org/) service to sign

Install an Active Directory

2- Choose a name for your virtual machine.

3- Select the location of your virtual machine.

4- Select the compatibility of your virtual machine.

5- Select the type of the guest OS.

6- Attach the Windows Server 2016 ISO to the virtual machine.

7- Create the virtual machine.

8- Power-on the virtual machine.

9- Open a remote console.

11- Select your language and time zone.

12- Start the installation of Windows Server 2016.

14- Choose to do a custom installation.

15- Select the disk on which to install Windows Server 2016.

16- Choose a password for the Administrator user.

17- Login to your new Windows Server 2016.

19- Click on the "Ethernet0" network card.

20- Open the properties of the network card.

21- Edit the IPV4 properties.

22- Open the "Server Manager"

27- Install the VMware tools.

28- Reboot the machine.

Add the Active Directory role to the Windows Server

2- Select the installation type.

3- Select your server.

4- Add the role "Active Directory Domain Services".

5- Promote your Windows Server 2016 to domain controller.

6- Choose your root domain name.

7- Enter a password for the restore mode.

8- Don't create a DNS delegation.

9- Choose the NetBIOS domain name.

10- Leave the default path.

11- Start the installation.

12- Reboot the server.

Create an Active Directory

2- Select your domain.

3- Right-click on Users and select New User.

Create a role binding for your

1- Create the role binding.

$ kubectl create rolebinding sguyennet-default-admin --clusterrole=admin --us

1- Create a dex-namespace.yaml file.

2- Create the namespace for Dex.

$ kubectl apply -f dex-namespace.yaml

3- Create a dex-rbac.yaml file.

4- Create the permissions for Dex.

$ kubectl apply -f dex-rbac.yaml

$ kubectl apply -f dex-configmap.yaml

7- Create the dex-deployment.yaml file.

$ kubectl apply -f dex-deployment.yaml

9- Create a dex-service.yaml file.

10- Create a service for the Dex deployment.

$ kubectl apply -f dex-service.yaml

12- Create the ingress for the Dex service.

$ kubectl apply -f dex-ingress.yaml

Configure the Kubernetes

1- SSH to your node.

$ sudo vim /etc/kubernetes/manifests/kube-apiserver.yaml

3- The Kubernetes API will restart by itself.

1- Generate a secret key for Gangway.