docs/doc/source/security/kubernetes/configure-kubernetes-client-access.rst
Suzana Fernandes b8bd7ed49d DOC: add cacert option for oidc-auth command
closes-bug: 2089258

Change-Id: I4283d7a63c4dcd30463e6b56e6430722fa51ce32
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-22 20:00:51 +00:00

9.3 KiB

Configure Kubernetes Client Access

You can configure Kubernetes access for local and remote clients to authenticate through Windows Active Directory or server using oidc-auth-apps Identity Provider (dex).

Configure Kubernetes Local Client Access

Use the procedure below to configure Kubernetes access for a user logged in to the active controller either through SSH or by using the system console.

  1. Execute the commands below to create the Kubernetes configuration file for the logged in user. These commands only need to be executed once. The file "~/.kube/config" will be created. The user referred in its contents is the current logged in user.

    ~$ kubeconfig-setup
    ~$ source ~/.profile
  2. Run oidc-auth script in order to authenticate and update user credentials in the Kubernetes configuration file.

    ~$ oidc-auth

    Note

    The oidc-auth script has the following optional parameters that may need to be specified:

    --cacert <path to ca cert file>: The path provides certificate that validates the server certificate specified by the -c option. By default, the command reads the value of OS_CACERT environment variable. If none is specified, the command accesses the server without verifying its certificate.

    -c <OIDC_app_IP>: This is the IP where the OIDC app is running. When not provided, it defaults to "oamcontroller", that is an alias to the controller floating IP. There are two instances where this parameter is used: for local client access inside subclouds of a centralized setup, where the oidc-auth-apps runs only on the System Controller, and for remote client access.

    -p <password>: This is the user password. If the user does not enter the password, the user is prompted to do so. This parameter is essential in non-interactive shells.

    -u <username>: This is the user to be authenticated. When not provided, it defaults to the current logged in user. Usually, this parameter is needed in remote client access scenarios, where the current logged in user is different from the user to be authenticated.

    -b <backend_ID>: This parameter is used to specify the backend used for authentication. It is only needed if there is more than one backend configured at oidc-auth-apps Identity Provider (Dex).

Configure Kubernetes Remote Client Access

The access to the Kubernetes cluster from outside the controller can be done using the remote CLI container or using the host directly. Both options are described below.

Kubernetes Remote Client Access using the Container-backed Remote CLI

The steps needed to set up the remote Kubernetes access using the container-backed remote are described in Configure Container-backed Remote CLIs and Clients <security-configure-container-backed-remote-clis-and-clients> and Use Container-backed Remote CLIs and Clients <using-container-backed-remote-clis-and-clients>.

Kubernetes Remote Client Access using the Host Directly

  1. Install the kubectl client CLI on the host. Follow the instructions on Install and Set Up kubectl on Linux. The example below can be used for Ubuntu.

    % sudo apt-get update
    % sudo apt-get install -y apt-transport-https
    % curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add
    % echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
    % sudo apt-get update
    % sudo apt-get install -y kubectl
  2. Optional: Contact your system administrator for the Kubernetes cluster's public root certificate. Copy this certificate to your system as k8s-ca.crt. This step is strongly recommended, but it still possible to connect to the Kubernetes cluster without this certificate.

  3. Create an empty Kubernetes configuration file (the default path is ~/.kube/config). Execute the commands below to update this file. Use the IP address and the Kubernetes certificate acquired in the previous step. If the IP is IPv6, use the IP enclosed in brackets (example: "[fd00::a14:803]"). In the example below, the user is "admin-user", change it to the name of user you want to authenticate.

    $ MYUSER="admin-user"
    $ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443
    $ kubectl config set clusters.wrcpcluster.certificate-authority-data $(base64 -w0 k8s-ca.crt)
    $ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
    $ kubectl config use-context ${MYUSER}@wrcpcluster

    If you don't have the Kubernetes certificate, execute the following commands instead.

    $ MYUSER="admin-user"
    $ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443 --insecure-skip-tls-verify
    $ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
    $ kubectl config use-context ${MYUSER}@wrcpcluster
  4. Get a Kubernetes authentication token. There are two options, the first is through oidc-auth script and the second is through the browser. Both options are described below.

    To get the token through oidc-auth script, execute the steps below.

    1. Install "Python Mechanize" module using the following command:

      $ sudo pip install mechanize
    2. Install the oidc-auth from .

    3. Execute the command below to get the token and update it in the Kubernetes configuration file. If the target environment has multiple backends configured, you will need to use the parameter -b <backend_ID>. If the target environment is a system with a centralized setup, you should use the IP of the System Controller.

      $ oidc-auth -u ${MYUSER} -c <OAM_IP>

    To get the token through a browser, execute the steps below.

    1. Use the following URL to login into oidc-auth-apps client: https://<oam-floating-ip-address>:30555. If the target environment is a system with a centralized setup, you should use the IP of the System Controller.

    2. If the oidc-auth-apps has been configured for multiple 'ldap' connectors, select the Windows Active Directory or the server for authentication.

    3. Enter your Username and Password.

    4. Click Login. The ID token and Refresh token are displayed as follows:

      ID Token:
      
      eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4ZjZkYjcxNGI4ODQ5ZjZlNmExM2Y2ZTQzODVhMWE1MjM0YzE1NTQifQ.eyJpc3MiOiJodHRwczovLzEyOC4yMjQuMTUxLjE3MDozMDU1Ni9kZXgiLCJzdWIiOiJDZ2R3ZG5SbGMzUXhFZ1JzWkdGdyIsImF1ZCI6InN0eC1vaWRjLWNsaWVudC1hcHAiLCJleHAiOjE1ODI1NzczMTksImlhdCI6MTU4MjU3NzMwOSwiYXRfaGFzaCI6ImhzRG1kdTFIWGFCcXFNLXBpYWoyaXciLCJlbWFpbCI6InB2dGVzdDEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InB2dGVzdDEifQ.TEZ-YMd8kavTGCw_FUR4iGQWf16DWsmqxW89ZlKHxaqPzAJUjGnW5NRdRytiDtf1d9iNIxOT6cGSOJI694qiMVcb-nD856OgCvU58o-e3ZkLaLGDbTP2mmoaqqBYW2FDIJNcV0jt-yq5rc9cNQopGtFXbGr6ZV2idysHooa7rA1543EUpg2FNE4qZ297_WXU7x0Qk2yDNRq-ngNQRWkwsERM3INBktwQpRUg2na3eK_jHpC6AMiUxyyMu3o3FurTfvOp3F0eyjSVgLqhC2Rh4xMbK4LgbBTN35pvnMRwOpL7gJPgaZDd0ttC9L5dBnRs9uT-s2g4j2hjV9rh3KciHQ
      
      Access Token:
      
      wcgw4mhddrk7jd24whofclgmj
      
      Claims:
      
      {
      "iss": "https://128.224.151.170:30556/dex",
      "sub": "CgdwdnRlc3QxEgRsZGFw",
      "aud": "stx-oidc-client-app",
      "exp": 1582577319,
      "iat": 1582577319,
      "at_hash": "hsDmdu1HXaBqqM-piaj2iw",
      "email": "testuser",
      "email_verified": true,
      "groups": [
          "billingDeptGroup",
          "managerGroup"
      ],
      "name": "testuser"
      }
      
      Refresh Token:
      
      ChljdmoybDZ0Y3BiYnR0cmp6N2xlejNmd3F5Ehlid290enR5enR1NWw1dWM2Y2V4dnVlcHli
    5. Use the token ID to set the Kubernetes credentials in kubectl configs:

      $ TOKEN=<ID_token_string>
      $ kubectl config set-credentials ${MYUSER} --token ${TOKEN}