►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Portable, Universal Single Sign-On for Your Clusters - Miguel Martinez, Bitnami
In order to enable Single Sign-On in your cluster you need to configure the Kubernetes API server. This is an issue if you are using services where the control plane is managed for you. Some managed services like GKE support SSO out of the box, but are not configurable. Others like AKS allow you to configure it, but only with Active Directory. These options might not fit some of your requirements such as using your company’s existing Identity provider, to use other protocols such as LDAP or SAML or when applications (e.g the Kubernetes Dashboard) need access to the API server. In this session, I will present some workarounds that leverage other native AuthN/AuthZ mechanisms such as service accounts or impersonation via auth proxies. I will also demo how to use these methods to enable SSO for the Kubernetes dashboard that can be used across different managed and on-prem environments.
https://sched.co/MPdT
A
All
right
good
afternoon,
we'll
start
the
next
session
in
the
security,
identity
and
policy
tract
with
us
is
Miguel.
Martinez
Miguel
is
a
contributor
to
helm
and
monocular.
Is
that
right,
like
a
binocular
but
yeah,
but
only
one
lens?
He
also
works
on
Kubb
apps,
which
is
an
open-source
dashboard
for
kubernetes,
and
with
that
I'll
hand
it
over
to
Miguel
sorry.
B
Hello,
everyone
I'm
actually
impressed
by
how
many
people
are
interested
in
a
authentication
of
3
p.m.
it's
awesome,
so
I'm
Miguel
that
photo
actually
is
from
a
happy
day
the
day
that
I
got
my
one
wheel,
which
is
kind
of
like
that
skateboard
I,
like
it
a
lot
actually,
my
wife
is
mad
at
me
because
she
says
that
I
take
more
pictures
of
nothing
done
anything
else,
but
I
know
I.
Don't
understand.
I
actually
disagree
because
I
also
take
pictures
of
my
wife.
B
I,
don't
know
anyway,
so
I'm
sober
and
ended
up
in
Miami
I
am
mention
I'm
called
contributor
at
Q.
Bob's
application
touch
for
communities
monocular,
which
is
the
engine
behind
helm,
hub
and
human
self.
So
the
agenda
is
very
simple:
top
gender
is
very
straightforward.
It's
just
I'm
gonna
explain
the
problem
that
we
run
into
give
you
a
key
a
couple
of
takeaways
of
our
journey,
implementing
OID
C
and
all
the
challenges
that
we
run
into
I'm
very
I'm,
going
to
show
you
a
couple
of
workarounds
to
basically
bypass
those
limitations.
B
B
But
the
first
thing
the
young
user
needs
to
do
is
to
provide
their
community's
credentials
and
that
time,
the
only
way
to
do
that
was
by
providing
their
community
service
account
tokens,
and
that
means
of
somebody
needs
to
go
to
the
blaster
either
the
user
or
a
cluster
operator
find
that
talking
and
provided
not
was
an
adoption
barrier
and
because
configuring
that
talking
and
configuring
our
bug
was
actually
pretty
hard
for
the
kind
of
users
that
we're
targeting.
That
was
an
adoption
barrier
as
well
for
security
practices.
B
They
were
even
sharing
the
tokens,
so
we
asked
the
community
at
the
answer
was
place,
implement
single
thing
on
here,
so
we
quickly
realized
that
the
problem
that
we
are
running
into
we're
not
the
only
ones.
This
applies
to
every
single
application
that
wants
to
offer
authentication,
be
a
single
thing
on
and
that
applications
talks
to
the
communities
API
server
on
behalf
of
the
user
and
that's
the
case
for
cubes,
but
it's
also
the
communities
where,
and
it's
also
cube
cuttle-
that
we
use
to
control
that
we
use
every
day.
B
B
So
we
took
a
look
at
the
state
of
the
authentication
in
kubernetes
I
left
out
some
some
other
solutions,
but
we
basically
took
the
main
ones
and
created
four
categories.
The
first
one
is
how
easy
it
is
to
self-service
those
kind
of
credentials.
Can
you
do
it
by
yourself?
Do
you
need
the
intervention
of
a
cluster
operator?
Then?
What?
How
is
there?
Is
there
any
built-in
rotation
for
those
tokens
for
those
credentials
and
what
about
revoking
those
credentials?
How
is
it
and
then
they
user
experience
when
you
have
set
up
those
finishes?
B
So
the
first
one
is
our
client,
certs
and
client
search.
A
little
more
experience
require
our
authority
more
classified
operation
team
to
verify
who
I
was
graph
those
credentials
either
manually
or
an
automated
way
and
then
send
them
over
securely.
So
cell
service
was
an
option
in
our
case
rotating
and
revoking.
He
was
saying
great
either.
Actually
in
this
case,
sometimes,
if
you
want
to
revoke
a
single
certificate,
you
might
actually
end
up.
We
walk
in
the
hall,
all
the
users
that
use
the
same
certificate
authority,
for
example,
and
then
user
experience
was
fine.
B
It's
once
you
set
it
up
in
your
give.
Config
was
fine,
then
we
got
tokens
which
can
be
either
service
accounts
or
static,
static
tokens
next
to
the
API
server
and
self-serve.
It
is
the
same
issue,
but
then
rotating
rotation
mentor
vocation
actually
got
better,
because
you
can
rotate
the
thing
you
you
can
debug
and
Protel
programmatically
and
a
single
user
basic
auth
was
very
it's
very
similar
to
the
token,
and
then
we
got
single
sign-on
so
single.
Second,
once
you
set
it
up,
when
the
cluster
operator
sets
it
up,
you
got
cell
service.
B
In
most
cases,
it
has
built-in
rotation,
we
refresh
tokens
and
then
provoking
revocation
has
a
caveat
because
the
talking
might
have
a
lifespan.
So
during
that
period
they
might
be
tricky
by
user
experience.
Actually
we
put
it
in
green
just
because
it's
not
the
only
useful
for
users,
it's
good
for
you.
It's
also
for
cluster
operators,
so
su
meaning
a
little
bit
down.
Y
single
thing
you
need
is
for
user
is
done
like
a
no-brainer.
B
They
use
it
every
day
they
can
with
Facebook
github
with
all
these
providers,
and
they
don't
want
to
have
an
additional
set
of
credentials
and
they
also
like
the
instant
ratification
of
signing
up
I'm
start
using
it
right
away,
but
then
for
cluster
operators,
which
I
think
is
more
interesting.
Is
they
don't
need
to
generate
or
transfer
credentials
anymore?
They
don't
need
to
care.
Do
you
know
about
rotation
of
revoking
those
credentials
because
that
gets
delegated
to
a
third
party
identity
provider
I'm?
Some
of
those
identity
providers
in
support
advanced
features
like
groups
and
scopes.
B
So
we
started
looking
into
let's
implement
this.
It
seems
the
right
thing
and
that's
what
the
users
are
asking
for.
Reading
the
documentation
I
saw
that
communities
already
supported,
support
single
sign-on
Beebop
via
open
I,
think
on,
but
what's
the
difference
between
open
idea?
Connect
involves
I,
honestly,
didn't
know
the
difference,
so
open
idea.
Connect
is
an
identity
layer.
Thus
this
is
official
description.
It's
a
identity
layer
on
top
of
the
last
two
also
recession
protocol
and
to
understand
a
little
bit
better.
B
I
created
this
diagram
on
the
right
side,
which
is
an
over
simplified
version
of
the
flow
and
which
we
have
three
actors
actually
they're
coming
up
for
the
user
and
client
the
authentication
provider
and
the
resource
that
the
client
wants
to
access
to
the
first
step
will
be,
the
user
will
be
redirected
to
the
authentication
provider.
Saying?
Can
you
please
grant
access
to
this
client
to
this
kind
of
resources
via
the
scope
and
as
a
result,
you
will
get
an
access
token.
B
So
what's
stopping
ID
open,
ID
connected
open?
The
connecting
practice
means
that
there
is
one
more
scope
to
you
pass
and,
as
a
result,
you
get
an
ID
token
and
that
ID
token
contains
all
the
information
for
the
user
in
a
standardized
and
click
to
sign
way
and
that
format
itself.
It's
called
JSON
web
token
and
as
a
side
effect
of
having
all
the
information
already
in
there
are
you
talking,
we
don't
need,
or
whoever
is
implemented,
implementing
this
this
flow.
B
We
don't
need
to
to
have
a
new
string
for
endpoint
animal,
so
it
simplifies
things
to
understand
how
the
validation,
how
the
verification
of
this
token
works
we're
going
to
actually
think
about
a
real-world
example,
and
that
example
is
basically
me
traveling
to
the
US.
The
first
thing
I
need,
is
to
go
to
an
identity
provider
which
jung-yoon
IAM
or
staying
my
case,
and
they
will
verify
my
identity
and
they
will
grab
the
passport.
The
passport
is
that
entities
the
better
I've
entertained
to
take
with
me
at
all
times
when
I
land
to
the
US.
B
They
will
take
my
passport
and
they
will
check.
Is
it
from
a
trusted
source?
They
will
say
sure
you
know
we
we
still
accept.
Spanish
passports
hasn't
been
tampered
with.
They
will
check
that
if
it's
a
new
passport,
though
they
will
check
it,
you
know
no,
no
pages
are
being
broken
water,
it
is
not
expired,
and
the
key
takeaway
here
is
that
US
Customs
in
theory,
doesn't
contact
Spain
for
every
single
Spaniard
that
goes
to
the
border.
There
is
some
mechanism
already
in
place
to
validate
those
passports.
B
If
we
extrapolate
this
to
kubernetes
is
basically
the
same
thing.
We
got
a
set
of
identity
providers
that
can
be
either
managed
or
or
on-prem
and
I
much
like
Active
Directory
of
Google
accounts
of
self
hostility,
xop
o'clock,
and
then
there
is
not
a
passport.
What
we
have
instead
is
the
ID
token
that
I
mentioned
before,
which
is
a
JSON
web
token.
The
JSON
web
token
has
three
parts,
a
header
that
tells
you
what
kind
of
signature
has
a
payload
that
contains
who
you
are,
who
provisioned
this
token?
Who
is
we?
B
Who
is
their
audience
and
when
does
it
expire,
among
other
things,
and
all
these
informations
store
director
called
claims,
but
the
most
important
part
of
this
token
is
a
signature
which
will
be
used
on
the
relying
party
end,
which
will
be
the
Kunis
API
server
in
our
case,
to
check
if
it
has
been
tampered
with.
There
is
a
signature
plus
a
plot
at
the
public
key,
and
they
will
very
verify
that
nobody
has
changed
the
token,
but
they
will
also
check
if
it's
from
a
trusted
source
via
the
issuer
claim.
B
B
B
B
We're
going
to
do
first,
the
exercise
by
using
this
echo
server,
which
is
just
a
very
simple
web
server
that
exposes
the
headers,
are
injected.
So
we
have
the
echo
server
running
and
we're
going
to
do
next
is
to
is
to
install
the
proxy.
So
the
proxy
I'm
going
to
be
using
is
called
keep
your
gatekeeper.
You
can
use
all
two
proxy
and
there
are
others,
but
all
of
them
work
the
same
way.
B
So
if
you
try
to
access
now,
the
were
the
the
echo
the
echo
server
you
get
intercepted
by
the
by
the
proxy,
which
is
more
motor
functions,
and
now
we
see
the
echo
server,
we
way
more
information.
It
contains
information
like
who
I
am
my
email
address,
my
name
I'm
also
talking
and
what's
more
important.
It
has
an
authorization
header
that
says
it's
going
to
be
injected
in
every
request.
B
B
And
it
will
say
that
expires
in
one
hour,
so
let's
actually
try
to
to
hit
the
API
server.
With
this
token,
I'm
doing
a
call
to
the
API
server
and
it
says
for
one
this
expected
the
API
server,
though
saying
understand
this
token.
Yet
so
the
next
thing
that
we
need
to
do
the
missing
piece
here
is
configuring
the
API
server,
and
this
is
trivial.
This
is
doable
in
mini
cube
because
you
can
actually
pass
extra
conflict
class.
B
B
B
So
we
get
intercepted,
that's
good,
but
this
time
this
should
work
and,
as
we
can
see
now,
the
dashboard
says
you
know
then,
together
with
the
earth
headers,
and
this
is
because
they
also
the
work,
has
built-in
functionality
to
create
this
token.
That
has
been
injected
by
the
approximate.
So
we
went
from
experience
that
require
our
we
manually
add
your
credentials
to
basically
getting
access
automatically
to
that
with
Azure,
be
a
single
sign-on,
okay,
so
that
was
good,
but
that
birthing
work
everywhere.
B
B
So,
regarding
modifying
the
API
server,
we
look
into
different
distributions
in
some
manner
services
that
actually
can
be
tricky
in
cases
like
GK
or
yes.
This
actually
might
have
changed
already,
because
it
changes
everyday,
but
G
ke,
ke
s.
You
cannot
modify
those
flags
in
a
case
and
oke.
You
can
do
it,
but
only
selecting
their
specific
identity
providers,
so
this
is
actually
the
biggest
the
biggest
problem
that
you
might
run
into
another
interesting
interesting.
B
Another
issue
is
that
in
communities
you
can
authenticate
not
only
you
can
reference,
as
you
seen
user,
not
only
by
its
user
but
also
by
its
group,
and
the
good
news
is
that
you
can.
Actually
you
can
actually
preference
or
take
information
from
each
other
talking
a
map
it
to
internal
referencing
are
back
and
you
can
do
it
by
the
flag
type
food
under
but
Newser
that,
as
always,
these
system
work
everywhere
either.
B
B
So
we
looked
into
a
couple
of
workarounds
called
workarounds
hugs
whatever,
but
the
idea
is
that
this
was
kind
of
like
that.
The
it
was
the
one
that
made
sense
at
the
beginning,
because
the
Dutch
were
already
supports
service
account
tokens
cube,
app
sources.
Support
service
accounts
tokens
of
what,
if
we
have
some
kind
of
some
kind
of
like
system
that
will
take
the
ID
token,
we
will
do
the
verification,
require
and
extract
the
claims.
B
On
the
other
side,
you
will
get
a
service
account
or
that
was
kind
of
like
a
no-brainer,
and
to
do
that,
we
could
actually
rely
on
some
when
it
is
primitive,
like
we
had
a
controller
that
will
interface
using
an
account
CRD
and
all
that
good
stuff,
and
even
though
this
is
actually
cool.
This
is
difficult.
This
was
very
difficult,
so
we
looked
into
another
solution
which
is
community
impersonation.
B
B
The
first
one
is:
can
impersonate
a
user
impersonate,
the
full
user,
sure
and
then
kind
of
who
user
access
pots,
because
that
was
the
initial
command,
and
you
might
think
this
is
kind
of
like
impersonation
has
come
dangerous
because
you
might
actually
have
a
user
that
has
god
mode
or
sudo
you
can
limited.
You
can
actually
make
the
impersonator
only
impersonate
specific
groups.
So
in
some
ways
you
can
restrict
that
the
interesting
part
about
impersonation
is
that
actually
using
it
is
not
different.
B
If
you
just
need
to
pass
a
new
set
of
headers,
there
are
two
new
headers
impersonate
user,
which
is
required
and
impersonate
group,
which
is
optional,
and
something
something
to
note
is
that
the
authorization
rather
this
time
is
not
from
the
user.
It
is
from
the
impersonator.
So
this
is
a
difference.
B
So
by
knowing
this
we
can
just
put
up
another
proxy
I'm
gonna
have
two
proxies
that
will
take
the
ID
token
to
the
verification
and
I'm
just
on
the
other
end
inject
those
new
modified
attestation,
header
and
inject
this
to
those
two
new
headers
and
the
way
that
we
can
set
it
up
is.
We
can
put
it
between
your
app
and
the
conus
API
server,
and
if
you
see
how
the
flow
will
work
is
the
user
will
enter
in
your
application,
it
will
be
intercepted.
B
B
B
So
we're
calling
the
the
GK
API
server
here
and
we
get
401.
Okay,
so
confirm
this
doesn't
work.
So
what
we're
going
to
do
next
is
to
a
new,
a
new
proxy,
this
impersonation
proxy
and
the
good
news.
The
good
news
are
that
actually
it
already
exists.
Our
friends
from
jet
stock
have
already
built
one.
This
is
awesome
and
it
does
what
we
need.
You
configure
it
to
trust,
an
identity
provider.
They
will
take
an
ID
token.
B
So
have
it
running
and
what
we're
gonna
do
now
is:
let's
actually
call
the
API
server
with
the
same
token,
but
through
the
proxy
to
see
what
happens
so
I'm
poor
for
what,
in
the
the
port
and
the
proxy
I'm
doing
a
call
through
localhost
this
time,
remember
the
first
one
failed
and
this
one
is
going
through
the
proxy,
so
it
seems
I've
worked.
Let's
take
a
look
at
the
logs,
so
looking
at
impersonation,
proxy
and
I
know.
This
is
very,
very
bossy
because
in
debug,
but
what
we're
going
to
see
here
is.
B
We're
gonna
see
that
there
is
a
new
header
calling
personal
user
with
Miguel
admin,
my
own,
that
was
extracted
by
by
this
proxy
from
from
jet
stock.
The
other
thing
that
it
did
was
to
pass
the
authorization
header
which
we're
going
to
actually
introspect
now
to
see
what
it
has
inside.
So
we're
going
to
Jason
Webb
talk
in
the
dialogue
we
did
before
and
weird
economy.
B
So
we
can
see
here
is
that
this
token
doesn't
contain
any
information
about
me
as
a
user,
it
basically
has
been
issued
by
a
service
account
and
it's
actually
in
the
the
user
that
represents.
Is
the
service
account
default
in
the
Qi
DC
proxy.
So
this
is
the
this
is
the
impersonator
and
impersonator
has
been
configured
to
be
able
to
impersonate
my
account
okay,
so
we
have
a
proxy
that
it
seems
to
work.
So
next
we
just
need
to
take
the
Queenie
this
dashboard
and
click
it
we're
going
to
actually
make
it
think.
B
B
B
So
in
the
local
we're
gonna
see
is
that
there
is
a
call
to
API
v1
default
services,
which
is
the
best
I'm
seeing
in
the
dashboard
right
now,
and
it's
impersonating,
my
user
and
just
a
quick
note.
This
works
also
works
because
I
have
a
cluster
or
Pro
binding
for
me,
get
up
in
a
meal
to
come.
They
already
set
up
okay,
so.
B
B
If
you
want
to
learn
more,
we
wrote
in
dev
document
about
about
all
these
workarounds
that
we
did
there.
We
also,
we
also
touch
all
the
validation
part
I
actually
left
out
in
this
case,
I
also
recommend
to
take
a
look
at
the
community
stock
from
yo
composure
check
out
the
proxy
I
use
for
my
second
demo
from
jet
stocks
awesome,
and
you
can
find
the
files
the
demo
files
that
my
colleague
unknown
help
me
with.
C
D
B
So
multi-factor
off
I
believe
that
you
know
that's
one
day:
I'm
identity
provider,
side.
So
before
you
actually
get
back
to
the
final
of
callback,
that
will
you
know
basically
with
enough
it
will
not
affect
on
our
end,
so
it
shouldn't
be.
It
shouldn't
be
a
problem
regarding
the
identity
on.
So
you
are
talking
about
some
kind
of
auditing
on
the
side
who
is
impersonating?
Whom
I
mean
the
impersonator
in
this
case
is
a
single
one
right.
So
if
you
actually
go
back
to
tonight,
the
other,
the
other.
B
So
this
one,
for
example,
for
auditing,
is
actually
much
much
better,
because
you
will
have
all
those
series
that
you
will
actually
be
able
to
to
check
who
sign
up
Wayne
and
when
the
talking
about
creating
so
on
so
forth.
On
the
other
side,
you
have
that
issue
that
the
impersonator
is
a
single
one.
So
how
do
you
know
that
loads
I?
Don't
know
you
can
always
put
something
some
kind
of
like
side
car
that
will
create
some
kind
of
block
anywhere,
but
I
don't
know.
E
I
have
a
question
so
as
I
understand
as
long
as
you
are
using
web
web
browser.
So,
for
example,
your
log
in
to
web
console
it's
really
simple
and
seamless.
You
just
basically
go
to
web
to
page
and
you
get
sign-on
automatically.
But
if
you
are
going
through
command
line,
I
still
have
to
go
to
web
browser
obtain
the
token
and
then
copy
it
manually
to
the
command
line.
B
So
I've
seen
that
you
so
I
believe
that
when
you
have
a
command
line
tool,
what
will
happen
is
some
kind
of
like
local
web
server
will
appear
and
then
they
call
back
from
their
wealth
to
will
go
to
a
local
port
and
I
believe
that
you
don't
need
to
copy
the
talking.
In
that
case,
the
problem
should
be
smart
enough
to
so.