• Backups
• Cox home network facts
• Dotfiles
  • Neovim's Lazy.vim
  • Zsh
    • OS Detection
    • Parsing options
    • Startup performance
• Email
  • Running sieve locally
  • Sieve
• Fun Holidays
• Gaming
  • Mobile Games
• Gaming PC Hardware
• Gitlab
  • Automatically adding UptimeRobot to Gitlab's monitoring whitelist with ansible
  • Caching CI stuff with Minio
  • Fixing SAML association for a Gitlab user
  • Having a little fun with Gitlab's join date
• Good RFC
• Homelab
  • AUR Repo
  • Bootstrap
    • (NAS) Garage S3
    • Dedicated Server
    • IOFlood (Netherite)
    • Soft Serve
    • Synology NAS
    • ntfy.sh
  • Step-CA
  • Tech Stack
  • VLANs
• IPv6
• Kubernetes
  • Get Root CA
  • New SSH Fingerprints to Flux
  • Talos OIDC setup
• Linux
  • Backups
  • Desktop Customization
  • Disabling WiFi
  • Getting disk serial number
  • Monitoring
  • Non-root users can ping
  • Pacman hooks
  • PowerDNS administration
  • Reboot Criteria
  • Systemd version via DBus
  • Text-to-speech locally
• MacOS
  • Local backups
• Meta - Digital Garden
• Meta - Test Page
• OpenID Connect
• Packing List
• Ruby
  • Fixing Fakeweb & Coveralls conflict
  • Generating a webpage screenshot
• SQLite Booleans
• Security
  • Password reset via HMAC
• Smarthome
• Web Design
  • Icon Libraries
  • SVG Icons
  • Various Ideas

Configuring Talos-powered Kubernetes to authenticate via OIDC

Set up kube-apiserver to authenticate clients using OpenID Connect against my preferredprovider, Authentik.

1. Create an application in Authentik

Typical process of creating a provider & application through the wizard. There
are a few custom configuration options though:

• Set the client type to public
• Use ‘kubernetes’ as the client ID, rather than the randomly generated value. (This will be public knowledge)
• Add two redirect URLs for kubelogin: (NB: no trailing slash!)
  • http://localhost:8000 (primary port used by kubelogin)
  • http://localhost:18000 (fallback if port 8000 is in use)
• Under ‘Advanced protocol settings’:
  • Ensure ‘Include claims in id_token’ is checked
  • Increase the duration of access token validity, since opening a browser tab every 5 minutes is annoying.

2. Configure the Kubernetes API server

This is simply adding a few additional CLI arguments:

--oidc-client-id=kubernetes
--oidc-issuer-url="https://authentik.company/application/o/kubernetes/"
--oidc-username-claim=preferred_username
--oidc-groups-claim=groups
--oidc-username-prefix="oidc:user:"
--oidc-groups-prefix="oidc:group:"

And then deploying the updated arguments via talosctl apply.

3. Configure kubectl to use kubelogin

Add the following to your ~/.kube/config file:

users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://authentik.company/application/o/kubernetes/
      - --oidc-client-id=kubernetes
      - --oidc-extra-scope=groups,profile

*[OIDC]: OpenID Connect

References and useful links

• https://geek-cookbook.funkypenguin.co.nz/kubernetes/oidc-authentication/authentik/
• https://github.com/int128/kubelogin
• https://www.talkingquickly.co.uk/setting-up-oidc-login-kubernetes-kubectl-with-keycloak
• https://www.talkingquickly.co.uk/webapp-authentication-keycloak-OAuth2-proxy-nginx-ingress-kubernetes