TL;DR

Kubernetes Dashboard is a cool web UI for Kubernetes clusters. You can protect your Kubernetes Dashboard with an OpenID Connect reverse proxy such as keycloak-proxy.

Kubernetes Dashboard

In this article, we configure the following stack:

Keycloak / Google Account (OpenID Connect identity provider)

keycloak-proxy (OpenID Connect reverse proxy)

kube-apiserver (Kubernetes API server)

Kubernetes Dashboard

Getting Started

1(a). Set up the Keycloak

You can deploy a Keycloak server from the Helm chart.

Configure the Keycloak to be an OpenID Connect identity provider.

In this article, it assumes the followings:

You are in the realm hello

You have the user foo

You belong to the group admin

Add a client with the following properties:

Client ID: kubernetes

Client Protocol: openid-connect

Access Type: confidential

Valid Redirect URIs: https://kubernetes-dashboard.example.com/oauth/callback

Then create a mapper. It allows group based access control.

Name: groups

Mapper Type: Group Membership

Token Claim Name: groups

Now the Keycloak becomes an identity provider.

1(b). Set up the Google Identity Platfrom

As well as you can use your Google account. This is easier.

Open Google APIs Console and create an OAuth client as follows:

Application Type: Web application

Redirect URL: https://kubernetes-dashboard.example.com/oauth/callback

Please replace the issuer URL with https://accounts.google.com in the later sections.

2. Set up the Kubernetes API

Configure the kube-apiserver accepts an ID token of OpenID Connect.

If you are using kops, add the following by kops edit cluster :

spec:

kubeAPIServer:

oidcClientID: kubernetes

oidcGroupsClaim: groups

oidcIssuerURL: https://keycloak.example.com/auth/realms/hello

If you are using kube-aws, add the following to cluster.yaml :

oidc:

enabled: true

issuerUrl: https://keycloak.example.com/auth/realms/hello

clientId: kubernetes

groupsClaim: groups

Now the kube-apiserver can authenticate by an ID token.

3. Set up the keycloak-proxy

Run an OpenID Connect proxy server. keycloak-proxy is a lightweight proxy server written in Go.

You can deploy a keycloak-proxy from the Helm chart as follows:



helm repo update

helm install int128.github.io/kubernetes-dashboard-proxy helm repo add int128.github.io https://int128.github.io/helm-charts helm repo updatehelm install int128.github.io/kubernetes-dashboard-proxy

or you can kubectl apply the following manifests:

Above example uses an ingress to publish the proxy port but you can use a NodePort or LoadBalancer as well.

If you are using nginx-ingress, make sure proxy_buffer_size option is larger than 4kB. You can configure that by the ConfigMap.

proxy-buffer-size: "64k"

4. Set up the Kubernetes Dashboard

You can install a Kubernetes Dashboard from the Helm chart.

helm install stable/kubernetes-dashboard --namespace kube-system --name kubernetes-dashboard

Open https://kubernetes-dashboard.example.com .

Since no role is given to the current user or group, an Unauthorized warning will be shown on the dashboard.

Assign the cluster-admin role to the current group.

kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1

metadata:

name: keycloak-admin-group

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: ClusterRole

name: cluster-admin

subjects:

- kind: Group

name: /admin

Now all objects are shown in the dashboard.

Note that the cluster-admin role is a super administrator and can do everything. Consider a dedicated role in your actual operation.

Deep dive

In this article, we build the following stack:

At first the proxy sends a redirect to the Keycloak. If the authentication is successfully done, the proxy receives the ID token and stores it into the browser Cookie.

Once authenticated, the proxy forwards a request with an Authorization header to the dashboard. Then the dashboard accesses to the kube-apiserver by using the ID token.

In this way the dashboard delegates the authentication to the kube-apiserver. This is why you have to configure the kube-apiserver.

Wrap up

In this article, I introduced how we can protect a Kubernetes Dashboard with an OpenID Connect proxy server.

See Also