Step by step guide to integrate LDAP with Kubernetes

Krishna Pulluru
2 min read · Feb 18, 2018


We have been using Kubernetes for a couple of months now and we are running one of our production-grade clusters in our datacenter. In case you haven’t seen my previous post on setting up k8s on bare metal, here it is.

We had to expose the k8s dashboard to everyone in the company. However, this means anyone can do anything, including accidentally wiping out critical components. Although we had protected the dashboard with basic auth, i.e. a single username and password, that only provides authentication, gives no way to tell users apart for authorization, and doesn’t scale. Since we already use LDAP for all our internal apps, we decided to make LDAP work with Kubernetes. However, it’s not straightforward, and this document provides a step-by-step guide to integrating the two.

Kubernetes provides several options for authentication. One of them is OpenID Connect (OIDC) tokens. Note that OpenID Connect is an extension of OAuth2, and one of its open source implementations comes from CoreOS through a project called dex. Dex acts as a portal to identity providers through connectors, and LDAP is one of the supported connectors. For detailed information on dex and the other supported connectors, refer to: https://github.com/coreos/dex/#connectors

Now, for the step-by-step guide to the setup, please refer to my GitHub repo: https://github.com/krishnapmv/k8s-ldap

This is a forked project, and I’ve made changes so it works in our environment. We don’t use Ingress controllers, and since HTTPS is supported by both the loginapp and the dex app, I’ve modified the setup to terminate SSL inside the apps themselves.

Once you have both loginapp and dex up and running, you can log in to the loginapp, leave the defaults as they are, and request a token. This redirects you to the dex app, where you enter your LDAP credentials. If you authenticate successfully against LDAP, it returns a .kube/config snippet which you need to add to your kubeconfig. You can also sign in to your k8s dashboard using the id_token. (TIP: if you want to decode the id_token to verify the data it carries, use this site.)
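As an added example, not code from the post or from the k8s-ldap repo, here is the check behind that TIP done offline: decode the id_token dex returned and compare its claims with what the kube-apiserver’s OIDC flags expect. The issuer URL, client id and claim names below are assumed values; substitute the ones from your dex and apiserver configuration.

```python
import base64
import json
import time

# Assumed kube-apiserver OIDC settings that the checks below mirror.
# Real values come from your dex config and apiserver flags.
ISSUER_URL = "https://dex.example.internal:5556"   # --oidc-issuer-url
CLIENT_ID = "loginapp"                              # --oidc-client-id
USERNAME_CLAIM = "email"                            # --oidc-username-claim
GROUPS_CLAIM = "groups"                             # --oidc-groups-claim


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified
    here; the apiserver does that against dex's published keys. This is
    only for inspecting what dex put into the token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims: dict, now: int = 0) -> list:
    """Return the reasons the apiserver would reject this token, or an
    empty list if the claims line up with the settings above."""
    now = now or int(time.time())
    problems = []
    if claims.get("iss") != ISSUER_URL:
        problems.append("iss %r != --oidc-issuer-url" % claims.get("iss"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        problems.append("aud %r does not contain --oidc-client-id" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token is expired (exp <= now)")
    if USERNAME_CLAIM not in claims:
        problems.append("missing username claim %r" % USERNAME_CLAIM)
    if GROUPS_CLAIM not in claims:
        problems.append("missing groups claim %r; RBAC group rules will not match" % GROUPS_CLAIM)
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT shaped like a dex id_token (constructed sample;
    the signature segment is a placeholder, so only the decode path is real)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "sample"}), enc(claims), "placeholder-signature"])


if __name__ == "__main__":
    sample = make_sample_token({"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "ldap-user-id",
                                "email": "jane@example.com", "groups": ["k8s-admins"],
                                "exp": int(time.time()) + 3600})
    for problem in check_claims(decode_id_token(sample)):
        print("PROBLEM:", problem)
```

To inspect a real token, pass the id_token string from the returned .kube/config to decode_id_token instead of the constructed sample.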

If you don’t have LDAP in your environment already but still want your k8s users to authenticate, you can choose GitHub token authentication: https://github.com/oursky/kubernetes-github-authn (I used this setup before setting up dex, and it’s straightforward to set up).

UPDATE: You can use keycloak proxy instead of loginapp, but it only works with the dashboard (i.e. it won’t give you a kubectl config that you can use with the CLI). I’ve updated my GitHub repo to include deployment and service configs for keycloak proxy.

Please write to me at krishna dot pmv at gmail for any questions, or if you have any difficulty setting up dex or integrating it with LDAP.
