SSO to kubernetes with mod_auth_openidc session

12/7/2019

I want to access the kubernetes dashboard and the API using an already existing openid connect session (apache reverse proxy with mod_auth_openidc + WSO2 identity server). Unfortunately, kubernetes requires an id_token as a bearer token (signed JWT), which is quite hard to obtain by just having the session cookie from mod_auth_openidc module.

My problem is the following: When I call the the OIDCInfoHook with the id_token configured (the reverse proxy callback_url like http://service.domain?json=info), I just get the unsigned id_token token, which is useless for kubernetes authentication. Calling the info hook with the refresh token configured I can retrieve successfully the refresh token. With this token the identity server (WSO2) returns the id_token, a new access token and the next refresh token. Unfortunately, the mod_auth_openidc still has the old access_token and I need to map to the new the id_token to the old and new access token. Although it works after a fresh login, optaining the id_token doesn't work anymore after the session timeout (3600 s). In this state, I have to delete manually the session cookie in order to get a new login prompt.

I have two questions:

  1. Is there any other possibility to use oidc authentication with kubernetes that does not rely on the id_token, i.e. using one the openid connect flows as described in the spec? According to the openid connect spec, the id_token should not be send around and this method seems not to be one of the openid connect flows, I guess.

  2. Is there any other best practice way to integrate kubernetes into an existing openid connect based single sign on environment?

-- Werni
kubernetes
openid-connect
single-sign-on

1 Answer

12/9/2019

The common SSO solution for this kind of problems is to use Kubernetes OAuth2-Proxy, https://github.com/pusher/oauth2_proxy. You could either run the proxy in an ingress or in a side car container. If you have istio, you could also integrate Istio with your openid conenect provider.

-- Chunlong
Source: StackOverflow