Skip to content
/ kubernetes-ldap Public
forked from rrmckinley/kubernetes-ldap

Lightweight Directory Access Protocol (LDAP) plug-in for Kubernetes™

kismatic.io

License

Apache-2.0 license
4 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

alexbrand/kubernetes-ldap

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

123 Commits
auth
auth
 
 
cmd
cmd
 
 
ldap
ldap
 
 
token
token
 
 
vendor
vendor
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.markdown
CONTRIBUTING.markdown
 
 
CONTRIBUTORS.markdown
CONTRIBUTORS.markdown
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.markdown
README.markdown
 
 
glide.lock
glide.lock
 
 
glide.yaml
glide.yaml
 
 

Repository files navigation

kubernetes-ldap

Lightweight Directory Access Protocol (LDAP) for Kubernetes™

Getting Started

This project provides an LDAP authentication webhook for Kubernetes. The current implementation exposes two endpoints:

  • /authenticate: Handles token authentication requests coming from Kubernetes
  • /ldapAuth: Issues token to be used when interacting with the Kubernetes API

Pre-requisites

  • Certificate and corresponding private key for the webhook server
  • Certificate and corresponding private key for the Kubernetes webhook client

Starting the webhook server

Run the following to start the server

kubernetes-ldap --ldap-host ldap.example.com \
    --ldap-base-dn "DC=example,DC=com" \
    --tls-cert-file pathToCert \
    --tls-private-key-file pathToKey \
    --ldap-user-attribute userPrincipalName

Configuring the Kubernetes Webhook

Create a yaml file to define the webhook:

# clusters refers to the remote service.
clusters:
  - name: ldap-auth-webhook
    cluster:
      certificate-authority: ~/ldap.example.com.cert      # CA for verifying the remote service.
      server: https://ldap-webhook:4000/authenticate # URL of remote service to query. Must use 'https'.

# users refers to the API Server's webhook configuration.
users:
  - name: ldap-auth-webhook-client
    user:
      client-certificate: ~/k8s-webhook-client.cert # cert for the webhook plugin to use
      client-key: ~/k8s-webhook-client.key          # key matching the cert

# kubeconfig files require a context. Provide one for the API Server.
current-context: webhook
contexts:
- context:
    cluster: ldap-auth-webhook
    user: ldap-auth-webhook-client
  name: webhook

Set the following flags to configure the authentication webhook when starting the Kubernetes API Server:

--authentication-token-webhook-cache-ttl=30m0s # Set appropriate cache TTL 
--authentication-token-webhook-config-file=/root/webhook-config.yaml # Path to file where the webhook is defined

Authenticating and using kubectl

Once the webhook and API servers are running, we are ready to authenticate using LDAP.

  1. Obtain an authentication token from the webhook server
AUTH_TOKEN=$(curl https://ldap-webhook:4000/ldapAuth --user [email protected]:password)
  1. Store the auth token in kubectl's configuration
kubectl config set-credentials alice --token=$AUTH_TOKEN
  1. Start using kubectl with the authenticated user
kubectl -s="https://localhost:6443" --user=alice get nodes

About

Lightweight Directory Access Protocol (LDAP) plug-in for Kubernetes™

kismatic.io

Resources

Readme

License

Apache-2.0 license
Activity

Stars

4 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 96.3%
  • Makefile 3.7%