How to Secure Your Kubernetes Cluster with OpenID Connect and RBAC

Hi,

I have followed your instructions carefully. The last step "kubectl --user=oidc get nodes" failed with this error: "error: You must be logged in to the server (Unauthorized)".

I can successfully run "kubectl oidc-login setup --oidc-issuer-url=https://dev-54891300.okta.com/oauth2/aus8znbrivtIvvUbe5d7 --oidc-client-id=<client_id>" and receive a claim as shown below. The necessary RBAC role and clusterrolebindings have been created. I'm stumped, so any help is appreciated. This fails on both Linux and Windows machines.

Sample claim:

    {
      "sub": "00u8znd93j05UO03W5d7",
      "ver": 1,
      "iss": "https://dev-54891300.okta.com/oauth2/aus8znbrivtIvvUbe5d7",
      "aud": "0oa8znhaqq3Lel6Wc5d7",
      "iat": 1680739122,
      "exp": 1680742722,
      "jti": "ID.a_e5RgJZ3wKOg8GDMn2qfQZMNhMigu_vnGNL4E4zvCc",
      "amr": [
        "pwd"
      ],
      "idp": "00o86ydr2iCI2XyxZ5d7",
      "nonce": "4pu2RGFN-cyPEmC9kwZLnc_G4WGfAt9R8QC1IBGF69M",
      "auth_time": 1680738431,
      "at_hash": "zOalIT4_F5pa3IsGPlkitA",
      "groups": [
        "k8s-admins"
      ]
    }
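Added troubleshooting example (not part of the comment above and not the article author's code): a script that compares the claims in an ID token with what kube-apiserver expects from its --oidc-* flags, and computes the username and groups the API server would derive, which is what the RBAC bindings must reference. The flag values in ASSUMED_APISERVER_FLAGS are assumptions for illustration; the client id is assumed to equal the token's "aud", and the token is a constructed fixture built from the claim in the comment, with a placeholder signature, so decoding here deliberately skips signature verification (the API server does that against the issuer's JWKS).

```python
"""Diagnose why kube-apiserver may reject an OIDC ID token.

Added example, not from the original post. Flag values are assumed
placeholders; replace them with the real --oidc-* flags of the cluster.
"""
import base64
import json
import time

# Constructed fixture: the decoded claim from the comment above.
SAMPLE_CLAIMS = {
    "sub": "00u8znd93j05UO03W5d7",
    "ver": 1,
    "iss": "https://dev-54891300.okta.com/oauth2/aus8znbrivtIvvUbe5d7",
    "aud": "0oa8znhaqq3Lel6Wc5d7",
    "iat": 1680739122,
    "exp": 1680742722,
    "amr": ["pwd"],
    "groups": ["k8s-admins"],
}

# Assumed kube-apiserver flags (placeholders). The client id is assumed to
# equal the token's "aud"; the real one replaces the <client_id> in the post.
ASSUMED_APISERVER_FLAGS = {
    "oidc-issuer-url": "https://dev-54891300.okta.com/oauth2/aus8znbrivtIvvUbe5d7",
    "oidc-client-id": "0oa8znhaqq3Lel6Wc5d7",
    "oidc-username-claim": "sub",
    "oidc-groups-claim": "groups",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed, unsigned token for local inspection only (placeholder signature).
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",
])


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_identity(claims: dict, cfg: dict):
    """Username and groups kube-apiserver derives from the claims.

    Follows the documented defaulting: with --oidc-username-prefix unset and a
    username claim other than 'email', the prefix is '<issuer-url>#'; the
    value '-' disables prefixing. Groups get no prefix unless one is set.
    """
    username_claim = cfg.get("oidc-username-claim", "sub")
    prefix = cfg.get("oidc-username-prefix")
    if prefix is None:
        prefix = "" if username_claim == "email" else cfg["oidc-issuer-url"] + "#"
    elif prefix == "-":
        prefix = ""
    username = prefix + str(claims.get(username_claim, ""))

    groups = []
    groups_claim = cfg.get("oidc-groups-claim")
    if groups_claim and groups_claim in claims:
        gprefix = cfg.get("oidc-groups-prefix", "")
        gprefix = "" if gprefix == "-" else gprefix
        raw = claims[groups_claim]
        groups = [gprefix + g for g in ([raw] if isinstance(raw, str) else raw)]
    return username, groups


def check_token_against_apiserver(claims: dict, cfg: dict, now=None) -> list:
    """Reasons the API server would fail *authentication* (HTTP 401) for this token."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["oidc-issuer-url"]:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {cfg['oidc-issuer-url']!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if cfg["oidc-client-id"] not in auds:
        problems.append(f"aud {auds!r} does not contain --oidc-client-id {cfg['oidc-client-id']!r}")
    if "exp" in claims and claims["exp"] < now:
        problems.append(f"token expired (exp {claims['exp']} is in the past)")
    username_claim = cfg.get("oidc-username-claim", "sub")
    if username_claim not in claims:
        problems.append(f"username claim {username_claim!r} missing from token")
    return problems


if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for p in check_token_against_apiserver(claims, ASSUMED_APISERVER_FLAGS) or ["no authentication mismatch found"]:
        print("-", p)
    user, groups = effective_identity(claims, ASSUMED_APISERVER_FLAGS)
    print("RBAC subject to bind: user", user, "groups", groups)
```

A 401 "Unauthorized" comes from the authenticator, so the useful comparisons are issuer URL (byte-for-byte, including the Okta authorization-server path), audience against the client id, expiry, and the presence of the username claim; a token that authenticates but hits a binding for the wrong subject name gives 403 "Forbidden" instead. The effective username printed at the end is what a RoleBinding or ClusterRoleBinding must name when "sub" is the username claim, since the default prefix makes it "<issuer-url>#<sub>" rather than the bare "sub" value.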