This deployment follows Dex by CoreOS & Kubernetes Documentations:

• Kubernetes OIDC Doc
• Dex by CoreOS
• Login App

• DNS entries: (Since this configuration uses NodePort, these can be CNAMEs to your kubernetes nodes)

  • dex-k8s.example.org --> Dex OIDC provider
  • login-k8s.example.org --> Custom Login Application
  • dashboard-k8s.example.org --> Custom Login to kubernetes dashboard

• Kubernetes cluster available with the following requirements:

  • RBAC enabled
  • OIDC authentication enabled. API server configuration:

    • --oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint

    • --oidc-client-id=loginapp: ID for our Login Application

    • --oidc-ca-file=/etc/kubernetes/ssl/ca.pem: CA file of root certificate with intermediate servers if they exist. This file should be accessible from all kubernetes apiservers.

    • --oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.

    • --oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.

    • --oidc-username-prefix: Prefix prepended to username claims to prevent clashes with existing names (such as system: users). For example, the value oidc: will create usernames like oidc:jane.doe. If this flag isn’t provided and --oidc-user-claim is a value other than email the prefix defaults to ( Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value - can be used to disable all prefixing.

    • --oidc-groups-prefix:Prefix prepended to group claims to prevent clashes with existing names (such as system: groups). For example, the value oidc: will create group names like oidc:engineering and oidc:infra

    • You can add OIDC settings to kube-apiserver.yaml.

• An available LDAP server

• Create the auth namespace:

kubectl create ns auth

• Create self-signed SSL certs and secrets (make sure to update alt_names to match your domain)

./gencert.sh
kubectl create secret tls login.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth
kubectl create secret tls dex.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth

• Create resources:

We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as Dex storage backend.

kubectl create -f dex-crd.yml

• Create Dex resources:

# Dex configuration
kubectl create -f dex-cm.yml
# Dex service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml

• Create a LoginApp resources:

# CA ( ca.pem generated by gencert.sh) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App service
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml

Now assuming that you setup the DNS, this should work: try https://login.k8s.example.org:32002, login and retrieve k8s configuration.

• Create RBAC resource (assgin a group called "admins" cluster admin role):

kubectl create -f rbac.yml

Now copy paste the returned ~/.kube/config from loginapp and try:

kubectl get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m

You can also use id_token for signing on the k8s dashboard

kubectl -n=auth create -f keycloak-proxy-deploy.yaml
kubectl -n=auth create -f keycloak-proxy-svc.yaml 

kubectl -n=auth create -f kubernetes-dashboard-secure-SA.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-role.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-rolebinding.yaml 
kubectl -n=auth create -f kubernetes-dashboard-secure-deploy.yaml
kubectl -n=auth create -f kubernetes-dashboard-secure-svc.yaml

kubectl -n=auth create -f ingress-dashboard.yaml
kubectl -n=auth create -f ingress-rules.yaml