In the 1.3 release of Kubernetes, there are several features that ease a lot of toil that can come from administering a Kubernetes cluster. Two that stand out are the introduction of OpenID Connect (OIDC) as an authentication strategy, and Role Based Access-Control (RBAC) as an authorization plugin.
Below we'll walk through a short example of using RBAC to limit permissions, and using Google as an Identity Provider for OpenID Connect to authenticate users.
Role Based Access-Control
Taking advantage of Role Based Access-Control is a great way to lock down non-administrative and user and service accounts to have only the permissions that are required and reduce the damage of potential breaches.
As an example, say you have a namespace called web-app, and you have deployments you want managed by Jenkins, and you don't want Jenkins to have administrative access over your cluster.
With the following configuration, you could limit the Kubernetes permissions automatically granted to your Jenkins workers to only "deployments" objects in the web-app namespace, and access to the /version on the Kubernetes api server.
OpenID Connect Authentication
If you are an administrator of a Kubernetes cluster and you have coworkers who need access to Kubernetes, you are most likely creating x509 certificates for access, using a static token CSV file, or static password CSV file. If you're using one of the last two options, that means you are restarting the server whenever adding, removing, or modifying a user or password.
The Kubernetes documentation (as of 1.3) mentions using OpenID Connect Tokens for cluster access, but it does not provide much help on implementing it with any specific Identity Provider. One provider mentioned in the docs is Google, so here is an example of using Google as your Identity Provider.
First you must create an project in the Google Cloud Console, and add an OAuth 2.0 credential to it. You can generally follow this guide, but make sure to not create credentials for a web application. You must select "Other" as the application type.
When the credentials are created, you can download it as a JSON file, this is an easier way to manage the client-secret and client-id. After the credential is created, you'll need to add the following flags and restart your kube-apiserver.
The setup for users to get the OpenID Connect tokens is a bit tedious, so we created a small k8s-oidc-helper utility to correctly fetch the tokens. All a user needs to do is give the tool the application credentials you received from Google, and it will open the browser to the OAuth approval page.
Once approved, Google will supply a code that the utility will use to retrieve an id-token and refresh-token from Google. The configuration that kubectl requires will be printed to the terminal. Add this to your ~/.kube/config file and authenticate to Kubernetes!
