18. Cafe: Kubernetes authentication and authorization with user management and RBAC
Highlights
We are learning how to deploy Kubernetes into Hetzner cloud in this series:
- Provisioned the server and agent VMs with Terraform and Ansible in the first session
- Deployed k3s last week
- Learned about pods and the Hetzner load balancer
- Ingress controller for load balancer cost savings
We’ll take a break from deploying a Kubernetes cluster this week, and get to know Kubernetes user authentication and authorization from Niclas Mietz.
- Authentication with kubectl in general
- Creating X509 Client Cert for Authentication
- Use of the X509 Client Cert with kubectl
- Role based access control (RBAC) with Kubernetes docs
- The Cluster prefix makes a role cluster-wide, while a role binding is exclusive to a namespace, docs
- Switching the Authentication Strategy from X509 Client Cert to OpenID Connect
- Using OpenID tokens, and using Identity Providers (IDPs), docs
- Using GitLab as OpenID Connect identity provider (IdP)
- Kubernetes Authentication Through Dex as OpenID Proxy
- Start to configure the k3s API server with --oidc flags
- Steps for Repeating
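Added example (not from the session or its slides) of the RBAC point above: Kubernetes takes the user name from the client certificate's Subject CN and the groups from its O field, so a cert with CN=jane, O=developers (assumed identity) can be bound with a namespaced RoleBinding and a cluster-wide ClusterRoleBinding. The namespace "demo" and all names are made up for this example.

```yaml
# Assumed client cert: CN=jane, O=developers, signed by the cluster CA.
# A Role is namespaced: it can only grant permissions inside "demo".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# A RoleBinding is also namespaced: jane may read pods in "demo" only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-pod-reader
  namespace: demo
subjects:
- kind: User
  name: jane            # matches the certificate CN
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# The Cluster prefix makes the role cluster-wide. The binding decides the
# reach: a ClusterRoleBinding grants it everywhere, whereas binding the same
# ClusterRole with a RoleBinding would limit it to that binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-node-reader
subjects:
- kind: Group
  name: developers      # matches the certificate O field
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests, the effective scope can be checked without the certificate via impersonation, e.g. `kubectl auth can-i get pods --namespace demo --as jane` (yes) versus `kubectl auth can-i get pods --namespace kube-system --as jane` (no).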
Next week, we’ll look into:
- OpenID Connect configuration of the API server with Dex and GitLab, continued.
- Hetzner storage volumes
Future ideas touch monitoring with Prometheus, GitLab CI/CD deployments and much more :)
Insights
Recording
Enjoy the session! 🦊
Written by: Michael Friedrich