
okta-kubectl-auth's Introduction

Okta auth plugin for kubectl

Setup

Okta

For instructions on how to set up an Okta application that uses the OIDC flow to expose user groups as JWT claims, refer to okta-setup.

okta-kubectl-auth

Once you have compiled and installed okta-kubectl-auth and created your Okta application, you can use it to authenticate:

  • In the Okta console, browse to your application and on the General tab, copy your application's ClientID and Client secret
  • Browse to Security, API and copy the Issuer URI from your authorisation server

We can now run okta-kubectl-auth as follows:

okta-kubectl-auth --client-id=<client-id> --client-secret=<client-secret> --base-domain=<issuer-uri>

Follow the instructions printed by okta-kubectl-auth to complete the setup process.

kubectl

okta-kubectl-auth will output the required kubectl configuration after authentication.

apiserver

okta-kubectl-auth will output the required apiserver configuration flags after authentication. For further details, refer to the Kubernetes documentation here.

Add RBAC rules

For details on using RBAC resources in Kubernetes, refer to the Kubernetes documentation here. Note that if you configure the apiserver with the flags output by okta-kubectl-auth, the username and group attributes associated with each request will be prefixed with okta:, so RBAC subjects must use the prefixed names (for example a User named okta:<email> or a Group named okta:<group>).

Other resources

okta-kubectl-auth's People

Contributors

baelish, jetstack-bot, simonswine


okta-kubectl-auth's Issues

Support refresh tokens

We should be able to use refresh_token to renew the id_token using okta

That refresh token needs to be stored somewhere in the user/kube directory and should be updated with every refresh

0.12.0 panics after updating to OSX Monterey

Unsure if this is more widespread or if I was just doing something wrong, but I got go panics when trying to run the 0.12.0 darwin binary that looked like

okta-kubectl-auth
fatal error: runtime: bsdthread_register error

runtime stack:
runtime.throw(0x144a235, 0x21)
/home/christian/.golang/go/src/runtime/panic.go:616 +0x81 fp=0x7ff7bfef66c8 sp=0x7ff7bfef66a8 pc=0x1028ef1
runtime.goenvs()
/home/christian/.golang/go/src/runtime/os_darwin.go:129 +0x83 fp=0x7ff7bfef66f8 sp=0x7ff7bfef66c8 pc=0x1026a73
runtime.schedinit()
/home/christian/.golang/go/src/runtime/proc.go:501 +0xd6 fp=0x7ff7bfef6760 sp=0x7ff7bfef66f8 pc=0x102b7e6
runtime.rt0_go(0x7ff7bfef6798, 0x1, 0x7ff7bfef6798, 0x0, 0x1000000, 0x1, 0x7ff7bfef7d48, 0x0, 0x7ff7bfef7d5a, 0x7ff7bfef7d75, ...)
/home/christian/.golang/go/src/runtime/asm_amd64.s:252 +0x1f4 fp=0x7ff7bfef6768 sp=0x7ff7bfef6760 pc=0x10512f4

There was some discussion on other projects about this potentially being related to older versions of go and/or anti-virus. After downloading the source and building a darwin binary locally it ran just fine, so I assume there have been some dependency/language version updates since the last release in 2018. It might be worthwhile to get a new version of the project released for ease of access in automated processes that just pull the pre-compiled binary.

Can't see groups from Kubernetes

Hello @simonswine! Thanks for writing this tool. For some reason I can't see the groups on the Kubernetes side from okta. I've double-checked the configuration following your docs and everything looks fine. I've tested the response from Okta and I see the groups in there:

[Screenshot 2020-01-16 17:26:57: Okta response showing the groups claim]

But when I try to run a kubectl command, the groups are not present:

kube-apiserver-ip-10-80-24-218.ec2.internal kube-apiserver I0116 20:11:31.023926 1 rbac.go:118] RBAC DENY: user "okta:[email protected]" groups ["system:authenticated"] cannot "list" resource "pods" in namespace "default"

If I create a clusterrolebinding using okta:[email protected] it works fine, but if I want to use a Group, it doesn't work. This makes sense, as Kubernetes can't see the groups I belong to:

# cluster-role.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: managers
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

# cluster-rolebinding-user.yaml
# This works fine
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: okta-pablo
subjects:
- kind: User
  name: okta:[email protected]
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: managers
  apiGroup: ""

# cluster-rolebinding-group.yaml
# this doesn't work
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: okta-sre
subjects:
- kind: Group
  name: okta:SRE
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: managers
  apiGroup: ""

Could it be related to #3?
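The README's prefix rule and the "groups not present" symptom in this issue come down to how the apiserver turns id_token claims into a username and group list. The following Go program is an added example (not part of okta-kubectl-auth or Kubernetes) that decodes a constructed id_token, applies the claim-name and okta: prefix settings the way the apiserver's --oidc-username-claim/--oidc-username-prefix/--oidc-groups-claim/--oidc-groups-prefix flags do, and shows that a token without a groups claim yields no groups, which is exactly what the RBAC DENY line above reports. The function and type names, the sample token and the email address are assumptions of this example; it reads claims only and does not verify the signature, so it is a diagnostic for claim mapping, not an authenticator.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// OIDCMapping mirrors the kube-apiserver flags --oidc-username-claim,
// --oidc-username-prefix, --oidc-groups-claim and --oidc-groups-prefix.
type OIDCMapping struct{ UsernameClaim, UsernamePrefix, GroupsClaim, GroupsPrefix string }

// ClaimsFromIDToken decodes the payload segment of a JWT WITHOUT verifying
// the signature: it only shows which claims the token carries. Signature and
// issuer checks stay with the apiserver; never make authz decisions from this.
func ClaimsFromIDToken(idToken string) (map[string]interface{}, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

// MapClaims applies the README's prefix rule: the username claim and every
// entry of the groups claim get the configured prefix (e.g. "okta:"). A token
// without the groups claim maps to zero groups, so a Group binding never matches.
func MapClaims(claims map[string]interface{}, m OIDCMapping) (user string, groups []string, err error) {
	name, _ := claims[m.UsernameClaim].(string)
	if name == "" {
		return "", nil, fmt.Errorf("username claim %q missing from id_token", m.UsernameClaim)
	}
	gs, _ := claims[m.GroupsClaim].([]interface{})
	for _, g := range gs {
		if s, ok := g.(string); ok {
			groups = append(groups, m.GroupsPrefix+s)
		}
	}
	return m.UsernamePrefix + name, groups, nil
}

func main() {
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"email":"pablo@example.com","groups":["SRE"]}`)) // constructed sample
	claims, _ := ClaimsFromIDToken("eyJhbGciOiJSUzI1NiJ9." + payload + ".sig")          // dummy signature
	user, groups, _ := MapClaims(claims, OIDCMapping{"email", "okta:", "groups", "okta:"})
	fmt.Println(user, groups) // okta:pablo@example.com [okta:SRE]
}
```

If a real token's decoded payload lacks the claim named by --oidc-groups-claim, the fix is on the Okta side (the authorization server must include the groups claim in the id_token), not in the RBAC bindings.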

okta-kubectl-auth crashes without any parameters

We should verify that base-domain, client-id and client-secret are supplied and valid

./okta-kubectl-auth 
panic: Failed to query provider "": Get /.well-known/openid-configuration: unsupported protocol scheme ""

goroutine 1 [running]:
github.com/jetstack/okta-kubectl-auth/pkg/okta.(*Okta).provider(0xc420154000, 0xc420132340)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/pkg/okta/okta.go:124 +0x20f
github.com/jetstack/okta-kubectl-auth/pkg/okta.(*Okta).offlineAsScope(0xc420154000, 0xc4200ca240)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/pkg/okta/okta.go:139 +0x49
github.com/jetstack/okta-kubectl-auth/pkg/okta.(*Okta).Authorize(0xc420154000, 0x0, 0x834c50, 0x4)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/pkg/okta/okta.go:176 +0xcc
github.com/jetstack/okta-kubectl-auth/cmd.glob..func1(0xa785e0, 0xa9b1a8, 0x0, 0x0, 0x0, 0x0)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/cmd/root.go:29 +0x48
github.com/jetstack/okta-kubectl-auth/vendor/github.com/spf13/cobra.(*Command).execute(0xa785e0, 0xc4200a6190, 0x0, 0x0, 0xa785e0, 0xc4200a6190)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/vendor/github.com/spf13/cobra/command.go:756 +0x468
github.com/jetstack/okta-kubectl-auth/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xa785e0, 0x19, 0xc42006ff58, 0x75be71)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/vendor/github.com/spf13/cobra/command.go:846 +0x30a
github.com/jetstack/okta-kubectl-auth/vendor/github.com/spf13/cobra.(*Command).Execute(0xa785e0, 0xc420096058, 0x0)
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/vendor/github.com/spf13/cobra/command.go:794 +0x2b
github.com/jetstack/okta-kubectl-auth/cmd.Execute()
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/cmd/root.go:39 +0x2d
main.main()
	/home/christian/.golang/packages/src/github.com/jetstack/okta-kubectl-auth/main.go:8 +0x20
