github/kubelogin
1
0
Fork 0
mirror of https://github.com/int128/kubelogin.git synced 2026-05-08 17:06:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d4b5e511bbbb7cf08942fa961372afc8d6d6d505
kubelogin/docs/google.md
Hidetake Iwata 7e1e6a096b Refactor docs
2018-10-15 15:52:52 +09:00

2.7 KiB
Raw Blame History

Getting Started with Google Identity Platform

Prerequisite

  • You have a Google account.
  • You have the Cluster Admin role of the Kubernetes cluster.
  • You can configure the Kubernetes API server.
  • kubectl and kubelogin are installed to your computer.

1. Setup Google API

Open Google APIs Console and create an OAuth client with the following setting:

  • Application Type: Other

2. Setup Kubernetes API server

Configure your Kubernetes API Server accepts OpenID Connect Tokens.

kops

If you are using kops, run kops edit cluster and append the following settings:

spec:
  kubeAPIServer:
    oidcIssuerURL: https://accounts.google.com
    oidcClientID: YOUR_CLIENT_ID.apps.googleusercontent.com

3. Setup Kubernetes cluster

Here assign the cluster-admin role to you.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oidc-admin-group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: User
  name: https://accounts.google.com#1234567890

You can create a custom role and assign it as well.

4. Setup kubectl

Configure kubectl for the OIDC authentication.

kubectl config set-credentials NAME \
  --auth-provider oidc \
  --auth-provider-arg idp-issuer-url=https://accounts.google.com \
  --auth-provider-arg client-id=YOUR_CLIENT_ID.apps.googleusercontent.com \
  --auth-provider-arg client-secret=YOUR_CLIENT_SECRET

5. Run kubelogin

Run kubelogin.

% kubelogin
2018/08/10 10:36:38 Reading .kubeconfig
2018/08/10 10:36:38 Using current context: hello.k8s.local
2018/08/10 10:36:41 Open http://localhost:8000 for authorization
2018/08/10 10:36:45 GET /
2018/08/10 10:37:07 GET /?state=...&session_state=...&code=ey...
2018/08/10 10:37:08 Updated .kubeconfig

Now your ~/.kube/config should be like:

users:
- name: hello.k8s.local
  user:
    auth-provider:
      config:
        idp-issuer-url: https://accounts.google.com
        client-id: YOUR_CLIENT_ID.apps.googleusercontent.com
        client-secret: YOUR_SECRET
        id-token: ey...       # kubelogin will update ID token here
        refresh-token: ey...  # kubelogin will update refresh token here
      name: oidc

Make sure you can access to the Kubernetes cluster.

% kubectl get nodes
NAME                                    STATUS    ROLES     AGE       VERSION
ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
Reference in New Issue View Git Blame Copy Permalink