OIDC login

[CodeGlitcher]

HI
For v6 of kubernetes dashboard, we have a oauth2-proxy in front of the applicaties.
The proxy makes sure the user has logged in en passes the bearer token to the request to kubernetes dashboard application.
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/README.md#authorization-header

We have tried to upgrade to v7, but many things have changed.
No matter what we do, we only get the default login screen.

we have tried:
with kong disabled.
point oauth2-proxy upstream to kubernetes-dashboard-web service.

with kong enabled:
point oauth2-proxy upgrade to kubernetes-dashboard-web service.
point oauth2-proxy upgrade to kong-proxy service.

The login flow still work, but the upstream only show the k8s login.

I did now see
Auth container
Authentication logic is now handled by the new dashboard auth container. Currently, it only exposes /login endpoint. We will also add support for OIDC with OAuth flow and /me endpoint in the future.
Added csrf-key argument - Base64 encoded random 256 bytes key. Can be loaded from CSRF_KEY environment variable.

Does this mean oidc is not yet supported for dashboard v7?

[mrled]

I'm having trouble with this too, with oauth2-proxy and kubernetes-dashboard 7.x. Once I log in to my OIDC provider and it redirects me back to kubernetes-dashboard, it shows the default login screen asking for a bearer token in an HTML form. I can see an authorization header that contains a bearer token, as well as an x-auth-request-email header containing my email address, in the response headers. What do I need to do to get OIDC working with the dashboard?

[floreks]

How did you configure everything? As long as the frontend gets Authorization: Bearer token header it should skip the login view.

[mrled]

Here's my configuration:

• Traefik IngressRoute that goes from Traefik Middleware to oauth2-proxy service
• Middleware that adds an Authorization header
• oauth2-proxy service with http://kubernetes-dashboard-kong-proxy set as the upstream

I'm using Dex as my OIDC provider, which is working, as this configuration redirects to Dex when not logged in. After logging in to Dex, it shows the dashboard bearer token HTML form as mentioned, and the response headers have an authorization header and an email header with the logged in user.

I'm using a Helm deployment of the dashboard with kong HTTP enabled.

I'm using this config, but I've scrubbed out some DNS names.

Manifest YAML

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kubernetes.example.com`)
    kind: Rule
    services:
    - name: oauth2-proxy
      port: 80
    middlewares:
    - name: forward-auth-headers
      namespace: kubernetes-dashboard
  tls:
    secretName: cert-wildcard-backing-secret
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth-headers
  namespace: kubernetes-dashboard
spec:
  headers:
    customRequestHeaders:
      Authorization: "Authorization"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
        args:
        - --http-address=0.0.0.0:4180
        - --https-address=0.0.0.0:4443
        - --metrics-address=0.0.0.0:44180
        - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
        - --standard-logging=true
        - --request-logging=true
        - --auth-logging=true
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: client-id
              name: oauth2-proxy-secret
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: client-secret
              name: oauth2-proxy-secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              key: cookie-secret
              name: oauth2-proxy-secret
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        ports:
        - containerPort: 4180
          name: http
          protocol: TCP
        - containerPort: 44180
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /ready
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 2000
          runAsNonRoot: true
          runAsUser: 2000
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
          name: configmain
          subPath: oauth2_proxy.cfg
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: oauth2-proxy-cfg
        name: configmain
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy-cfg
  namespace: kubernetes-dashboard
data:
  oauth2_proxy.cfg: |
    # Accept any emails passed to us by the auth provider
    email_domains = [ "*" ]
    # The kubernetes-dashboard service in the same namespace
    upstreams = [ "http://kubernetes-dashboard-kong-proxy" ]
    provider = "oidc"
    provider_display_name = "oidc provider"
    redirect_url = "https://kubernetes.example.com/oauth2/callback"
    oidc_issuer_url = "https://dex.example.com"
    scope = "openid email groups"
    cookie_secure = true
    cookie_httponly = true
    skip_provider_button = true
    session_store_type = "cookie"
    cookie_refresh = "15m"
    set_xauthrequest = true
    set_authorization_header = true
    set_basic_auth = false
    pass_access_token = true
    silence_ping_logging = true
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: kubernetes-dashboard
  labels:
    app: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 4180
    protocol: TCP
  - name: metrics
    port: 44180
    targetPort: 44180
    protocol: TCP

A screenshot of the dashboard bearer token form after logging in with dev tools open

[mrled]

Anything in particular I should look at? Or are there any known-working examples I could use to try to figure out what I've done wrong with this? Any help appreciated.

[CodeGlitcher]

I dont have a ready example available.
But in my setup I have oauth2 proxy configure with: pass_authorization_header="true".
So only the Authorization: Bearer token header should be passed.
I deployed the Kubernetes dashboard v7 with the example helm chart.
And then I tried different services as the upstream for the oauth2 proxy.
But from your reaction it is expected to work?

Do I then enable kong or not (still dont really get why it is needed) and with service I should use as the upstream?
Then I can setup a new test environment

[floreks]

Ideally, I think you would have ingress that exposes Dashboard and configure oauth2 upstream to point to the external ingress address. Then it should add the Authorization: Bearer <token> header and once the frontend sees it, it will use it and skip the login view.

[cnwaldron]

Has anyone found a solution for this? I have oauth2-proxy working with the kubernetes dashboard with Kong enabled and ingress-nginx however I can't seem to get this to work when Traefik is the ingress controller.

[Javex]

I think I found a working solution, if it helps anyone. I was also struggling with the fact that my authentication attempts were always rejected, but my "regular" admin token worked. I believe the final culprit in my case (don't ask me why) was that I needed to point oauth2-proxy at the kong gateway, not at the individual services behind it. I'll share my full solution though, in case you have issues elsewhere:

oauth2_proxy.cfg

email_domains = [ "*" ]
reverse_proxy = true
ssl_upstream_insecure_skip_verify = true
upstreams = ["https://kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local:443"]
pass_authorization_header = true
provider = "oidc"
provider_display_name = "Authentik"
oidc_issuer_url = "https://auth.example.com/application/o/kubernetes-dashboard/"

Note here that I set the https URL and specified ssl_upstream_insecure_skip_verify = true. This was the final change that made it work.

Cluster Role Binding for user

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: User
  name: https://auth.example.com/application/o/kubernetes-dashboard/#<sub>
  apiGroup: rbac.authorization.k8s.io

Note that you need the full URL for the user here. I haven't done group based RBAC yet. The <sub> part at the end needs to be replaced with the sub value of your OIDC token.

HTTPRoute (Gateway API using Traefik)

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
spec:
  parentRefs:
    - name: traefik-gateway
      namespace: traefik
  hostnames:
    - k8s-dashboard.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: oauth2-proxy
          port: 80

Kube API server args

    - --oidc-client-id=<iss>
    - --oidc-issuer-url=https://auth.example.com/application/o/kubernetes-dashboard/

Note that the issuer URL must match the ClusterRoleBinding and that <iss> needs to be the content of your OIDC JWT.

If you are troubleshooting this and can't get it to work, I suggest doing it piece by piece:

• Use private browser mode, start fresh every time or a cookie set by the dashboard might mess with your diagnosis.
• Make sure the token works at all, by using https://github.com/int128/kubelogin which runs locally. If you can't get that to work, fix it first. I highly recommend using the same OIDC provider for local auth here and setting two redirect URLs in your IdP (one pointing at http://localhost:8000).
• Use the OIDC login tool to get yourself a token on the terminal via kubectl oidc-login get-token. That way you can inspect the contents of the token and use it in later steps.
• Use kubectl port-forward -n kubernetes-dashboard svc/kubernetes-dashboard-kong-proxy 8443:443 to interact with the dashboard directly. Try both the working token you get from kubectl -n kubernetes-dashboard create token admin-user and the one for OIDC. If the regular admin token doesn't work then it's not the OIDC issue you need to fix.
• Use kubectl port-forward -n kubernetes-dashboard svc/oauth2-proxy 8080:80 to debug if it's the oauth proxy config (no reverse proxy in front). You need to allow another redirect URL in your IdP: http://localhost:8080/oauth2/callback. Also set redirect_url = "http://localhost:8080/oauth2/callback" in oauth2_proxy.cfg (or it will try https otherwise).
• Finally check again with the reverse proxy in front.
• Keep in mind that my issuer URL looks that way because I use Authentik. If you have a different IdP, your URL will look different, as issuer URLs aren't standardised.

Through all of this, using curl can be helpful on the console:

curl 'https://k8s-dashboard.example/api/v1/login' -H 'content-type: application/json; charset=utf-8' -H "X-CSRF-TOKEN: $(curl 'https://k8s-dashboard.example.com/api/v1/csrftoken/login' | jq .token -r)" -d '{"token": "<JWT TOKEN>"}'

You can point it at localhost, too, just make sure replace both URLs and insert the token you want to test. Look at the error message, if it says something about CSRF fix the header first.