Kube-apiserver and oidc

Jose_Gato_Luis · March 11, 2021, 1:24pm

Hi there,
I have a cluster deployed with rancher 2.0 and everything goes ok. I can configure my users and kubeconfigs to manage the cluster.
Now I would like to use an Oauth2 provider to give these users access to the cluster. After reading some documentation, I have my keycloak and client ready to be used by Kuberentes.
In theory I should make something like:

kube-apiserver  --oidc-issuer-url=KEYCLOAK_REALM_PROVIDER_URL  \
                          --oidc-client-id=Kubernetes  \
                          --oidc-username-claim=name \
                          --oidc-ca-file=/tmp/ca.pem

But I have this estrange error:

W0311 14:13:11.683745  165882 services.go:37] No CIDR for service cluster IPs specified. Default value which was 10.0.0.0/24 is deprecated and will be removed in future releases. Please specify it using --service-cluster-ip-range on kube-apiserver.
Error: error creating self-signed certificates: mkdir /var/run/kubernetes: permission denied

Why this error about creating a self-signed certificate?. The certificate I am using is an authorized one.

Jose_Gato_Luis · March 12, 2021, 1:40pm

ok, big mistake, kube-apiserver is not a command to interact with the kube-apiserver of your cluster. But I had that command in my computer (by mistake), and I thought I could use it to change the configuration of my Rancher Cluster.

So kube-apiserver is running inside one container deployed by rancher. How can I modify this to add these extra params:

--oidc-issuer-url=KEYCLOAK_REALM_PROVIDER_URL  \
                          --oidc-client-id=Kubernetes  \
                          --oidc-username-claim=name \
                          --oidc-ca-file=/tmp/ca.pem

superseb · March 14, 2021, 2:36pm

See Rancher Docs: Cluster Configuration

Jose_Gato_Luis · March 15, 2021, 12:56pm

thanks,
but there can I overwrite the command params, similar to this:

spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=172.17.17.101
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --disable-admission-plugins=PersistentVolumeLabel
    - --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --oidc-issuer-url=https://10.100.5.78:9443/oauth2/oidcdiscovery
    - --oidc-client-id=H1Vt_n8eRyKzu1EBzwfXVirQIfga
    - --oidc-ca-file=/etc/kubernetes/oidc-ca/yay.pem
    - --oidc-groups-claim=groups
    - --oidc-username-claim=sub

Is there any way, I can edit the manifest file in the host to modify that? to make the kube-apiserver command to be executed with some extra parameters?

superseb · March 15, 2021, 1:14pm

Yes the provided link contains links to examples, such as Rancher Docs: Extra Args, Extra Binds, and Extra Environment Variables

Jose_Gato_Luis · March 15, 2021, 1:50pm

ok, but not sure how I shouls use extraargs, I am trying:

extra_args:
- --oidc-issuer-url="https://keycloak.foo.bar/realm/realm-example"  
- --oidc-client-id="client-example"  
- --oidc-username-claim="name"

but then, if I inspect the kube-apiserver container, the command execution does not have this extra args.

Jose_Gato_Luis · March 15, 2021, 4:30pm

Ok, it worked in that way:

      extra_args:
        oidc-issuer-url: "https://keycloak.foo.bar/realm/realm-test"  
        oidc-client-id: "client_id"  
        oidc-username-claim: "email"

Is there any way of doing the same, but not using Rancher Dashboard? Something with commandline, kubectl?

mdmunazir · April 27, 2021, 11:36am

Hi Jose,
I am trying to configure keycloak for kubectl.
Can you please help me out how you solve this.

I am using Rancher 2.5

Topic		Replies	Views
Kubectl oidc-login to cluster with keycloak	0	485	April 27, 2021
Authorized cluster endpoint setup? Rancher	10	7946	May 8, 2020
Rancher 2.0 API Rancher 2.0 Tech Preview	0	2817	July 3, 2018
Unable to set up Keycloak authentication via OIDC Rancher	1	2573	July 8, 2021
Certificate problems with keycloak Rancher	5	2468	May 16, 2022

Kube-apiserver and oidc

Related topics