kubeadm: Clusters built with kubeadm don't support basic auth

From @kelseyhightower on October 25, 2016 18:15

Some people are having trouble authenticating to the Kubernetes dashboard when the cluster is built with kubeadm. Seems like the deployed api server does not support basic auth, which makes it impossible to hit the Dashboard UI without using kubectl proxy.

Copied from original issue: kubernetes/kubernetes#35536

About this issue

  • Original URL
  • State: closed
  • Created 8 years ago
  • Comments: 35 (15 by maintainers)

Most upvoted comments

dex v2 is ready to go and I am sure @ericchiang and @rithujohn191 would be excited to support this happening. They can’t hack directly on this at the moment as they are super busy with Dex itself but the entire system is designed to run trivially as a deployment on top of Kubernetes and this is what we do for Tectonic.

+2
philips on Nov 22, 2016

@smarterclayton I don’t think anyone is talking about lock-in here, Dex is just built on top of the bog standard OIDC integration in API server and kubectl that went into 1.3.

@pires Dex backs by Kubernetes TPRs and we could add an etcd backend but I feel like using TPRs is more correct.

+1
philips on Nov 23, 2016

Couple of “paths of exploration”. Also there is Keystone, Keycloak, and IAM integrations to consider.

One really useful point is ensuring some authentication and authorization can be local to a cluster (to isolate failure domains), while still being federated meaningfully.

+1
smarterclayton on Nov 22, 2016

I think having a couple of exploration to go down here makes sense. Dex is decoupled from Kube, the OpenShift OAuth server is partially decoupled but also has some integrations I think will be important in the long run. Being able to credibly integrate auth doesn’t necessarily mean locking into one solution.

+1
smarterclayton on Dec 1, 2016

Why not? This is a deeper issue, but, at the end of the day, if you have direct unfettered access to etcd you own the cluster. This only gets harder with HA.

Being a password managing product moves us into the territory of an authentication provider and that’s not the kind of product that I want to be. I’d prefer to use an authentication provider to get identity information. I don’t think that kube’s mission should expand to providing authentication and identity management solutions as part of administering container engines.

Making it easy to use an existing authentication provider: definitely. Maybe even choosing one as a “simple” default: possibly. Providing it as an in-tree option backed in the same persistent storage as our container orchestration: I don’t think this is reasonable.

+1
deads2k on Nov 22, 2016
Read more comments on GitHub
← kubeadm: cir-socket flag for kubeadm init does not override config value
kubeadm: Concurrent CP join race condition for etcd join →