OIDC login

[CodeGlitcher]

HI
For v6 of kubernetes dashboard, we have a oauth2-proxy in front of the applicaties.
The proxy makes sure the user has logged in en passes the bearer token to the request to kubernetes dashboard application.
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/README.md#authorization-header

We have tried to upgrade to v7, but many things have changed.
No matter what we do, we only get the default login screen.

we have tried:
with kong disabled.
point oauth2-proxy upstream to kubernetes-dashboard-web service.

with kong enabled:
point oauth2-proxy upgrade to kubernetes-dashboard-web service.
point oauth2-proxy upgrade to kong-proxy service.

The login flow still work, but the upstream only show the k8s login.

I did now see
Auth container
Authentication logic is now handled by the new dashboard auth container. Currently, it only exposes /login endpoint. We will also add support for OIDC with OAuth flow and /me endpoint in the future.
Added csrf-key argument - Base64 encoded random 256 bytes key. Can be loaded from CSRF_KEY environment variable.

Does this mean oidc is not yet supported for dashboard v7?

[mrled]

I'm having trouble with this too, with oauth2-proxy and kubernetes-dashboard 7.x. Once I log in to my OIDC provider and it redirects me back to kubernetes-dashboard, it shows the default login screen asking for a bearer token in an HTML form. I can see an authorization header that contains a bearer token, as well as an x-auth-request-email header containing my email address, in the response headers. What do I need to do to get OIDC working with the dashboard?

[floreks]

How did you configure everything? As long as the frontend gets Authorization: Bearer token header it should skip the login view.

[mrled]

Here's my configuration:

• Traefik IngressRoute that goes from Traefik Middleware to oauth2-proxy service
• Middleware that adds an Authorization header
• oauth2-proxy service with http://kubernetes-dashboard-kong-proxy set as the upstream

I'm using Dex as my OIDC provider, which is working, as this configuration redirects to Dex when not logged in. After logging in to Dex, it shows the dashboard bearer token HTML form as mentioned, and the response headers have an authorization header and an email header with the logged in user.

I'm using a Helm deployment of the dashboard with kong HTTP enabled.

I'm using this config, but I've scrubbed out some DNS names.

Manifest YAML

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kubernetes.example.com`)
    kind: Rule
    services:
    - name: oauth2-proxy
      port: 80
    middlewares:
    - name: forward-auth-headers
      namespace: kubernetes-dashboard
  tls:
    secretName: cert-wildcard-backing-secret
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth-headers
  namespace: kubernetes-dashboard
spec:
  headers:
    customRequestHeaders:
      Authorization: "Authorization"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
        args:
        - --http-address=0.0.0.0:4180
        - --https-address=0.0.0.0:4443
        - --metrics-address=0.0.0.0:44180
        - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
        - --standard-logging=true
        - --request-logging=true
        - --auth-logging=true
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: client-id
              name: oauth2-proxy-secret
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: client-secret
              name: oauth2-proxy-secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              key: cookie-secret
              name: oauth2-proxy-secret
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        ports:
        - containerPort: 4180
          name: http
          protocol: TCP
        - containerPort: 44180
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /ready
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 2000
          runAsNonRoot: true
          runAsUser: 2000
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
          name: configmain
          subPath: oauth2_proxy.cfg
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: oauth2-proxy-cfg
        name: configmain
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy-cfg
  namespace: kubernetes-dashboard
data:
  oauth2_proxy.cfg: |
    # Accept any emails passed to us by the auth provider
    email_domains = [ "*" ]
    # The kubernetes-dashboard service in the same namespace
    upstreams = [ "http://kubernetes-dashboard-kong-proxy" ]
    provider = "oidc"
    provider_display_name = "oidc provider"
    redirect_url = "https://kubernetes.example.com/oauth2/callback"
    oidc_issuer_url = "https://dex.example.com"
    scope = "openid email groups"
    cookie_secure = true
    cookie_httponly = true
    skip_provider_button = true
    session_store_type = "cookie"
    cookie_refresh = "15m"
    set_xauthrequest = true
    set_authorization_header = true
    set_basic_auth = false
    pass_access_token = true
    silence_ping_logging = true
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: kubernetes-dashboard
  labels:
    app: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 4180
    protocol: TCP
  - name: metrics
    port: 44180
    targetPort: 44180
    protocol: TCP

A screenshot of the dashboard bearer token form after logging in with dev tools open

[mrled]

Anything in particular I should look at? Or are there any known-working examples I could use to try to figure out what I've done wrong with this? Any help appreciated.

[CodeGlitcher]

I dont have a ready example available.
But in my setup I have oauth2 proxy configure with: pass_authorization_header="true".
So only the Authorization: Bearer token header should be passed.
I deployed the Kubernetes dashboard v7 with the example helm chart.
And then I tried different services as the upstream for the oauth2 proxy.
But from your reaction it is expected to work?

Do I then enable kong or not (still dont really get why it is needed) and with service I should use as the upstream?
Then I can setup a new test environment

[floreks]

Ideally, I think you would have ingress that exposes Dashboard and configure oauth2 upstream to point to the external ingress address. Then it should add the Authorization: Bearer <token> header and once the frontend sees it, it will use it and skip the login view.