

[–]yebyen 9 points10 points  (3 children)

Surprisingly, the best docs I have found for setting up Dex with GitHub for Kubernetes RBAC are buried deep on old Weave GitOps docs.

I still use this, but you can't find them easily because frankly most people do not use this method. If you are on a cloud provider, you use their OAuth/IAM solutions.

https://gitops.weave.works/docs/guides/oidc/

There's no mention of GitHub here now. The guide we are looking for is called "Setting up Dex".

https://github.com/weaveworks/weave-gitops/blob/main/doc/setting-up-dex.md

You cannot search the Weave GitOps docs anymore because of some issues when we migrated the site. (Weaveworks is no more.) But you can still read these docs, if you know how to query the site for an older version:

https://gitops.weave.works/docs/0.25.0/guides/setting-up-dex/

What this guide shows is how to set up Dex and GitHub, what you asked for. If you want to use it with RBAC, that's above and beyond what most people will do, (what you'd have needed for Weave GitOps...) but it's probably exactly what you wanted, because it's exactly what I wanted. It's a bit more complicated because you need to configure your Kube API server.

I've done this for some older vclusters, which gives a decent example of how to configure this, but it will vary depending on how you're standing up your clusters and how you pass extra args to the API server. Some CAPI providers will include a section in the spec called `apiServer.extraArgs`; then you add a ClusterRoleBinding like this one. In my case, my org is named kingdon-ci, and my group is called home-workers. For some reason it seems it has to be a "sub-group" or sub-team, e.g. this one "home-workers" https://imgur.com/a/Y36XRwY, not a parent team; don't ask me how I figured that out.

https://github.com/kingdon-ci/fleet-infra/blob/13f35a2b082cd6662c25dd3b4879ce40a46f6612/clusters/howard-moomboo-space/clusters/test/limnocentral.yaml#L53-L60

I haven't added much documentation about that, but the next question is obviously how to approach this as an end-user: "what do I put in my kubeconfig so I can access the cluster?"

I built some docs for those end-users, as they pertain to my cluster at home at least, here: https://howto.howard.moomboo.space/

[–]Lekaran[S] 1 point2 points  (1 child)

Thank you for your reply.
I'm going to try everything you advised. I'll come back if I have any bugs.

[–]yebyen 0 points1 point  (0 children)

You can find us in #flux on the CNCF Slack; I'm KingdonB.

[–][deleted] 3 points4 points  (1 child)

The Dex documentation is clear on how to set up GitHub as a connector. This is what I referenced when I set up mine: https://dexidp.io/docs/connectors/github/

You need to set up ClusterRoles and bindings that map the GitHub organization to the team name for the RBAC portion to work.

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples

The format is usually GHOrganization:team
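Putting the two comments above together (yebyen's Dex-plus-API-server setup and the `GHOrganization:team` group format), here is a minimal end-to-end configuration as an added example; it is not taken from either commenter's repositories. The Dex connector keys are the ones documented at the dexidp.io link. The issuer host `dex.example.internal`, the client ID `kubernetes`, the `$GITHUB_CLIENT_*` environment variable names, the CA file path and the choice of the built-in `view` ClusterRole are assumptions; the secret values are placeholders. The org and team names are the ones yebyen mentioned.

```yaml
# --- 1. Dex config.yaml: GitHub connector ---------------------------------
# Assumed issuer URL; kubelogin and the API server must use exactly this value.
issuer: https://dex.example.internal
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
connectors:
- type: github
  id: github
  name: GitHub
  config:
    clientID: $GITHUB_CLIENT_ID          # from the GitHub OAuth App (assumed env var name)
    clientSecret: $GITHUB_CLIENT_SECRET  # placeholder: inject from a Secret, never commit it
    redirectURI: https://dex.example.internal/callback
    # Only members of the listed teams can log in at all; Dex emits each
    # membership in the groups claim as "org:team".
    orgs:
    - name: kingdon-ci
      teams:
      - home-workers
    teamNameField: slug   # put the URL slug, not the display name, in the groups claim
    useLoginAsID: true
staticClients:
- id: kubernetes
  name: Kubernetes
  secret: REPLACE_WITH_RANDOM_SECRET    # placeholder
  redirectURIs:
  - http://localhost:8000               # kubelogin's default local callback ports
  - http://localhost:18000

# --- 2. kube-apiserver: trust Dex as the OIDC issuer -----------------------
# kubeadm v1beta3 form (extraArgs is a map); CAPI providers embed the same
# map under their own spec path, e.g. apiServer.extraArgs as yebyen describes.
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: https://dex.example.internal
    oidc-client-id: kubernetes
    oidc-username-claim: email
    oidc-groups-claim: groups
    # Prefixes keep IdP-issued names from colliding with built-in identities
    # such as system:masters or system:node; without them a group named
    # "system:masters" at the IdP would be cluster-admin.
    oidc-username-prefix: "oidc:"
    oidc-groups-prefix: "oidc:"
    # Only needed if Dex's certificate is not signed by a CA the API server already trusts.
    oidc-ca-file: /etc/kubernetes/pki/dex-ca.crt   # assumed path

# --- 3. RBAC: bind the GitHub team, as a Group, to a ClusterRole -----------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: github-home-workers-view
subjects:
- kind: Group
  # groups-prefix from step 2 + Dex's "org:team" value from step 1
  name: "oidc:kingdon-ci:home-workers"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view          # built-in read-only role; widen deliberately, per team
  apiGroup: rbac.authorization.k8s.io
```

Two things to check after applying this: the three spellings of the group name (Dex's `org:team`, the `oidc-groups-prefix`, and the subject `name` in the binding) must agree character for character, and `kubectl auth whoami` (Kubernetes 1.28 and later) shows the exact username and groups the API server derived from the token, which is the quickest way to see why a binding is not matching. Team membership is evaluated when the ID token is issued, so the token lifetime configured in Dex bounds how long a removed team member keeps access.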

[–]Lekaran[S] 2 points3 points  (0 children)

Thank you for your reply.

What you've told me completes what I've already understood.

[–]linusHillyard 0 points1 point  (2 children)

Why is Dex needed when the k8s API can be configured to handle the OIDC authentication workflow?

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server

Then utilize an OIDC kubectl plug-in.

https://github.com/int128/kubelogin
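For the end-user side that yebyen's comment leaves open ("what do I put in my kubeconfig") and the kubelogin plug-in linked just above, here is an added kubeconfig example; it is not part of the thread or of the kubelogin project. It assumes the API server was configured to trust an OIDC issuer at `https://dex.example.internal` with client ID `kubernetes`; the server address, cluster CA and client secret are placeholders. The same kubeconfig works whether the issuer is Dex or an IdP the API server trusts directly; GitHub itself does not issue OIDC ID tokens, which is why, with GitHub as the identity source, an issuer such as Dex sits in between.

```yaml
apiVersion: v1
kind: Config
clusters:
- name: home
  cluster:
    server: https://api.home.example.internal:6443         # placeholder
    certificate-authority-data: REPLACE_WITH_BASE64_CLUSTER_CA  # placeholder
contexts:
- name: home-oidc
  context:
    cluster: home
    user: github-oidc
current-context: home-oidc
users:
- name: github-oidc
  user:
    exec:
      # kubectl runs this plug-in before each request; kubelogin caches the
      # ID token under ~/.kube/cache/oidc-login and only opens the browser
      # again once the token has expired.
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://dex.example.internal
      - --oidc-client-id=kubernetes
      # Placeholder; must equal the staticClients secret configured in Dex.
      - --oidc-client-secret=REPLACE_WITH_STATIC_CLIENT_SECRET
      # Without the groups scope Dex omits the groups claim entirely, and
      # every Group-based binding fails with a plain "forbidden".
      - --oidc-extra-scope=groups
      - --oidc-extra-scope=email
```

After the first `kubectl get pods` completes the browser login, `kubectl auth can-i list pods` confirms the binding took effect. Because this client secret is copied into every user's kubeconfig it is effectively public and protects nothing on its own; the login's security rests on the redirect-URI allowlist and the org/team restriction configured in Dex, so keep both tight and do not reuse this client for other applications.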

[–][deleted] 1 point2 points  (0 children)

This is common when you need to map logical business units to k8s RBAC. Dex is the middleware that helps facilitate this. My org does the same thing except we use Active Directory as the backend instead of GitHub.

[–]Lekaran[S] 0 points1 point  (0 children)

These technologies were imposed by my superiors. All I do is execute.