Kubernetes Authentication using Dex and LDAP

You’re working with containers or orchestration environments, but that doesn’t mean that you want to manage user identities from your Kubernetes (k8s) cluster. Whether you’re a DevOps engineer or a software developer, you may have good reason to use an external source of identity for authentication instead.

By authenticating against an external source of identity, organizations can sync Kubernetes identities with their core credentials or simply use their identity provider to authenticate into K8s services. This streamlines access for users and lets IT manage everything from one pane of glass. These external identity providers can range from standard directory services (e.g. LDAP) to social platforms that use OAuth, such as Google.

In this article, we will briefly explain the integration paths and provide examples for integrating the Dex open source service with JumpCloud’s cloud-based LDAP service endpoint.

Overview

Before we begin, the reader should familiarize themselves with two key external resources which underpin this brief article. The first is Dex itself. Dex is an open source OIDC (OpenID Connect) authentication service launched by CoreOS. It provides an essential abstraction layer between other services (e.g. an app, a microservice, or a Kubernetes cluster itself) and sources of identity such as LDAP, Google, LinkedIn, etc.

The second is a great piece by Medium author Krishna, which was the inspiration for our piece and is a deep dive into integrating a Kubernetes-based service with JumpCloud’s cloud-based LDAP service.

Configuring Kubernetes to LDAP

In Krishna’s article, he lays out an extremely simple model to follow. His tutorial, offered on his GitHub repo, “Kubernetes – LDAP authentication with Dex”, establishes a Kubernetes environment, deploys a simple app and its associated services, “loginapp”, along with all of the Dex infrastructure needed for the app to authenticate against an LDAP service (JumpCloud in this case).
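To make the pieces above concrete, here is an illustrative Dex configuration with an LDAP connector pointed at a JumpCloud-style directory. This is an added example, not the configuration from Krishna’s repo or from JumpCloud; the issuer hostname, the `loginapp` client secret, the redirect URI, and the `ORG_ID` organization identifier are placeholders you would replace with your own values, and the Kubernetes storage backend is assumed.

```yaml
# Added example: a Dex config.yaml with a single LDAP connector.
# Placeholder values are marked <...>; nothing here is copied from the
# original post or from Krishna's repository.

issuer: https://dex.example.com:32000          # <placeholder> public URL of Dex; must match the API server's --oidc-issuer-url

storage:
  type: kubernetes                             # assumed: Dex keeps its state as CRDs in the cluster
  config:
    inCluster: true

web:
  https: 0.0.0.0:5556
  tlsCert: /etc/dex/tls/tls.crt                # serve OIDC over TLS only; kube-apiserver refuses plain-http issuers
  tlsKey: /etc/dex/tls/tls.key

connectors:
- type: ldap
  id: jumpcloud
  name: JumpCloud LDAP
  config:
    host: ldap.jumpcloud.com:636               # LDAPS port; keep the bind credential off the wire in clear text
    insecureNoSSL: false                       # do not fall back to plaintext LDAP
    insecureSkipVerify: false                  # verify the directory's certificate chain
    # Service account used only to search the directory. Use a least-privilege
    # bind user, not an admin, and inject the password from a Kubernetes Secret.
    bindDN: uid=<ldap-bind-user>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com
    bindPW: <from-secret>
    userSearch:
      baseDN: ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com
      filter: "(objectClass=inetOrgPerson)"
      username: uid                            # attribute the login form value is matched against
      idAttr: uid
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com
      filter: "(objectClass=groupOfNames)"
      userMatchers:
      - userAttr: DN                           # a user belongs to a group when the group's member attr holds the user DN
        groupAttr: member
      nameAttr: cn                             # group names surface in the token's "groups" claim

staticClients:
- id: loginapp                                 # the demo app from the post; the API server trusts tokens issued for this client id
  name: Login App
  secret: <client-secret-from-secret>          # <placeholder>; never commit the real value
  redirectURIs:
  - https://loginapp.example.com/callback      # <placeholder>; list exact URIs only, no wildcards
```

For the cluster to honour the tokens Dex issues, kube-apiserver is started with the matching flags (`--oidc-issuer-url`, `--oidc-client-id`, `--oidc-ca-file`, `--oidc-username-claim`, `--oidc-groups-claim`). The defensive settings to check in a review are the three TLS-related connector keys, that the bind DN is a read-only service account, and that the groups claim is what your RBAC RoleBindings reference, so that removing a user from a directory group actually removes cluster access.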

The interaction that is unpacked is roughly, though not precisely, the one shown in the sequence diagram below:

This article will not serve as the instructions for building out Krishna’s demo environment. We assume the reader has the skills to do (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Greg Keller. Read the original post at: https://jumpcloud.com/blog/kubernetes-auth-dex-ldap/