
I have a Kubernetes deployment on Azure (AKS), and I also deployed the k8s dashboard.

I've connected the k8s deployment to our Azure Active Directory (AAD) so we can use the kubectl command with our AAD login (steps here: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli).

I also want to be able to authenticate the dashboard through AAD. I deployed pusher oauth2_proxy (https://github.com/pusher/oauth2_proxy) in front of my server to achieve this.

My problem is: I can give the Kubernetes dashboard service account admin rights and use that token to authenticate. This means that everyone who authenticates against our AD will get full access rights. But I need to be able to filter permissions depending on the user logged in. In oauth2_proxy there is a flag, --pass-authorization-header (which adds "Authorization: Bearer TOKEN" to the headers), but it seems that you can only use a service account token in the dashboard and not user tokens.

Is there any way to work around this?

Matthias

1 Answer


I think the following approach might work.

Create a basic group and add members using Azure Active Directory on the Azure side.

As for the Kubernetes part, you should be using RBAC: Control access to cluster resources using role-based access control and Azure Active Directory identities in Azure Kubernetes Service.

You will be able to limit each group to the desired namespace or to certain actions, like only watch.

Here is a nice example of using External OAuth Authentication with Kubernetes.

Crou
  • I tried this. I was able to log in, but the problem is that I can't select the rights per user. I can set the same permissions for everyone with a service account, but not set permissions per user based on the token generated by the proxy. – Matthias Mar 02 '20 at 15:01
  • You need to create groups and set permissions per group, not per user. – Crou Mar 02 '20 at 15:06
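The group-based RBAC the answer describes, as an added example that is not part of the original question or answer. It creates a namespace-scoped Role that only allows read-style verbs and binds it to an AAD group. The namespace "dev" and the group object ID 00000000-0000-0000-0000-000000000000 are placeholders for illustration; substitute the real ID shown in the Azure portal or by `az ad group show --group <name>`.

```yaml
# Added example (not from the original post): namespace-scoped, read-only RBAC
# for one Azure AD group on an AAD-integrated AKS cluster.
# Assumptions: the namespace "dev" exists, and the AAD group's object ID is the
# placeholder 00000000-0000-0000-0000-000000000000 (replace with the real ID).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-readonly
  namespace: dev
rules:
  # Core resources the dashboard shows on its workload pages.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]
  # Workload controllers; still no create/update/delete.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-readonly-aad-group
  namespace: dev
subjects:
  - kind: Group
    # AKS presents AAD group membership to Kubernetes RBAC as the group's
    # object ID, not its display name, so the subject name is the GUID.
    name: "00000000-0000-0000-0000-000000000000"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-readonly
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f` and check the effect without logging in as a member by impersonating the group: `kubectl auth can-i list pods -n dev --as=someone --as-group=00000000-0000-0000-0000-000000000000` should answer yes, while the same query with `delete` or against another namespace should answer no (impersonation itself requires that your own identity is allowed to impersonate). The caveat that matters for the question above: these bindings only take effect if the dashboard talks to the API server with the logged-in user's forwarded bearer token. If the dashboard authenticates with its own cluster-admin service account token, the API server never sees the user's groups and every caller keeps full access, exactly the situation the question describes.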