
How do I update an on-premise Kubernetes API server to enable OIDC with Dex?


I installed Dex + Active Directory integration a few months ago on a cluster installed by kubeadm.

Let's assume that Dex is now running and it is accessible through https://dex.example.com.

In this case:

Enabling OIDC at the level of the API server has 3 steps:

These steps have to be done on each of your Kubernetes master nodes.

1- SSH to your master node.

$ ssh root@master-ip

2- Edit the Kubernetes API configuration.

Add the OIDC parameters and modify the issuer URL accordingly.

$ sudo vim /etc/kubernetes/manifests/kube-apiserver.yaml
...
    command:
    - /hyperkube
    - apiserver
    - --advertise-address=x.x.x.x
    ...
    - --oidc-issuer-url=https://dex.example.com   # <-- 🔴 Please focus here
    - --oidc-client-id=oidc-auth-client           # <-- 🔴 Please focus here
    - --oidc-username-claim=email                 # <-- 🔴 Please focus here
    - --oidc-groups-claim=groups                  # <-- 🔴 Please focus here
...

3- The Kubernetes API will restart by itself.

I also recommend checking a full guide like this tutorial.
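The following POSIX shell script is an added example and is not code from either answer or from the Dex or Kubernetes projects. It audits a kube-apiserver static pod manifest for the four --oidc-* flags named in the steps above and checks that the issuer URL uses https:// (the only scheme kube-apiserver accepts for --oidc-issuer-url). The function names and the two sample manifests it writes to a temporary directory are constructed for the demonstration; on a real master you would point it at /etc/kubernetes/manifests/kube-apiserver.yaml instead.

```shell
#!/bin/sh
# Added example, not code from either answer: audit a kube-apiserver static pod
# manifest for the OIDC flags listed in the answer above. Function names, the
# sample manifests and the temp paths below are constructed for this demo.

# Flags the answer adds; each must appear as a "- --flag=value" command item.
REQUIRED_FLAGS="--oidc-issuer-url --oidc-client-id --oidc-username-claim --oidc-groups-claim"

# flag_present FLAG MANIFEST: 0 if "- FLAG=" occurs as a command list item.
# The "=" after the flag name keeps --oidc-client-id from matching a longer name.
flag_present() {
    grep -Eq "^[[:space:]]*-[[:space:]]*$1=" "$2"
}

# oidc_missing_flags MANIFEST: print each required flag that is absent, one per
# line; return 0 when none are missing, 1 otherwise.
oidc_missing_flags() {
    _rc=0
    for _flag in $REQUIRED_FLAGS; do
        if ! flag_present "$_flag" "$1"; then
            echo "$_flag"
            _rc=1
        fi
    done
    return $_rc
}

# oidc_issuer_is_https MANIFEST: 0 only when --oidc-issuer-url is set and
# starts with https://, which is what kube-apiserver requires.
oidc_issuer_is_https() {
    grep -Eq "^[[:space:]]*-[[:space:]]*--oidc-issuer-url=https://" "$1"
}

# audit_manifest MANIFEST: human-readable report; return 0 only if both checks pass.
audit_manifest() {
    echo "== $1"
    _ok=0
    _missing=$(oidc_missing_flags "$1") || _ok=1
    if [ -n "$_missing" ]; then
        printf 'missing flags:\n%s\n' "$_missing"
    fi
    if ! oidc_issuer_is_https "$1"; then
        echo "issuer URL is missing or not https://"
        _ok=1
    fi
    if [ "$_ok" -eq 0 ]; then
        echo "OK: all OIDC flags present, issuer is https"
    fi
    return $_ok
}

# Constructed sample manifests (not real cluster files). The real file on a
# kubeadm master is /etc/kubernetes/manifests/kube-apiserver.yaml.
SAMPLE_DIR="${TMPDIR:-/tmp}/oidc-check.$$"
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/complete.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --oidc-issuer-url=https://dex.example.com
    - --oidc-client-id=oidc-auth-client
    - --oidc-username-claim=email
    - --oidc-groups-claim=groups
EOF

# Two claim flags missing, and the issuer is plain http.
cat > "$SAMPLE_DIR/partial.yaml" <<'EOF'
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --oidc-issuer-url=http://dex.example.com
    - --oidc-client-id=oidc-auth-client
EOF

audit_manifest "$SAMPLE_DIR/complete.yaml"
audit_manifest "$SAMPLE_DIR/partial.yaml"
```

Run it on each master after editing the manifest and before moving on to the next one, so a typo in a flag name is caught before the static pod is restarted with it. If Dex is served with a certificate from a private CA, the API server also needs --oidc-ca-file pointing at that CA bundle; this script does not check for it because the answer above does not use it.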


The OIDC flags are for the Kubernetes API server. You have not mentioned how you have installed Kubernetes on-prem. Ideally you should have multiple master nodes fronted by a load balancer.

So you would disable traffic to one master node from the load balancer, log in to that master node, edit the manifest of the API server in /etc/kubernetes/manifests and add the OIDC flags. Once you change the manifest, the API server pod will be restarted automatically.

You repeat the same process for all master nodes, and since at any given point in time you have at least one master node available, there should not be any downtime.