{"id":26088778,"url":"https://github.com/gardener/oidc-webhook-authenticator","last_synced_at":"2025-03-17T15:12:28.235Z","repository":{"id":38203757,"uuid":"342268333","full_name":"gardener/oidc-webhook-authenticator","owner":"gardener","description":"Kubernetes Webhook Authenticator that allows for dynamic registration of OpenID Connect providers","archived":false,"fork":false,"pushed_at":"2025-02-24T22:51:41.000Z","size":632,"stargazers_count":54,"open_issues_count":9,"forks_count":16,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-09T08:13:24.922Z","etag":null,"topics":["authentication","authenticator","controller","crd","k8s","kubernetes","oidc","openid-connect","webhook"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gardener.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-25T14:19:26.000Z","updated_at":"2025-03-08T08:10:53.000Z","dependencies_parsed_at":"2023-11-13T13:25:42.066Z","dependency_job_id":"4e2ef751-b83c-4a5a-bb4b-364964734198","html_url":"https://github.com/gardener/oidc-webhook-authenticator","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Foidc-webhook-authenticator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Foidc-webhook-authenticator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garden
er%2Foidc-webhook-authenticator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Foidc-webhook-authenticator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gardener","download_url":"https://codeload.github.com/gardener/oidc-webhook-authenticator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244056425,"owners_count":20390719,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authenticator","controller","crd","k8s","kubernetes","oidc","openid-connect","webhook"],"created_at":"2025-03-09T08:13:31.397Z","updated_at":"2025-03-17T15:12:28.210Z","avatar_url":"https://github.com/gardener.png","language":"Go","readme":"# OpenID Connect Webhook Authenticator for Kubernetes\n[![REUSE status](https://api.reuse.software/badge/github.com/gardener/oidc-webhook-authenticator)](https://api.reuse.software/info/github.com/gardener/oidc-webhook-authenticator)\n\n\n## Table of content\n\n- [OpenID Connect Webhook Authenticator for Kubernetes](#openid-connect-webhook-authenticator-for-kubernetes)\n  - [Table of content](#table-of-content)\n  - [Overview](#overview)\n  - [Background](#background)\n  - [Use cases](#use-cases)\n  - [How it works](#how-it-works)\n    - [Registration of a new OpenID Connect provider](#registration-of-a-new-openid-connect-provider)\n    - [End-user authentication via new OpenIDConnect IDP](#end-user-authentication-via-new-openidconnect-idp)\n  - [Docker images](#docker-images)\n  - [Local 
development](#local-development)\n\n## Overview\n\nThe OpenID Connect Webhook Authenticator allows Kubernetes cluster administrators to dynamically register new OpenID Connect providers in their clusters to use for kube-apiserver authentication.\n\n\u003e Note: This repository is still in the `alpha` stage and in active development. It should not be used in production. The API can change without any backwards compatibility.\n\n## Background\n\nIn Kubernetes, only a single OpenID Connect authenticator can be used for end-users to authenticate.\n\nTo work around this limitation, a [Webhook Token Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication) can be configured. The Kube APIServer then sends the [Bearer Tokens (id_token)](https://tools.ietf.org/html/rfc6750#section-2.1) to an external webhook for validation:\n\n```json\n{\n  \"apiVersion\": \"authentication.k8s.io/v1beta1\",\n  \"kind\": \"TokenReview\",\n  \"spec\": {\n    \"token\": \"(BEARERTOKEN)\"\n  }\n}\n```\n\nUpon verification, the remote webhook returns the identity of the user (if authentication succeeds):\n\n```json\n{\n  \"apiVersion\": \"authentication.k8s.io/v1beta1\",\n  \"kind\": \"TokenReview\",\n  \"status\": {\n    \"authenticated\": true,\n    \"user\": {\n      \"username\": \"janedoe@example.com\",\n      \"uid\": \"42\",\n      \"groups\": [\n        \"developers\",\n        \"qa\"\n      ],\n      \"extra\": {\n        \"extrafield1\": [\n          \"extravalue1\",\n          \"extravalue2\"\n        ]\n      }\n    }\n  }\n}\n```\n\nThis repository is the out-of-tree implementation of the [Dynamic Authentication KEP](https://github.com/kubernetes/enhancements/pull/1689).\n\n## Use cases\n\n- Establish a trust relationship between different Kubernetes clusters using [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) 
and [Service Account Issuer Discovery](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery).\n- Offer cluster admins the option to dynamically allow users from other OIDC IDPs to authenticate against their `kube-apiserver`.\n\n## How it works\n\nThis webhook is a Kubernetes controller that acts on `OpenIDConnect` resources, e.g.:\n\n```yaml\napiVersion: authentication.gardener.cloud/v1alpha1\nkind: OpenIDConnect\nmetadata:\n  name: foo\nspec:\n  issuerURL: https://foo.bar\n  clientID: some-client-id\n  usernameClaim: email\n  usernamePrefix: \"test-\"\n  groupsClaim: groups\n  groupsPrefix: \"baz-\"\n  supportedSigningAlgs:\n  - RS256\n  requiredClaims:\n    baz: bar\n  caBundle: LS0tLS1CRUdJTiBDRVJU...base64-encoded CA certs for issuerURL.\n```\n\n\u003e Note: The fields in the specification correspond to the [kube-apiserver OIDC flags](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server).\n\n### Registration of a new OpenID Connect provider\n\nThe flow is as follows:\n\n1. An admin adds a new `OpenIDConnect` to the cluster.\n1. The webhook controller watches for changes on this resource and does [OIDC discovery](https://openid.net/specs/openid-connect-discovery-1_0.html). The [OIDC provider's configuration](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) has to be accessible under the `spec.issuerURL` with a [well-known path (.well-known/openid-configuration)](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig).\n1. The webhook controller uses the `jwks_uri` obtained from the OIDC provider's configuration to fetch the OIDC provider's public keys from that endpoint.\n1. 
The webhook controller uses those keys, issuer, client_id and other settings to add an OIDC authenticator to an in-memory list of [Token Authenticators](https://pkg.go.dev/k8s.io/apiserver/pkg/authentication/authenticator?tab=doc#Token).\n\nAn overview of the controller:\n\n![alt text](docs/registration.svg \"Authentication with OIDC webhook\")\n\n### End-user authentication via new OpenIDConnect IDP\n\nWhen a user wants to authenticate to the `kube-apiserver` via this new Custom OpenIDConnect IDP:\n\n1. The user authenticates with the custom IDP.\n1. An `id_token` is obtained from the custom IDP (e.g. `ddeewfwef...`).\n1. The user uses the `id_token` to perform an API call to the Kube APIServer.\n1. As the `id_token` is not matched by any built-in or configured authenticators in the Kube APIServer, it is sent to the OpenID Connect Webhook Authenticator for validation.\n\n    ```json\n    {\n      \"TokenReview\": {\n        \"kind\": \"TokenReview\",\n        \"apiVersion\": \"authentication.k8s.io/v1\",\n        \"spec\": {\n          \"token\": \"ddeewfwef...\"\n        }\n      }\n    }\n    ```\n\n1. The webhook then iterates over all registered `OpenIDConnect` token authenticators and tries to validate the token.\n1. 
Upon successful validation, it returns the `TokenReview` with user, groups and extra parameters:\n\n    ```json\n    {\n      \"TokenReview\": {\n        \"kind\": \"TokenReview\",\n        \"apiVersion\": \"authentication.k8s.io/v1\",\n        \"spec\": {\n          \"token\": \"ddeewfwef...\"\n        },\n        \"status\": {\n          \"authenticated\": true,\n          \"user\": {\n            \"username\": \"test-admin@example.com\",\n            \"groups\": [\n              \"test-some-group\"\n            ],\n            \"extra\": {\n              \"gardener.cloud/authenticator/name\": [\n                \"gardener\"\n              ],\n              \"gardener.cloud/authenticator/uid\": [\n                \"e5062528-e5a4-4b97-ad83-614d015b0979\"\n              ]\n            }\n          }\n        }\n      }\n    }\n    ```\n\nIt adds the following extra information, which can be used by custom authorizers later on:\n\n- `gardener.cloud/authenticator/name` contains the name of the `OpenIDConnect` authenticator which was used.\n- `gardener.cloud/authenticator/uid` contains the UID of the `OpenIDConnect` authenticator which was used.\n\n## Docker images\n\nDocker images are available [here](https://console.cloud.google.com/gcr/images/gardener-project/EU/gardener/oidc-webhook-authenticator), or you can pull the latest pre-release version with the following command:\n\n```text\ndocker pull europe-docker.pkg.dev/gardener-project/public/gardener/oidc-webhook-authenticator:latest\n```\n\n## Local development\n\nFor this setup, the following components are needed:\n\n- [minikube](https://minikube.sigs.k8s.io/docs/start/)\n\nThe API server is started with `--authentication-token-webhook-config-file` pointing to a `kubeconfig` file for the webhook.\n\n```shell\nmkdir -p ~/.minikube/files/var/lib/minikube/certs\ncp config/samples/minikube-webhook-kubeconfig.yaml ~/.minikube/files/var/lib/minikube/certs/minikube-webhook-kubeconfig.yaml\n\nminikube start \\\n  
--extra-config=apiserver.authentication-token-webhook-config-file=/var/lib/minikube/certs/minikube-webhook-kubeconfig.yaml \\\n  --extra-config=apiserver.authentication-token-webhook-cache-ttl=10s\n```\n\nTo allow easy communication between the `kube-apiserver` and the `oidc-webhook-authenticator`, the minikube IP is added as `control-plane.minikube.internal` in `/etc/hosts`:\n\n```shell\nsudo sed -ie '/control-plane.minikube.internal/d' /etc/hosts\necho \"$(minikube ip) control-plane.minikube.internal\" | sudo tee -a /etc/hosts\n```\n\nAdd the CRD:\n\n```shell\nkubectl apply -f config/crd/bases/authentication.gardener.cloud_openidconnects.yaml\n```\n\nBuild the image so it is accessible to `minikube`:\n\n```shell\nminikube image build -t oidc-webhook-authenticator .\n```\n\nDeploy the OIDC webhook authenticator:\n\n```shell\nkubectl apply -f config/samples/deployment.yaml\n```\n\nCreate an `OpenIDConnect` resource configured with your identity provider's settings (see an example [here](./config/samples/authentication_v1alpha1_openidconnect.yaml)). Get a token from your identity provider. You can now authenticate against the minikube cluster.\n\n```bash\ncurl -k -H \"Authorization: Bearer $MY_TOKEN\" $(kubectl config view -o=jsonpath=\"{.clusters[?(@.name=='minikube')].cluster.server}\")\n```\n\nAlternatively, you can use a token kubeconfig or the [kubelogin](https://github.com/int128/kubelogin) plugin and configure an OIDC kubeconfig.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgardener%2Foidc-webhook-authenticator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgardener%2Foidc-webhook-authenticator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgardener%2Foidc-webhook-authenticator/lists"}