{"id":13676818,"url":"https://github.com/jetstack/kube-oidc-proxy","last_synced_at":"2025-04-29T07:33:31.343Z","repository":{"id":43774157,"uuid":"174326818","full_name":"jetstack/kube-oidc-proxy","owner":"jetstack","description":"Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.","archived":true,"fork":false,"pushed_at":"2024-08-10T02:04:32.000Z","size":107992,"stargazers_count":477,"open_issues_count":35,"forks_count":93,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-11T18:43:32.084Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://jetstack.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-07T10:55:06.000Z","updated_at":"2024-11-09T20:17:37.000Z","dependencies_parsed_at":"2024-11-11T18:36:08.962Z","dependency_job_id":"cc0252f3-290d-405a-8d6a-30bc0b7f30e7","html_url":"https://github.com/jetstack/kube-oidc-proxy","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fkube-oidc-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fkube-oidc-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fkube-oidc-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fkube-oidc-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codeload.github.com/jetstack/kube-oidc-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251456065,"owners_count":21592287,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:00:33.301Z","updated_at":"2025-04-29T07:33:26.335Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":["Go","\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"e9f97504fbd14c8bb4154bd0680e9e62\"\u003e\u003c/a\u003e反向代理"],"readme":"# kube-oidc-proxy\n\n\u003e  :warning:\n\u003e\n\u003e  The kube-oidc-proxy project has been archived; check out the maintained [fork](https://github.com/TremoloSecurity/kube-oidc-proxy) by Tremolo Security.\n\u003e\n\u003e  :warning:\n\n`kube-oidc-proxy` is a reverse proxy server to authenticate users using OIDC to\nKubernetes API servers where OIDC authentication is not available (e.g. managed\nKubernetes providers such as GKE, EKS, etc.).\n\nThis intermediary server takes `kubectl` requests, authenticates the request using\nthe configured OIDC Kubernetes authenticator, then attaches impersonation\nheaders based on the OIDC response from the configured provider. This\nimpersonated request is then sent to the API server on behalf of the user and\nits response passed back. The server has flag parity with the secure serving and\nOIDC authentication flags available on the Kubernetes API server, as well as the\nclient flags provided by kubectl. In-cluster client authentication is also\navailable when running `kube-oidc-proxy` as a pod.\n\nSince the proxy server utilises impersonation to forward requests to the API\nserver once authenticated, impersonation is disabled for user requests to the\nAPI server.\n\nThe following is a diagram of the request flow for a user request.\n![kube-oidc-proxy request\nflow](./img/kube-oidc-proxy.png)\n\n## Tutorial\n\nDirections on how to deploy OIDC authentication across multiple clusters can be found\n[here](./demo/README.md), or there is a [helm chart](./deploy/charts/kube-oidc-proxy/README.md).\n\n### Quickstart\n\nDeployment yamls can be found in `./deploy/yaml` and will require configuration for\nan existing OIDC issuer.\n\nThis quickstart demo will assume you have a Kubernetes cluster without OIDC\nauthentication, as well as an OIDC client created with your chosen\nprovider. We will be using a Service with type `LoadBalancer` to expose it to\nthe outside world. This can be changed depending on what is available and what\nsuits your setup best.\n\nFirst, deploy `kube-oidc-proxy` and its related resources into your cluster.\nThis will create its Deployment, Service Account and required permissions in\nthe newly created `kube-oidc-proxy` Namespace.\n\n```\n$ kubectl apply -f ./deploy/yaml/kube-oidc-proxy.yaml\n$ kubectl get all --namespace kube-oidc-proxy\n```\n\nThis deployment will fail until we create the required secrets. Notice we have\nalso not provided any client flags as we are using the in-cluster config with\nits Service Account.\n\nWe now wait until we have an external IP address provisioned.\n\n```\n$ kubectl get service --namespace kube-oidc-proxy\n```\n\nWe need to generate certificates for `kube-oidc-proxy` to serve securely. These\ncertificates can be generated through `cert-manager`; more information about\nthat project can be found [here](https://github.com/jetstack/cert-manager).\n\nNext, populate the OIDC authenticator Secret using the secrets given to you\nby your OIDC provider in `./deploy/yaml/secrets.yaml`. The OIDC provider CA will be\ndifferent depending on which provider you are using. The easiest way to obtain\nthe correct certificate bundle is often by opening the provider's URL in a\nbrowser and fetching them there (typically shown by clicking the lock icon in\nyour address bar). Google's OIDC provider, for example, requires CAs from both\n`https://accounts.google.com/.well-known/openid-configuration` and\n`https://www.googleapis.com/oauth2/v3/certs`.\n\nApply the secret manifests.\n\n```\nkubectl apply -f ./deploy/yaml/secrets.yaml\n```\n\nYou can restart the `kube-oidc-proxy` pod to use these new secrets\nnow that they are available.\n\n```\nkubectl delete pod --namespace kube-oidc-proxy kube-oidc-proxy-*\n```\n\nFinally, create a Kubeconfig that points to `kube-oidc-proxy` and set up your OIDC\nauthenticated Kubernetes user.\n\n```\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority: *\n    server: https://[url|ip:443]\n  name: *\ncontexts:\n- context:\n    cluster: *\n    user: *\n  name: *\nkind: Config\npreferences: {}\nusers:\n- name: *\n  user:\n    auth-provider:\n      config:\n        client-id: *\n        client-secret: *\n        id-token: *\n        idp-issuer-url: *\n        refresh-token: *\n      name: oidc\n```\n\n## Configuration\n - [Token Passthrough](./docs/tasks/token-passthrough.md)\n - [No Impersonation](./docs/tasks/no-impersonation.md)\n - [Extra Impersonation Headers](./docs/tasks/extra-impersonation-headers.md)\n - [Auditing](./docs/tasks/auditing.md)\n\n## Development\n*NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.\n\nTo help with development, there is a suite of tools you can use to deploy a\nfunctioning proxy from source locally. You can read more\n[here](./docs/tasks/development-testing.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fkube-oidc-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fkube-oidc-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fkube-oidc-proxy/lists"}