{"id":19719907,"url":"https://github.com/yldio/kubernetes-auth","last_synced_at":"2025-10-08T10:59:38.086Z","repository":{"id":84551687,"uuid":"111404114","full_name":"yldio/kubernetes-auth","owner":"yldio","description":"👩‍💻🔐 Log into k8s clusters using dex with a nice UI","archived":false,"fork":false,"pushed_at":"2019-03-10T08:42:52.000Z","size":176,"stargazers_count":34,"open_issues_count":2,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-29T21:39:13.676Z","etag":null,"topics":["authentication","dex","kubernetes","oidc"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yldio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-11-20T11:52:23.000Z","updated_at":"2024-07-10T11:24:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"7f70c1eb-f4b9-431a-9128-4b74566167ba","html_url":"https://github.com/yldio/kubernetes-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yldio/kubernetes-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yldio%2Fkubernetes-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yldio%2Fkubernetes-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yldio%2Fkubernetes-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yldio%2Fkubernetes-auth/manifests","owner_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/owners/yldio","download_url":"https://codeload.github.com/yldio/kubernetes-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yldio%2Fkubernetes-auth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263335839,"owners_count":23450936,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","dex","kubernetes","oidc"],"created_at":"2024-11-11T23:09:41.239Z","updated_at":"2025-10-08T10:59:38.018Z","avatar_url":"https://github.com/yldio.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kubernetes-auth\n\nAn authentication front-end to Kubernetes clusters, enabling users to log into\na Kubernetes cluster through the configuration and use of [Dex](https://github.com/coreos/dex),\n[OIDC](https://github.com/coreos/dex/blob/5e34f0d1a6e22725b39f521178baac2cddd0a306/Documentation/openid-connect.md) \nand [Kubernetes OIDC](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)\n\nThis has been developed for developers in large teams, with lots of new joiners to\nprovide an easy way to switch between environments / regions in non-federated\ndeployments.\n\nIt also provides an easy method to switch out Dex Connectors, so when your team\nends up moving from Github to Okta, you have a minimal set of changes to\nimplement.\n\n### What does it look like?\n\nLogin Page            | Command Page\n:-------------------------:|:-------------------------:\n![Login page](./images/login.png) | 
![Command page](./images/commands.png)\n\n### I have a cluster, let's go!\n\n[![Status](https://img.shields.io/badge/chart%20status-untested-orange.svg?style=flat-square)]()\n\nInstall dex:\n\n```bash\nhelm upgrade --install dex ./charts/dex --set secrets.github.client.id=bleh --set secrets.github.client.secret=blah\n```\n\nInstall kubernetes-auth:\n\n```\nhelm upgrade --install kubernetes-auth ./charts/kubernetes-auth\n```\n\nOnce the application has been deployed and is running, the next step is to point\nthe Kubernetes API server's OIDC options at Dex.\n\n```\n--oidc-issuer-url=https://dex.sandbox.yld.io\n--oidc-client-id=kubernetes-auth\n--oidc-ca-file=/etc/kubernetes/ssl/openid-ca.pem\n--oidc-username-claim=email\n--oidc-groups-claim=groups\n```\n\n### Dex? Aka Kubernetes Authentication\n\nDex acts as an intermediary between GitHub authentication and Kubernetes, acting\nas an identity provider. This gives us the flexibility to move to another backend\n(LDAP, SAML, etc.) at some point in the future.\n\nAt the moment user logins are federated by GitHub teams. Each team then belongs\nto a namespace with view access to everything in that namespace. 
As time progresses we\nmight want to restrict / expand on this.\n\nTo log in, a user follows this flow, with sandbox replaced by their\nenvironment of choice (levels of access will be handled):\n\n- Navigate to http://k8s-auth.sandbox.yld.io\n- Log in to GitHub and authorise the YLD GitHub application\n- Follow the instructions and copy the kubeconfig to your local ~/.kube/config\n- Check access with `kubectl get pods`\n\n### How does kubernetes-auth work with Dex?\n\nWe recommend reading the [Dex](https://github.com/coreos/dex) [Documentation](https://github.com/coreos/dex/blob/master/Documentation/using-dex.md) before continuing, as Dex must be\nworking correctly before kubernetes-auth can start.\n\nIn our example helm chart for kubernetes-auth and dex, we specifically use only\nthe GitHub Connector and the PostgreSQL backend. This was the working combination\nat time of implementation, but we plan to extend the chart to make it configurable.\n\nFor a GitHub organisation structured like this:\n\n- yldio\n  - Team\n    - platform\n    - software-engineering\n\nIt becomes possible to map the team `platform` to the Kubernetes RBAC ClusterRole `cluster-admin` to give anyone in the team `platform` cluster-wide access to the Kubernetes cluster. Likewise, if we gave the team `software-engineering` a Role in a specific namespace, any new members will have access to the Kubernetes cluster in that specific namespace.\n\n---\n\n### Contribute\n\nWe're delighted that you'd like to contribute to kubernetes-auth, as we're always looking for ways to improve it.\n\nIf there is anything that you'd like to improve or propose, please submit a pull request. 
And remember to check the contribution [guidelines](CONTRIBUTING.md)!\n\n#### Start\n\n##### Dependencies\n\n- Minikube\n- kubectl\n- helm\n\n```bash static\necho $(minikube ip) cluster-auth.minikube.local | sudo tee -a /etc/hosts\nminikube ssh 'echo 127.0.2.1 cluster-auth.minikube.local | sudo tee -a /etc/hosts'\nhelm upgrade --install dex ./charts/dex --set secrets.github.client.id=abcdef --set secrets.github.client.secret=abcedf\nkubectl apply -f charts/dex/minikube.yaml\n```\n\n### License\n\n[Apache-2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyldio%2Fkubernetes-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyldio%2Fkubernetes-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyldio%2Fkubernetes-auth/lists"}