Best practices implementing authentication via OIDC #7728

Open
jo-krk opened this issue May 10, 2023 · 6 comments
Labels
kind/support Categorizes issue or PR as a support question. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@jo-krk

jo-krk commented May 10, 2023

What would you like to be added?

Hi,
It's not really a feature request, more like a wish to hear best practices/recipes that work. Please feel free to move it if you think there is a better type/label for it.

My goal is to provide Dashboard to a few different teams, who have different permissions (configured via RBACs), and to make it accessible via OIDC & Keycloak.
To achieve that I was using oauth2-proxy, but soon I realized that oauth2-proxy and XHR requests from Dashboard don't work nicely together - I can see the Dashboard page failing with a "CORS: Missing allow origin" error after a while, the Origin being "Origin: null", so I can't really allow it @ Keycloak.

How are others achieving it? I think it should be a common setup to have Dashboard working with OIDC. I'm ready to replace oauth2-proxy with something else, if required.

Thanks.

Why is this needed?

I think it should be a common scenario to use Dashboard with OIDC.

@jo-krk jo-krk added the kind/feature Categorizes issue or PR as related to a new feature. label May 10, 2023
@maciaszczykm maciaszczykm added kind/support Categorizes issue or PR as a support question. and removed kind/feature Categorizes issue or PR as related to a new feature. labels May 19, 2023
@nkwangleiGIT

Currently, I'm using keycloak-gatekeeper as a sidecar proxy to use the token from OIDC. Here is a sample for your reference:
https://github.com/kubebb/addon-components/tree/master/kube-dashboard

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 23, 2024
@aslafy-z

I made an oauth2-proxy compatible adapter that forwards requests to kubernetes-dashboard with the right header format; see a sample deployment at https://github.com/aslafy-z/k8s-dashboard-impersonation-proxy/tree/main?tab=readme-ov-file#demo.
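
An added example of the header translation an adapter of this kind has to perform; it is not code from the linked project or from anyone in this thread. It assumes the front proxy passes identity as `X-Forwarded-User` and `X-Forwarded-Groups` and that the upstream expects the Kubernetes `Impersonate-User` / `Impersonate-Group` headers; the function name `toImpersonation` is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Assumed names: X-Forwarded-* set by the auth proxy, Impersonate-* read upstream.
const (
	inUser   = "X-Forwarded-User"
	inGroups = "X-Forwarded-Groups"
	outUser  = "Impersonate-User"
	outGroup = "Impersonate-Group"
)

// toImpersonation copies the request headers, drops every Impersonate-* header
// the client sent, and rebuilds them from the proxy-asserted identity only.
func toImpersonation(in http.Header) (http.Header, error) {
	out := http.Header{}
	for name, vals := range in {
		if strings.HasPrefix(strings.ToLower(name), "impersonate-") {
			continue // never trust impersonation headers that came from the browser
		}
		out[name] = append([]string(nil), vals...)
	}
	user := strings.TrimSpace(in.Get(inUser))
	if user == "" {
		// Fail closed: no authenticated identity means nothing is forwarded.
		return nil, errors.New("no authenticated user header; refusing to forward")
	}
	out.Set(outUser, user)
	for _, g := range strings.Split(in.Get(inGroups), ",") {
		if g = strings.TrimSpace(g); g != "" {
			out.Add(outGroup, g) // one header value per group
		}
	}
	return out, nil
}

func main() {
	// Constructed sample headers, including a spoofed Impersonate-Group.
	in := http.Header{}
	in.Set("X-Forwarded-User", "alice")
	in.Set("X-Forwarded-Groups", "team-a, viewers")
	in.Set("Impersonate-Group", "system:masters")
	fmt.Println(toImpersonation(in))
}
```

Because the function trusts `X-Forwarded-*`, the adapter must be reachable only from the authenticating proxy, and the credential it forwards with needs the `impersonate` verb in RBAC for the users and groups involved.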

@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 22, 2024
@aslafy-z

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 22, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 22, 2024