Everyone can contribute! Let's learn together in a weekly cafe ☕
We love to break things, make mistakes, debug, analyse and fix problems together. Live and unfiltered on YouTube.
Community members and thought leaders regularly join and share their projects and ideas.
"Everyone Can Contribute" is inspired by GitLab's mission.
18. Cafe: Kubernetes authentication and authorization with user management and RBAC
We are learning how to deploy Kubernetes into Hetzner cloud in this series:
- Provisioned the server and agent VMs with Terraform and Ansible in the first session
- Deployed k3s last week
- Learned about pods and the Hetzner load balancer
- Ingress controller for load balancer cost savings
We’ll take a break from deploying a Kubernetes cluster this week, and get to know Kubernetes user authentication and authorization from Niclas Mietz.
- Authentication with kubectl in general
- Creating an X509 client certificate for authentication
- Using the X509 client certificate with kubectl
- Role-based access control (RBAC) with Kubernetes, docs
  - The Cluster prefix (ClusterRole) makes a role cluster-wide, while a RoleBinding is exclusive to a single namespace, docs.
- Switching the authentication strategy from X509 client certificates to OpenID Connect
- Using OpenID Connect tokens and identity providers (IdPs), docs
- Using GitLab as OpenID Connect identity provider (IdP)
- Kubernetes authentication through Dex as OpenID proxy
- Starting to configure the k3s API server with
- Steps for repeating the setup
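A worked version of the client-certificate and RBAC steps above, added here as an example and not code from the session: it creates the user's key and CSR with openssl, wraps the CSR in a Kubernetes CertificateSigningRequest, and writes a namespaced Role plus RoleBinding for that user. The username alice, group developers, namespace cafe and the output directory are assumptions; the kubectl commands are only printed, not run.

```shell
# Added example, not from the cafe session. Assumed: user "alice" in group
# "developers", namespace "cafe". Needs openssl and base64; kubectl is only printed.
set -eu

# Key + CSR. The API server maps the cert's CN to the username and O to a group.
make_user_csr() {         # $1 = username, $2 = group, $3 = output dir
  mkdir -p "$3"
  openssl genrsa -out "$3/$1.key" 2048 2>/dev/null
  openssl req -new -key "$3/$1.key" -subj "/CN=$1/O=$2" -out "$3/$1.csr"
  openssl req -in "$3/$1.csr" -noout -subject   # the identity Kubernetes will see
}

# Wrap the CSR so the cluster CA signs it via the kube-apiserver-client signer.
make_k8s_csr_manifest() { # $1 = username, $2 = output dir
  b64=$(base64 < "$2/$1.csr" | tr -d '\n')
  cat > "$2/$1-csr.yaml" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $b64
  signerName: kubernetes.io/kube-apiserver-client
  usages: ["client auth"]
EOF
}

# A Role and its RoleBinding are namespaced: the user can only read pods in $2.
make_rbac_manifest() {    # $1 = username, $2 = namespace, $3 = output dir
  cat > "$3/$1-rbac.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: $2}
rules:
- {apiGroups: [""], resources: ["pods"], verbs: ["get", "list", "watch"]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $1-pod-reader, namespace: $2}
subjects:
- {kind: User, name: $1, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io}
EOF
}

out=${OUT_DIR:-./alice-access}
make_user_csr alice developers "$out"
make_k8s_csr_manifest alice "$out"
make_rbac_manifest alice cafe "$out"
echo "next: kubectl apply -f $out/alice-csr.yaml && kubectl certificate approve alice"
echo "then: kubectl apply -f $out/alice-rbac.yaml && kubectl auth can-i list pods -n cafe --as alice"
```

After approval, fetch the signed certificate from the CSR object's status and put it together with alice.key into a kubeconfig user entry; the can-i check should answer yes for pods in cafe and no elsewhere.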
Next week, we’ll look into:
- OpenID Connect for the API server with Dex and GitLab, continued.
- Hetzner storage volumes
Future ideas touch monitoring with Prometheus, GitLab CI/CD deployments and much more :)
Enjoy the session! 🦊