Scalable User Authentication for Kubernetes Clusters with OpenID... Nathan Brahms & Shashwat Sehgal

Scalable User Authentication for Kubernetes Clusters with OpenID Connector - Nathan Brahms & Shashwat Sehgal, P0 Security

Platform engineering teams face a challenge in managing developer access to Kubernetes clusters. First, on the user provisioning side, the default client-certificate-based authentication strategy requires submitting signing requests for every user in every cluster. Second, a mapping of roles and role bindings must be defined inside each cluster. This talk evangelizes the Kubernetes built-in OpenID Connector and emphasizes how easy it is to move away from these defaults, and how automation can decrease the ongoing maintenance burden. The talk discusses configuring OIDC authentication for Kubernetes clusters, with details of how to do that in each major cloud provider (AWS, Azure, Google) and identity provider (Azure AD, Google Workspace, Okta, JumpCloud). Finally, it discusses how to set up developer access using the open-source kubelogin kubectl plugin. This approach works well in environments with a large number of clusters or Kubernetes deployments in multiple clouds.
