This walkthrough details setting up access to the Kubernetes Dashboard over an OIDC impersonation proxy (https://github.com/jetstack/kube-oidc-proxy). This allows users to login to the Kubernetes Dashboard using an OIDC identity provider, even when configuring the Kubernetes API server for OIDC authentication is not an available option (e.g. if on a managed service such as GKE)

• a Kubernetes cluster (e.g. GKE)
• kubectl
• an OIDC identity provider (e.g. Google OAuth App)
• cfssl and cfssljson for generating certs

The first step is to generate TLS ceritifates for the OIDC proxy:

cd ./certs
sh gen-certs.sh

Edit kube-oidc-proxy/secrets.yaml and fill in the serving TLS cert and key using certs/server.pem and certs/server-key.pem respectively.

Fill in the OIDC Secret as per your identity provider. For oidc.username-claim, use the claim from the OIDC token that represents the user (e.g. email for Google).

Deploy the kube-oidc-proxy with this configuration:

kubectl apply -f ./kube-oidc-proxy

kubectl apply -f ./dashboard

Next we need to create the kubernetes-dashboard-token-proxycert Secret to allow the Dashboard to correctly connect to proxy with the certs we generated.

# Get the existing Service Account secret, change UUID for the generated Secret name
kubectl get secret kubernetes-dashboard-token-UUID -o yaml > kubernetes-dashboard-token-proxycert.yaml

Now edit kubernetes-dashboard-token-proxycert.yaml to make the following changes:

• Change name to kubernetes-dashboard-token-proxycert
• Change type to Opaque
• Change ca.crt to certs/ca.pem

Create the Secret:

kubectl apply -f kubernetes-dashboard-token-proxycert.yaml

After some time, the Dashboard Pod should now become healthy.

kubectl apply -f keycloak-gatekeeper/

For example:

kubectl port-forward svc/oidc-proxy-dashboard 8081:3000

Ensure you've configured the redirect URI with your identity provider correctly. You'll be forwarded to your identity provider to login, and will be returned to the Dashboard as a successfully logged in user.