I'm really interested in learning how people who manage on-premises or self-hosted Kubernetes clusters tackle user authentication. Personally, I find Keycloak to be a solid choice as an Identity Provider (IDP). However, there's a tricky decision to make regarding whether to run it inside or outside the cluster to avoid that chicken-and-egg problem. You can still manage it with admin access using client certificate authentication if needed.
That said, I've found certificates can be a hassle, especially in enterprise environments, since they can't be revoked and their lifecycle management is cumbersome compared to tokens.
So, I'm curious: are you still using client certificate-based kubeconfigs in your Kubernetes setups? Or does the challenge of managing an extra IDP make you lean towards certificates instead? Given the drawbacks of certificates and the management overhead of Keycloak, has anyone considered just relying on ServiceAccount tokens and creating user/tenant kubeconfigs from those, perhaps using something like the permission-manager by SIGHUP?
4 Answers
I’ve been seeing a lot of discussions around using OpenID Connect (OIDC) for user access. It makes a lot of sense, especially since most of us probably already have an IDP like Google or Azure. Plus, there are kubectl plugins available that simplify the login process.
ServiceAccount tokens also have their downsides—they can’t be revoked, similar to certificates, but they’re designed to be short-lived. You might want to consider tools like Vault or OpenBao to generate new tokens for your clusters.
For those interested in OIDC, I use the Authelia KubeLogin integration, which has been smooth sailing for our setup. Just thought I’d throw that out there!
I’m looking into Dex for managing identity services in Kubernetes. It seems like a promising solution—has anyone else tried it?
Sometimes, I've used klum alongside the OIDC integration for a smoother experience. It utilizes the ServiceAccount tokens to generate roles and bindings, plus it offers a kubeconfig resource, which makes things easier. Really recommend giving it a shot!
Just to add, you can revoke ServiceAccount access by deleting the corresponding ServiceAccount or removing RBAC rules. It’s like having a built-in kill switch for authorization!
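Added example, not code from any poster in this thread nor from permission-manager or klum: a small Python helper that ties together the question's idea of minting tenant kubeconfigs from ServiceAccount tokens, the first answer's point that such tokens should be short-lived, and the last answer's point that deleting the ServiceAccount is the kill switch. The token and claims below are constructed (unsigned, dummy signature, made-up uid and CA data); the claim layout follows what bound ServiceAccount tokens carry (`sub`, `exp`, `aud`, and a `kubernetes.io` object naming the ServiceAccount and any bound pod or secret), and legacy secret-backed tokens are shown for contrast. Signature verification is deliberately left to the API server; this code only inspects what an operator is about to hand out.

```python
"""Inspect a ServiceAccount token and mint a tenant kubeconfig from it (added example)."""
import base64
import json

# Constructed sample (NOT a real token): claims shaped like the bound token that
# `kubectl create token deployer -n tenant-a --duration=1h` returns. The uid is made up.
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:tenant-a:deployer",
    "iat": 1700000000,
    "nbf": 1700000000,
    "exp": 1700003600,
    "kubernetes.io": {
        "namespace": "tenant-a",
        "serviceaccount": {"name": "deployer", "uid": "11111111-2222-3333-4444-555555555555"},
    },
}

# Constructed legacy-style claims: secret-backed tokens carry no `exp` and no
# `kubernetes.io` binding object, which is why they never expire on their own.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:tenant-a:deployer",
    "kubernetes.io/serviceaccount/namespace": "tenant-a",
    "kubernetes.io/serviceaccount/secret.name": "deployer-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "deployer",
    "kubernetes.io/serviceaccount/service-account.uid": "11111111-2222-3333-4444-555555555555",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped string with a dummy signature, for the constructed samples only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.not-a-real-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims. The signature is NOT verified here; the API
    server does that against the issuer's keys. This is for human inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def revocation_handle(claims: dict) -> tuple:
    """Name the object whose deletion invalidates this token.

    The ServiceAccount token authenticator rejects a token whose ServiceAccount
    (matched by uid) or bound pod/secret no longer exists, so that is the kill switch.
    """
    _, _, namespace, sa_name = claims["sub"].split(":")  # system:serviceaccount:<ns>:<name>
    binding = claims.get("kubernetes.io", {})
    if "pod" in binding:
        return ("pod", namespace, binding["pod"]["name"])
    if "secret" in binding:
        return ("secret", namespace, binding["secret"]["name"])
    legacy_secret = claims.get("kubernetes.io/serviceaccount/secret.name")
    if legacy_secret:
        return ("secret", namespace, legacy_secret)
    return ("serviceaccount", namespace, sa_name)


def check_token(claims: dict, now: int, max_ttl: int = 3600) -> list:
    """Return policy problems; an empty list means the token is acceptable to hand out."""
    problems = []
    if "exp" not in claims:
        problems.append("no exp claim: legacy secret-backed token never expires")
    else:
        if claims["exp"] <= now:
            problems.append("token already expired")
        ttl = claims["exp"] - claims.get("iat", now)
        if ttl > max_ttl:
            problems.append(f"lifetime {ttl}s exceeds policy max {max_ttl}s")
    if "kubernetes.io" not in claims:
        problems.append("no kubernetes.io binding: not a bound token")
    if not claims.get("aud"):
        problems.append("no aud claim: token is not audience-bound")
    return problems


def render_kubeconfig(cluster: str, server: str, ca_data_b64: str, token: str) -> dict:
    """Minimal kubeconfig for a tenant; the context pins the namespace from the token's sub."""
    claims = decode_claims(token)
    user = claims["sub"]
    namespace = user.split(":")[2]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {"server": server, "certificate-authority-data": ca_data_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": f"{user}@{cluster}", "context": {"cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": f"{user}@{cluster}",
    }


if __name__ == "__main__":
    now = 1700000100  # frozen clock so the constructed sample counts as fresh
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print("revoke by deleting:", revocation_handle(decode_claims(token)))
    print("problems:", check_token(decode_claims(token), now) or "none")
    print("legacy problems:", check_token(LEGACY_CLAIMS, now))
    cfg = render_kubeconfig("onprem", "https://10.0.0.1:6443", "constructed-ca-base64", token)
    print(json.dumps(cfg, indent=2))  # JSON is valid YAML, so kubectl loads this file as-is
```

In practice the token comes from `kubectl create token <sa> -n <ns> --duration=<ttl>` and the CA data from the cluster entry of an admin kubeconfig; `check_token` is where a team's maximum lifetime policy lives, and `revocation_handle` tells the on-call engineer which `kubectl delete` actually cuts off a leaked kubeconfig (the ServiceAccount itself for a plain bound token, the pod or secret when the token is bound to one).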