
I want my in-cluster deployment of an app to access the Kubernetes cluster that has OIDC configured. How do I do that? I know one way is via service accounts, but do we have something where we can use the OIDC flow and the token received to make requests to the cluster from within the app?

Here is the app deployment config https://gist.github.com/ashu8912/97cf92ce9b4df2f9c71671cbe45b4625

ashu8912
  • Can you provide any examples of what you tried already? Any [minimal, reproducible example](https://stackoverflow.com/help/minimal-reproducible-example)? –  Feb 16 '22 at 11:13
  • I have tried an AKS setup with Azure AD configured; now my application runs within the cluster itself. My app has OIDC features enabled, so getting a token and taking it to the API server to request resources is possible, but using the token doesn't seem to work, even when I have a cluster role created that points to the group the user resides in, which is something present in the token also. – ashu8912 Feb 17 '22 at 04:20
  • Can you share this app's YAML files? –  Feb 17 '22 at 06:20
  • Sure here it is https://gist.github.com/ashu8912/97cf92ce9b4df2f9c71671cbe45b4625 – ashu8912 Feb 17 '22 at 08:25
  • I know it's annoying to ask, but could you add those manifests to your question? This would make sure they won't be gone in case the gist is deleted. –  Feb 17 '22 at 09:02
  • I still have a hard time understanding what is your issue. Do you want the headlamp app to be able to connect to another app with OIDC? –  Feb 17 '22 at 10:11
  • I want to deploy headlamp in-cluster and get access to the cluster resources that has oidc configured. – ashu8912 Feb 17 '22 at 11:09
  • Access to cluster resources here means I can access the list of all Pods, Nodes, etc. Headlamp is a Kubernetes dashboard project, and that's why it is relevant here to get these details. – ashu8912 Feb 17 '22 at 11:11

1 Answer


Let me start first with the short summary of your intention, so that we have a common baseline.

You want to talk to a remote cluster (2) with OIDC authentication configured, and this communication ought to be initiated by a client (the headlamp app) running inside your mother cluster (1).

If this is the case, the way to achieve it is to use the out-of-cluster client configuration in your headlamp app.

I assume your app is similar to Kubernetes Dashboard, and is written in Go as well, so here is the corresponding example of such an out-of-cluster configuration.

In short, this is where you should point to the existing kubeconfig file, which I assume you previously configured with kubectl according to the official documentation for the oidc-auth provider plugin. Because this kubeconfig file usually stays on your client's computer, you should copy it to the headlamp container.

Nepomucen
  • Thanks for the answer. I will rephrase again what I wanted to convey: I have an app that is deployed in a cluster, and that app has to spit out all the resource details for the same cluster it is deployed to. I can easily access the config file with https://pkg.go.dev/k8s.io/client-go/rest#InClusterConfig. The question is, can I use an OIDC token (generated from the headlamp OIDC flow) to hit the cluster which has the same OIDC configured? I know applications are meant to access the cluster via the service account user type, but can we access it with a token from an application (inside the same cluster)? – ashu8912 Feb 18 '22 at 11:48
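The follow-up question (same cluster, in-cluster endpoint, but the user's OIDC ID token instead of the service-account token) is what the API server already supports: any request carrying `Authorization: Bearer <id-token>` is checked by the OIDC authenticator against the cluster's `--oidc-*` flags, and RBAC is then evaluated for the user and group names derived from the token's claims. The example below is added here and is not Headlamp's code nor the answerer's; it uses only the Go standard library (no client-go) so it runs offline, and it assumes the environment variable name `HEADLAMP_ID_TOKEN`, the issuer URL `https://issuer.example` and the claim name `groups`, none of which come from the question. The mounted CA path and the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables are the standard ones kubelet provides to every pod. The claim decoding is deliberately unverified: it exists only to show which user and group strings the API server will compute, which is usually where "the token doesn't seem to work" comes from, since a ClusterRoleBinding must name the prefixed values, not the bare claims.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// OIDCConfig mirrors the kube-apiserver --oidc-* flags that decide which user and group names RBAC sees.
type OIDCConfig struct {
	IssuerURL, UsernameClaim, UsernamePrefix, GroupsClaim, GroupsPrefix string
}

// decodeClaims returns a JWT payload WITHOUT verifying the signature: it only
// shows what the API server will see; verification is the API server's job.
func decodeClaims(idToken string) (map[string]any, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a JWT: expected three dot-separated segments")
	}
	claims := map[string]any{}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims, err
}

// rbacSubjects applies the documented prefix rules: the username claim defaults to "sub";
// with no prefix set and a claim other than "email" the user becomes "<issuer>#<claim>"
// ("-" disables prefixing); groups get the groups prefix verbatim. Bind exactly these strings.
func rbacSubjects(claims map[string]any, cfg OIDCConfig) (string, []string, error) {
	uc := cfg.UsernameClaim
	if uc == "" {
		uc = "sub"
	}
	raw, ok := claims[uc].(string)
	if !ok {
		return "", nil, fmt.Errorf("username claim %q missing or not a string", uc)
	}
	prefix := cfg.UsernamePrefix
	if prefix == "-" {
		prefix = ""
	} else if prefix == "" && uc != "email" {
		prefix = cfg.IssuerURL + "#"
	}
	var groups []string
	if gs, ok := claims[cfg.GroupsClaim].([]any); ok {
		for _, g := range gs {
			if s, ok := g.(string); ok {
				groups = append(groups, cfg.GroupsPrefix+s)
			}
		}
	}
	return prefix + raw, groups, nil
}

// newAPIRequest targets the same in-cluster endpoint InClusterConfig uses but carries
// the user's ID token instead of the pod's service-account token, so RBAC evaluates the user.
func newAPIRequest(host, port, idToken, path string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, "https://"+host+":"+port+path, nil)
	if err == nil {
		req.Header.Set("Authorization", "Bearer "+idToken)
	}
	return req, err
}

func fail(v ...any) { fmt.Fprintln(os.Stderr, v...); os.Exit(1) }
func main() {
	// HEADLAMP_ID_TOKEN is an assumed variable name for the token the app's own OIDC login produced.
	token := os.Getenv("HEADLAMP_ID_TOKEN")
	claims, err := decodeClaims(token)
	if err != nil {
		fail("HEADLAMP_ID_TOKEN:", err)
	}
	// Issuer and claim names are assumptions; substitute the cluster's --oidc-* values.
	user, groups, _ := rbacSubjects(claims, OIDCConfig{IssuerURL: "https://issuer.example", GroupsClaim: "groups"})
	fmt.Printf("API server will see user=%q groups=%v\n", user, groups)
	// Trust only the cluster CA kubelet mounts into every pod; host/port are set by kubelet too.
	caPEM, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(caPEM) {
		fail("not running in a pod or CA unreadable:", err)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	req, _ := newAPIRequest(os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT"), token, "/api/v1/pods")
	resp, err := client.Do(req)
	if err != nil {
		fail(err)
	}
	resp.Body.Close()
	// 401: the OIDC authenticator rejected the token; 403: accepted, but no binding matched user/groups.
	fmt.Println(resp.Status)
}
```

Reading the status is the useful check: a 401 means the API server would not accept the token at all (wrong issuer, audience or signing key for its `--oidc-*` settings), while a 403 means authentication succeeded and the problem is on the RBAC side, in which case the printed user and group strings are what the (Cluster)RoleBinding subjects have to match. `kubectl auth can-i list pods --as=<user> --as-group=<group>` with those exact strings confirms the binding without involving the app. Two things to keep out of such an app: never fall back to the pod's own service-account token when the user's token is rejected, because that turns the dashboard into a confused deputy acting with its own privileges, and never log the ID token.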