Kubernetes LDAP Authentication

Hello everyone,

I want to implement LDAP authentication in my Kubernetes cluster. I have installed Dex and OAuth2-Proxy in the cluster. We are performing operations in the cluster using kubeconfig and the Kubernetes Dashboard. I want to integrate LDAP for both of these components. However, my issue is as follows:

The cluster is managed via CAPI. I cannot add OIDC parameters to the kube-apiserver manifest file through CAPI because it is immutable. How can I handle the authentication and authorization steps without editing the API server? How can we validate both dashboard requests and kubeconfig requests on the API server without providing parameters? Alternatively, how can we make edits on the CAPI side for already installed systems? Otherwise, the system does not work.

I tried to manage it with kube-oidc-proxy, but it requires a lot of customization, which makes the troubleshooting process more difficult. I need to route the /api requests from the Dashboard and the kubeconfig requests to kube-oidc-proxy, but this also requires implementing many scenarios with a reverse proxy. This leads to increased complexity. If there are alternative methods available or if you could help me understand how to edit and add these parameters on the CAPI side, I would appreciate it.

Cluster information:

Kubernetes version: max version: 1.28.10
Cloud being used: On-prem clusters
Installation method: CAPI
Host OS: Ubuntu and CentOS
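For reference, here is where the kube-apiserver OIDC flags live in a kubeadm-based Cluster API control plane, as an added example that is not part of the original post and not code from the Dex, OAuth2-Proxy or Cluster API projects. The object name, the provider template kind, the Dex issuer URL, the CA file content and the group name `cluster-admins` are assumptions marked `PLACEHOLDER` or noted in comments; replace them with your own values.

```yaml
# Added example (not from the original post): kube-apiserver OIDC flags declared in a
# Cluster API KubeadmControlPlane object. Every PLACEHOLDER value is an assumption.
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: PLACEHOLDER-control-plane      # assumption: your existing KCP object
  namespace: default
spec:
  replicas: 3
  version: v1.28.10                    # matches the version given in the post
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
      kind: PLACEHOLDER-MachineTemplate  # assumption: provider-specific template kind
      name: PLACEHOLDER-control-plane
  kubeadmConfigSpec:
    # Drop Dex's CA on each control-plane node; /etc/kubernetes/pki is already
    # mounted into the kube-apiserver static pod by kubeadm, so no extraVolumes.
    files:
      - path: /etc/kubernetes/pki/dex-ca.crt
        owner: root:root
        permissions: "0644"
        content: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER: PEM of the CA that signed Dex's serving certificate
          -----END CERTIFICATE-----
    clusterConfiguration:
      apiServer:
        extraArgs:
          # Issuer Dex advertises; the API server fetches
          # <issuer>/.well-known/openid-configuration and its JWKS from here.
          oidc-issuer-url: https://dex.example.internal/dex   # assumption
          # Client ID the tokens are minted for (the "aud" claim); tokens for
          # any other client are rejected.
          oidc-client-id: kubernetes
          # CA used to verify the TLS connection to Dex when fetching the JWKS.
          oidc-ca-file: /etc/kubernetes/pki/dex-ca.crt
          # Claims that become the Kubernetes user name and group list.
          oidc-username-claim: email
          oidc-groups-claim: groups
          # Prefixes keep IdP-supplied identities from colliding with built-in
          # ones such as system:masters or system:nodes.
          oidc-username-prefix: "oidc:"
          oidc-groups-prefix: "oidc:"
---
# Authorization side, applied to the workload cluster (not the management
# cluster): bind the prefixed LDAP group to a role. "cluster-admins" is an
# assumed group name coming from LDAP through Dex.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "oidc:cluster-admins"   # note the prefix set by --oidc-groups-prefix
```

Two points worth checking before relying on this. First, the snippet shows where the flags belong; how a given Cluster API release and provider treat an edit to `kubeadmConfigSpec` on an existing control plane (some fields trigger a rolling replacement of control-plane machines, others are rejected as immutable) is something to confirm for your release rather than assume. Second, with the prefixes in place every identity the API server accepts from Dex is namespaced under `oidc:`, so the RBAC subjects must carry that prefix too; leaving the prefixes out would let a group claim issued by the IdP map directly onto a built-in Kubernetes group.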