Tanzu Kubernetes Grid includes and supports packages for dex and Gangway. These are used to extend authentication to LDAP and OIDC endpoints. Recall that Kubernetes does not do user-management or traditional authentication. As a K8s cluster admin, you can create service accounts of course, but those are not meant to be used by developers.
Think of dex as a transition layer, it uses ‘connectors’ for upstream Identity providers (IdP) like Active Directory for LDAP or Okta for SAML and presents an OpenID Connect (OIDC) endpoint for k8s to use.
TKG provides not only the packages mentioned above, but also a collection of yaml files and documentation for implementation. The current version (as of May 12, 2020) documentation for configuring authentication is pretty general, the default values in the config files are suitable for OpenLDAP. So, I thought I’d share the specific settings for connecting dex to Active Directory.
Assumptions:
-
- TKG Management cluster is deployed
- Following the VMware documentation
- Using the TKG-provided tkg-extensions
- dex will be deployed to management cluster or to a specific workload cluster
Edits to authentication/dex/vsphere/ldap/03-cm.yaml – from Docs
- Replace
<MGMT_CLUSTER_IP>with the IP address of one of the control plane nodes of your management cluster. This is one of the control plane nodes where we’re putting dex - If the LDAP server is listening on the default port 636, which is the secured configuration, replace
<LDAP_HOST>with the IP or DNS address of your LDAP server. If the LDAP server is listening on any other port, replace<LDAP_HOST>with the address and port of the LDAP server, for example 192.168.10.22:389 or ldap.mydomain.com:389. Never, never, never use unencrypted LDAP. You’ll need to specify port 636 unless your targeted AD controller is also a Global Catalog server in which case you’ll specify port 3269. Check with the AD team if you’re unsure. - If your LDAP server is configured to listen on an unsecured connection, uncomment insecureNoSSL: true. Note that such connections are not recommended as they send credentials in plain text over the network. Never, never, never use unencrypted LDAP.
- Update the userSearch and groupSearch parameters with your LDAP server configuration. This need much more detail – see steps below
Edits to authentication/dex/vsphere/ldap/03-cm.yaml – AD specific
- Obtain the root CA public certificate for your AD controller. Save a base64-encoded version of the certificate:
echo root64.cer | base64 > rootcer.b64for example will write the data from the PEM-encoded root64.cer file into a base64-encoded file named rootcer.b64 - Add the base64-encoded certificate content to the rootCAData key. Be sure to remove the leading “#”. This is an alternative to using the rootCA key, where we’ll have to place the file on each Control Plane node
- Update the userSearch values as follows:
key default set to notes baseDN ou=people, dc=vmware,dc=com
DN of OU in AD under which user accounts are found
Example: ou=User Accounts,DC=ragazzilab,DC=com filter “(objectClass= posixAccount)”
“(objectClass=person)” username uid userPrincipalName idAttr uid DN Case-sensitive emailAttr mail userPrincipalName nameAttr givenName cn - Update the groupSearch values as follows:
key default set to notes baseDN ou=people, dc=vmware,dc=com
DN of OU in AD under which security Groups are found
Example: DC=ragazzilab,DC=com filter “(objectClass= posixGroup)”
“(objectClass=group)” userAttr uid DN Case-Sensitive groupAttr memberUid “member:1.2.840.113556.1.4.1941:” This is necessary to search within nested groups in AD nameAttr cn cn
Other important Notes
When you create the oidc secret in the workload clusters running Gangway, the clientSecret value is base64-encoded, but the corresponding secret for the workload cluster in the staticClients section of the dex configmMap is decoded. This can be confusing since the decoded value is also randomly-generated.
Brian Ragazzi 
One thought on “Configure Tanzu Kubernetes Grid to use Active Directory”
Comments are closed.