Hi,
I’ve successfully set up my local Kubernetes cluster’s Kube API to use OIDC towards an Auth0 managed API. I can access my cluster with kubectl using the OIDC credentials. Now, I wanted to test the scenario in which I would revoke/deny my user’s access to the Auth0 API. I therefore blocked the user in Auth0 and removed the permission to the API, but kubectl continues to work, which is not what I expected. How should this usually work?
As a help, below I mention the configuration I have done:
In Auth0:
- having an API with an Application (Machine to Machine)
- having a user myuser@mydomain.com with permission to the API
This is the user’s configuration in the kube config file:
- name: myuser@mydomain.com
  user:
    auth-provider:
      config:
        client-id: <my-client-id>
        client-secret: <my-client-secret>
        id-token: <my-id-token>
        idp-issuer-url: https://myorganization.eu.auth0.com/
        refresh-token: <my-refresh-token>
      name: oidc
The Kube API server is started with the following parameters:
# Open ID Connect (OIDC)
--oidc-issuer-url=https://myorganization.auth0.com/
--oidc-client-id=<my-client-id>
--oidc-username-claim=email
--oidc-username-prefix=oidc:
--oidc-groups-prefix=oidc:
#~Open ID Connect (OIDC)
In Kubernetes, I’ve created the following ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-admin-role
subjects:
- kind: User
  name: "oidc:myuser@mydomain.ch"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Regards
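As an added illustration (not part of the original post), here is a Python sketch of the claim checks kube-apiserver's OIDC authenticator applies to the bearer token kubectl sends: exact issuer match, audience, expiry and the username claim, with no callback to the IdP, which is why a user blocked in Auth0 keeps authenticating until the cached id-token expires and the refresh token has to be used. The token, issuer, client id and the 10 hour lifetime are constructed sample values, and signature verification against the issuer's JWKS is left out.

```python
import base64
import json
import time

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    # Constructed sample ID token with a dummy signature segment. A real Auth0
    # token is RS256-signed and the apiserver verifies that via the issuer's JWKS.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"

def authenticate_like_apiserver(token, issuer_url, client_id,
                                username_claim="email", prefix="oidc:", now=None):
    # Mirrors the claim checks behind --oidc-issuer-url, --oidc-client-id,
    # --oidc-username-claim and --oidc-username-prefix (signature check omitted).
    # Note what is absent: no call back to the IdP, so a user blocked there
    # keeps authenticating until the token's exp passes.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "not a compact JWS"
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer_url:          # exact string comparison
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    username = claims.get(username_claim)
    if not username:
        return None, f"missing {username_claim} claim"
    return prefix + username, "ok"

# Constructed example: a token issued shortly before the user was blocked in Auth0.
ISSUER, CLIENT_ID, ISSUED_AT = "https://myorganization.eu.auth0.com/", "<my-client-id>", 1_700_000_000
SAMPLE_TOKEN = make_sample_token({"iss": ISSUER, "aud": CLIENT_ID, "email": "myuser@mydomain.com",
                                  "iat": ISSUED_AT, "exp": ISSUED_AT + 36_000})

if __name__ == "__main__":
    print(authenticate_like_apiserver(SAMPLE_TOKEN, ISSUER, CLIENT_ID, now=ISSUED_AT + 60))
```

Running it one minute after issuance yields the prefixed username, while the same token evaluated at or after its exp is rejected; nothing in between consults Auth0.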