Dex for Kubernetes: How Does it Work?

A view from an old brick corridor that’s covered with moss, which opens onto a field with trees.

What is Dex?

Dex is an open source CNCF sandbox project and authentication service released by CoreOS, Inc. that uses OpenID Connect (OIDC) to link Kubernetes and other OIDC-compatible services with a myriad of identity providers. Put another way, you can think of Dex as an intermediary between kubectl and widely used identity providers like Okta, GitHub, Google, Microsoft, and Linkedin, among others.

How Does Dex for Kubernetes Work?

Before getting into the details of how Dex works, it’s important to understand how the Kubernetes authentication process works.

What Problems Does Dex Solve?

We’ve already mentioned that Dex extends the functionality of Kubernetes by allowing administrators to manage users and groups using the organization’s identity service provider. However, this is not the only problem that Dex solves. Let’s take a look at some of the other benefits it offers.

Increased Security

Dex improves the security of your Kubernetes cluster in multiple ways:

  • It provides a secure way to log users into the cluster via identity providers.
  • It eliminates the security risk associated with using the same kubeconfig files for multiple users.
  • It enables efficient detection of actions performed by each user via Audit Logs.
  • It eliminates the practice of creating bearer tokens without time limits.
  • It helps enforce authentication and authorization policies thanks to efficient user and group management using RBAC rules (zero-trust RBAC access).

Flexibility

Every organization has unique requirements, and Dex is flexible enough to allow the use of almost any identity provider. Proof of this is the connectors available for Okta, GitHub, GitLab, Microsoft, Linkedin, and services that use OpenID Connect, OAuth 2.0, LDAP, and SAML 2.0 protocols, among others. Here’s a complete list of the connectors supported by Dex.

Provides a Centralized Authentication System

Implementing Dex may not be the best solution for small teams. However, for organizations with dozens of users distributed among different teams, Dex is a very powerful tool. The mere fact of not having to create, manage, and distribute kubeconfig files manually is a huge advantage in both time savings and security.

Setting up Authentication on Kubernetes Using Dex

As we’ve established, Dex acts as a portal that uses connectors to link Kubernetes with multiple identity providers. The following image provides a high-level overview of the Single Sign-On process:

  1. The end-user initiates a request to log in to Dex. This is usually done through a web application or portal where users initiate Single Sign-On.
  2. Dex forwards this request to a third-party identity provider (e.g., Active Directory, Google, GitHub, or Okta). For this purpose, Dex uses “connectors,” which have a series of protocols for querying other user management systems.
  3. Thanks to these connectors, Dex can then access relevant user information from the identity provider such as name, email, unique identifiers, group, access token, etc. In the case of Okta, this data comes as an ID token. According to Dex documentation, “ID Tokens are JSON Web Tokens (JWTs)… returned as part of the OAuth2 response that attest to the end user’s identity.”
  4. Once Dex obtains the user information from the third-party upstream identity provider, it assumes the role of identity provider and issues a signed ID token that it sends to the kubectl client, which forwards the JWT to the API server.
  5. The API server consumes the ID token using the Kubernetes OpenID Connect token authenticator plug-in. The result at this point can be either to validate or to reject the user. If the user is successfully authenticated, the API server uses the ID token information to apply the RBAC rules.
  6. The response from the API server is sent back to the kubectl client.
  7. The kubectl client displays the result to the end-user.

What Problems Are Not Addressed by Dex?

While Dex offers an excellent solution for organizations seeking a Single Sign-On experience for Kubernetes, it is not exempt from the limitations associated with certain identity providers.

Conclusion

In this article, you learned that Dex is a viable solution for achieving a better login experience with Kubernetes. Being an OIDC provider, Dex allows your organization to leverage the identity provider in use to connect to Kubernetes. This is a huge advantage because without adding additional infrastructure, your organization can implement centralized identity management for Kubernetes, which saves time and helps improve security policies.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Loft Labs

Loft Labs

637 Followers

>> www.loft.sh << Build Your Internal Kubernetes Platform With Virtual Clusters, Namespace Self-Service & Secure Multi-Tenancy