Okta for Kubernetes — A Step-by-Step Guide


What Is SSO for Kubernetes?

At this point in time, Kubernetes doesn’t maintain an internal system for storing and managing user accounts. Instead, users have to be created and managed outside of the cluster. This raises the question: how exactly does user authentication work? For starters, authentication is the process of validating that a user or entity is who they claim to be. In the context of Kubernetes, any user attempting to interact with a cluster must attach a set of credentials to their client request. These credentials are passed to the API server and validated against an external authentication (authn) module.

Implementing Okta SSO for Kubernetes Using Loft

Now, let’s get started with the tutorial. Before you begin, be sure you have:

Provision Your Kubernetes Cluster

As you would expect, the first requirement you need to meet is to have a remote Kubernetes cluster. In this demonstration, you will use Terraform to create an Amazon EKS cluster using this project. It contains the modules needed to create all the necessary infrastructure in your AWS account. The repository README.md details the steps on how to execute the creation of the infrastructure.

aws eks --region <cluster-region> update-kubeconfig --name <cluster-name>
kubectl config current-context

Install Loft CLI

To install the Loft CLI binary from GitHub, execute one of the following commands depending on your machine’s operating system:

Mac Terminal

curl -s -L "https://github.com/loft-sh/loft/releases/latest" | sed -nE 's!.*"([^"]*loft-darwin-amd64)".*!https://github.com\1!p' | xargs -n 1 curl -L -o loft && chmod +x loft;
sudo mv loft /usr/local/bin;

Linux Bash

curl -s -L "https://github.com/loft-sh/loft/releases/latest" | sed -nE 's!.*"([^"]*loft-linux-amd64)".*!https://github.com\1!p' | xargs -n 1 curl -L -o loft && chmod +x loft;
sudo mv loft /usr/local/bin;

Windows PowerShell

md -Force "$Env:APPDATA\loft"; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12';
Invoke-WebRequest -UseBasicParsing ((Invoke-WebRequest -URI "https://github.com/loft-sh/loft/releases/latest" -UseBasicParsing).Content -replace "(?ms).*`"([^`"]*loft-windows-amd64.exe)`".*","https://github.com/`$1") -o $Env:APPDATA\loft\loft.exe;
$env:Path += ";" + $Env:APPDATA + "\loft";
[Environment]::SetEnvironmentVariable("Path", $env:Path, [System.EnvironmentVariableTarget]::User);

Create an Okta Account

Next, if you don’t already have an Okta account, you’ll need to create one. The free trial account will suffice; just make sure you have a company email address to complete registration.

Deploy Loft to Your Kubernetes Cluster

After installing the Loft CLI and creating an Okta account, you can proceed to install Loft on your Kubernetes cluster by running the following command:

loft start

Configure Your Domain for Loft

Now that you have Loft running, you need to configure your instance with a registered domain in order for SSO to work with Okta. As mentioned at the beginning of the tutorial, you’ll need to have a domain name that you can associate with your Loft instance.

helm upgrade --install ingress-nginx ingress-nginx --repository-config='' \
-n ingress-nginx --create-namespace \
--repo https://kubernetes.github.io/ingress-nginx \
--set-string controller.config.hsts=false \
--wait
loft start --host=yourdomainname.com

Configure Single Sign-On for Loft

Once the domain has been configured for your Loft instance, you can proceed to configure SSO.

Create App Integration in Okta

Sign in to your Okta account, navigate to the Application section in the side menu, and click on the Create App Integration button. Select the “OpenID Connect (OIDC)” option for the sign-in method and “Web Application” for the application type.

Update Auth Configuration in Loft

In your Loft administrator account, navigate to Admin > Config and update your configuration with the following details:

auth:
  oidc:
    issuerUrl: 'https://${MY-OKTA-SUBDOMAIN}.okta.com'
    clientId: CLIENT_ID
    clientSecret: CLIENT_SECRET
    groupsClaim: groups
    # This is needed because Okta uses thin ID tokens
    # that do not contain the groups directly
    getUserInfo: true

auth:
  oidc: ...
  password:
    disabled: true # Disable password-based authentication
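The getUserInfo fallback configured above is worth seeing in code. The following added example (not from the post, Okta or Loft) shows how a relying party resolves group membership when the ID token is thin: it reads the groups claim from the token when present, otherwise from a UserInfo response, and refuses a UserInfo response whose sub does not match the token, as OpenID Connect Core 5.3.2 requires. The token fixture, the example.okta.com issuer, subject ids and group names are constructed for the demo.

```python
import base64
import json
from typing import Optional

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Assumes the OIDC client library has already verified the signature, issuer
    and audience; this helper only reads the payload of an already-trusted token.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def resolve_groups(claims: dict, groups_claim: str, userinfo: Optional[dict]) -> list:
    """Resolve group membership the way a getUserInfo fallback does.

    A thin ID token omits the groups claim, so the groups have to come from the
    UserInfo response. OpenID Connect Core 5.3.2 requires the client to verify
    that the UserInfo 'sub' equals the ID token 'sub' before trusting it.
    """
    if groups_claim in claims:
        return list(claims[groups_claim])
    if userinfo is None:
        raise ValueError(f"no '{groups_claim}' claim in ID token and no UserInfo response")
    if userinfo.get("sub") != claims.get("sub"):
        raise ValueError("UserInfo 'sub' does not match ID token 'sub'")
    return list(userinfo.get(groups_claim, []))

def make_demo_token(payload: dict) -> str:
    """Build a constructed ID token fixture; the signature segment is a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(payload)}.placeholder-signature"

# Constructed sample data: a thin token without groups and the UserInfo response
# that carries them for the same subject.
THIN_ID_TOKEN = make_demo_token({"iss": "https://example.okta.com", "sub": "00u1demo", "email": "dev@example.com"})
USERINFO_OK = {"sub": "00u1demo", "email": "dev@example.com", "groups": ["k8s-developers"]}
USERINFO_WRONG_SUB = {"sub": "00u9other", "groups": ["k8s-admins"]}

if __name__ == "__main__":
    print(resolve_groups(id_token_claims(THIN_ID_TOKEN), "groups", USERINFO_OK))
```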

Assign Users in Okta

After applying the above changes, you can assign a user or users to your application in Okta. To carry this out, make sure you are signed in to the Admin Console of your Okta account as you were before. Then, proceed to the Loft application you added and navigate to the Assignments tab. You will be presented with the option to either assign people or groups to the application, which will grant users the ability to sign in to Loft with their Okta account.

Conclusion

In this post, you learned about SSO as a security model for identity management and how it can be extended to Kubernetes. Furthermore, this article detailed how to set up SSO for your Kubernetes cluster with Okta and Loft. Loft is a platform designed to empower software teams and enhance developer experience when working with Kubernetes. Be sure to check it out!
