Would you like to learn how to configure Kubernetes LDAP authentication in Active Directory? In this tutorial, we are going to show you how to authenticate Kubernetes Dashboard users using Windows Active Directory and the LDAP protocol.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Kubernetes 1.18

This tutorial will install a single-node Kubernetes cluster.

In our example, the IP address of the Kubernetes master node is 192.168.15.200.

In our example, the IP address of the domain controller is 192.168.15.10.

Tutorial Windows - Domain Controller Firewall

• IP - 192.168.15.10
• Operating System - WINDOWS 2012 R2
• Hostname - TECH-DC01

First, we need to create a firewall rule on the Windows domain controller.

This firewall rule will allow the Kubernetes server to query the Active Directory.

On the domain controller, open the application named: Windows Firewall with Advanced Security

Create a new Inbound firewall rule.

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 389.

Select the Allow the connection option.

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description for the firewall rule.

Congratulations, you have created the required firewall rule.

This rule will allow the Kubernetes server to query the Active Directory database.

Keep in mind that TCP port 389 is plain LDAP: the BIND account password, and every user password that Apache will later forward to the domain controller, travel unencrypted on the wire. If your domain controller has a certificate, prefer LDAPS on TCP port 636 and open that port instead. It is also a good idea to restrict the rule's remote address to the IP address of the Kubernetes server (192.168.15.200) instead of exposing the port on the PUBLIC profile.

Tutorial Windows - Domain Account Creation

Next, we need to create at least 2 accounts in the Active Directory database.

The ADMIN account will be used to log into the Kubernetes Dashboard.

The BIND account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured for the ADMIN user: 123qwe..

This account will be used to authenticate on the Kubernetes web interface.

Create a new account named: bind

Password configured for the BIND user: kamisama123..

Kubernetes will use this account to query Active Directory.

The BIND account only needs to read user and group objects, which every authenticated domain account can do by default; do not add it to any privileged group, because its password will be stored in clear text in the Apache configuration file later. The passwords above are examples only; use strong, unique passwords in your environment.

Congratulations, you have created the required Active Directory accounts.

Tutorial Windows - Domain Group Creation

Next, we need to create a group in the Active Directory.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new group inside the Users container.

Create a new group named: KUBERNETES-ADMIN.

Members of this group will have administrative permission on the Kubernetes Dashboard.

Important! Add the ADMIN user as a member of the KUBERNETES-ADMIN group.

Congratulations, you have created the required Active Directory group.
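Before touching Apache, it is worth checking from the Kubernetes master that the firewall rule, the BIND account and the group membership all work. The script below is an added example and not part of the original tutorial. It assumes the domain tech.local with base DN dc=tech,dc=local (the tutorial does not name the domain), that the ldap-utils and netcat packages are installed, and it uses the IP addresses, account names and passwords from the steps above.

```shell
#!/usr/bin/env bash
# Added example: verify the LDAP path from the Kubernetes master to the
# domain controller (firewall rule, BIND account, KUBERNETES-ADMIN membership).
# Assumed values (not given on the page): domain tech.local, base DN dc=tech,dc=local.
DC_HOST="${DC_HOST:-192.168.15.10}"
DC_PORT="${DC_PORT:-389}"
BASE_DN="${BASE_DN:-dc=tech,dc=local}"
BIND_USER="${BIND_USER:-bind@tech.local}"      # AD accepts a UPN as the simple-bind identity
BIND_PASS="${BIND_PASS:-kamisama123..}"
GROUP_DN="${GROUP_DN:-cn=KUBERNETES-ADMIN,cn=Users,dc=tech,dc=local}"

# Build the LDAP filter that locates one AD user by logon name.
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$1"
}

# Return 0 when the LDIF text ($1) lists the group DN ($2) in memberOf.
# AD distinguished names compare case-insensitively, hence grep -i.
is_member() {
    printf '%s\n' "$1" | grep -i '^memberOf: ' | cut -d' ' -f2- | grep -qixF "$2"
}

# TCP reachability test: proves the firewall rule on the domain controller.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Simple bind as the BIND account and fetch the target user's group memberships.
# ldif-wrap=no keeps long DNs on one line so is_member can match them.
lookup_user() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "ldap://${DC_HOST}:${DC_PORT}" \
        -D "$BIND_USER" -w "$BIND_PASS" -b "$BASE_DN" \
        "$(user_filter "$1")" memberOf
}

main() {
    user=${1:-admin}
    port_open "$DC_HOST" "$DC_PORT" || { echo "TCP ${DC_PORT} on ${DC_HOST} is closed: check the firewall rule"; return 1; }
    ldif=$(lookup_user "$user") || { echo "bind failed: check the BIND account name and password"; return 1; }
    if is_member "$ldif" "$GROUP_DN"; then
        echo "OK: ${user} is a member of ${GROUP_DN}"
    else
        echo "${user} is NOT a member of ${GROUP_DN}; Apache will deny the login"
        return 1
    fi
}

# Run the live checks only when asked, e.g. ./ldapcheck.sh --run admin
if [ "${1:-}" = "--run" ]; then main "${2:-admin}"; fi
```

If the bind succeeds but the group is missing, the ADMIN user was not added to KUBERNETES-ADMIN; if the bind fails with LDAP error 49, the BIND password or UPN is wrong. For LDAPS, change the URL to `ldaps://` and point the `LDAPTLS_CACERT` environment variable at the domain controller's CA certificate.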

Tutorial Kubernetes - Master node Installation

Install the list of required packages.

Install the Docker service.

Enable the Docker service during boot.

Edit the Docker service configuration file.

Add the following configuration at the end of the item named: EXECSTART

Here is the file before our configuration.

Here is the file after our configuration.

Create a system configuration file.

Here is the file content.

Enable the system configuration file.

Edit the configuration file named: MODULES.CONF

Add the following configuration at the end of this file.

Edit the FSTAB configuration file and disable the use of swap memory.

Here is the file before our configuration.

Here is the file after our configuration.

Set a unique hostname.

Create a file to configure the required environment variables.

Here is the file content.

Reboot the computer.

Download and install the Kubernetes repository key.

Add the official Kubernetes repository.

Install the Kubernetes packages.

Download the required Kubernetes images.

Here is the command output.

Initialize the Kubernetes cluster.

Here is the command output.

Take note of the command to add nodes to the Kubernetes cluster.

The join command contains a bootstrap token that lets a new node enrol into the cluster; treat it as a secret. By default the token expires after 24 hours, and a new one can be generated later with kubeadm token create.

Set the correct file permission on the Kubernetes configuration file.

This configuration file is the cluster-admin credential; keep it readable only by the user that administers the cluster.

Install the required network configuration.

By default, the Kubernetes master node is not allowed to run pods.

Optionally, enable the Kubernetes master node to run pods.

In our example, we are using a single-node Kubernetes cluster.
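The node preparation above (swap disabled in fstab, the sysctl fragment, the kernel module list) is where most kubeadm pre-flight failures come from. The script below is an added example, not code from the original tutorial: it checks those three files plus the live kernel state. The file paths are assumptions about where you created the files (the tutorial names them only as the system configuration file, MODULES.CONF and FSTAB); override them through the environment variables if yours differ.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the kubeadm node prepared above.
# Paths are assumptions, not taken from the page; override via environment.
FSTAB="${FSTAB:-/etc/fstab}"
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/kubernetes.conf}"
MODULES_FILE="${MODULES_FILE:-/etc/modules.conf}"

# Return 0 when the fstab file ($1) has no uncommented swap entry
# (the kubelet refuses to start while swap is enabled).
fstab_swap_disabled() {
    ! grep -Ev '^[[:space:]]*#' "$1" | awk '$3 == "swap" { found = 1 } END { exit !found }'
}

# Return 0 when the sysctl fragment ($1) sets all three keys the Kubernetes
# container-runtime documentation asks for to 1.
sysctl_fragment_ok() {
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || return 1
    done
    return 0
}

# Return 0 when the module list ($1) loads br_netfilter, which must be
# present before the net.bridge.* sysctls even exist.
modules_listed() {
    grep -Eq '^[[:space:]]*br_netfilter([[:space:]]|$)' "$1"
}

# Live checks against the running node; prints one line per failure.
live_checks() {
    rc=0
    fstab_swap_disabled "$FSTAB" || { echo "FAIL: swap entry still active in $FSTAB"; rc=1; }
    [ -z "$(swapon --noheadings 2>/dev/null)" ] || { echo "FAIL: swap is in use now; run swapoff -a"; rc=1; }
    sysctl_fragment_ok "$SYSCTL_FILE" || { echo "FAIL: $SYSCTL_FILE is missing a required key"; rc=1; }
    modules_listed "$MODULES_FILE" || { echo "FAIL: br_netfilter is not listed in $MODULES_FILE"; rc=1; }
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = 1 ] \
        || { echo "FAIL: bridge-nf-call-iptables is not 1 (module loaded? sysctl --system run?)"; rc=1; }
    return $rc
}

# Run against the real node with: ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Run it after the reboot and before kubeadm init; a clean run means the reboot actually applied the module and sysctl changes rather than only the files being in place.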

Tutorial - Kubernetes Dashboard installation

Install the list of required packages.

Download the required YAML file.

Install the Kubernetes Dashboard.

Here is the command output.

Create a service account for the Dashboard.

Configure the cluster-admin role for the Dashboard service account.

Create a service account for the Apache proxy.

Configure the cluster-admin role for the Apache proxy account.

Keep in mind what this binding means: every request the Dashboard makes on behalf of a proxied user carries the Apache proxy token, so every user that Apache lets through acts as cluster-admin. The group check in the Apache configuration is the only authorization layer, and the token itself is a long-lived cluster-admin credential that must be protected wherever it is stored.

List the Apache secret available on the Kubernetes server.

Here is the command output.

Notice that your secret's name will not be the same as ours.

Get the value of the Apache secret token.

Here is the command output.

Take note of the Apache token value.

In our example, this is the token value:

List the Dashboard service cluster IP address.

Here is the command output.

Take note of the cluster IP address and TCP port.

In our example, the Dashboard service is using the TCP port 443 and the IP address 10.107.55.24.

The Dashboard service remains a ClusterIP service, reachable only from inside the cluster network; do not expose it with a NodePort or LoadBalancer, or the Apache authentication can be bypassed.

You have finished the required Dashboard configuration.
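The service account, role binding and token extraction steps above can be done with kubectl as follows. This is an added example, not the tutorial's own commands; it assumes the service account is named apache-proxy in the kube-system namespace (the tutorial does not give the names) and that the Dashboard was installed from the upstream recommended.yaml, which creates the kubernetes-dashboard namespace and service. The JWT decoder lets you confirm which account a token belongs to before pasting it into Apache.

```shell
#!/usr/bin/env bash
# Added example: create the Apache proxy service account, bind it to
# cluster-admin as the tutorial does, and extract its token with kubectl.
# Assumed names (not on the page): namespace kube-system, account apache-proxy,
# Dashboard service kubernetes-dashboard in namespace kubernetes-dashboard.
NS="${NS:-kube-system}"
SA="${SA:-apache-proxy}"

create_proxy_sa() {
    kubectl -n "$NS" create serviceaccount "$SA"
    # cluster-admin here means: every user Apache lets through is cluster-admin.
    kubectl create clusterrolebinding "${SA}-cluster-admin" \
        --clusterrole=cluster-admin --serviceaccount="${NS}:${SA}"
}

# Kubernetes 1.18 auto-creates a token secret for each service account.
sa_secret_name() {
    kubectl -n "$NS" get serviceaccount "$SA" -o jsonpath='{.secrets[0].name}'
}

# Print the bearer token in clear text (this is the value Apache will send).
sa_token() {
    kubectl -n "$NS" get secret "$(sa_secret_name)" -o jsonpath='{.data.token}' | base64 -d
}

# ClusterIP:port of the Dashboard service, for ProxyPass.
dashboard_endpoint() {
    kubectl -n kubernetes-dashboard get service kubernetes-dashboard \
        -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}'
}

# Decode the payload of a JWT (service account tokens are JWTs) without
# verifying it; enough to read the "sub" claim and check the account name.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url drops the padding; restore it before decoding
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Apply against the real cluster with: ./proxy-sa.sh --apply
if [ "${1:-}" = "--apply" ]; then
    create_proxy_sa
    tok=$(sa_token)
    echo "token subject: $(jwt_payload "$tok" | tr ',' '\n' | grep '"sub"')"
    echo "dashboard endpoint: $(dashboard_endpoint)"
fi
```

The subject printed should read system:serviceaccount:kube-system:apache-proxy; if it names a different account, you copied the wrong secret.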

Kubernetes Proxy - Basic user authentication using Apache

On the master node, install the Apache server.

Enable the required Apache modules.

Edit the Apache configuration file.

Add the following lines to the end of this file.

Create a private key and certificate using the OpenSSL command.

Enter the requested information.

In the option named COMMON_NAME, you must enter the IP address or the hostname.

In our example, we use the IP address: 192.168.15.200

Convert your existing Kubernetes proxy certificate and key to a single file in the PEM format.

Edit the Apache configuration file for the default website.

Here is the file, before our configuration.

Here is the file, after our configuration.

Change the IP address of the configuration item named AUTHLDAPURL to the IP address of the domain controller.

Change all Active Directory domain information (base DN, bind DN and group DN) to reflect your environment.

Change the IP address of the configuration items named PROXYPASS and PROXYPASSREVERSE to the cluster IP address of the Dashboard service.

Change the token value of the configuration item named REQUESTHEADER to the Apache secret token value created earlier.

In our example, we enabled the use of HTTPS using a self-signed certificate.

In our example, we configured the use of LDAP authentication.

Apache will proxy the HTTPS communication between the user and the Dashboard service cluster IP address.

Apache will use a certificate and key created automatically during the Kubernetes server installation to perform mutual TLS authentication on the Dashboard.

The Apache server will add a header to every request forwarded to the Dashboard.

This is the AUTHORIZATION header, carrying the word BEARER followed by the secret token created earlier for the Apache proxy service account.

Apache will also redirect HTTP users to the HTTPS version of the requested URL.

This configuration file now contains two secrets, the BIND account password and the cluster-admin token; make it readable only by root (Apache reads its configuration as root before dropping privileges). Also make sure the authorization rule is a group requirement on KUBERNETES-ADMIN rather than a plain valid-user rule, otherwise any domain account can reach the Dashboard as cluster-admin.

Restart the Apache service.
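The Apache site described above, expressed as a small shell function that renders the configuration from the three values that change per environment (domain controller IP, Dashboard endpoint and token). This is an added example and not the tutorial's own file. It assumes the domain tech.local with base DN dc=tech,dc=local, certificate files under /etc/apache2/ssl (apache.crt and apache.key from the OpenSSL step, kubecfg.pem from the conversion step), and, because the Dashboard presents a self-signed certificate, that upstream peer verification is switched off; all of these are assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Added example: render the Apache default-site configuration for the
# Kubernetes Dashboard proxy. Assumptions (not on the page): domain tech.local,
# base DN dc=tech,dc=local, certificates under /etc/apache2/ssl.
# Required modules: a2enmod ssl proxy proxy_http headers ldap authnz_ldap
# usage: render_vhost DC_IP DASHBOARD_IP:PORT TOKEN > /etc/apache2/sites-available/000-default.conf
render_vhost() {
    dc_ip=$1; dashboard=$2; token=$3
    base_dn="${BASE_DN:-dc=tech,dc=local}"
    cat <<EOF
<VirtualHost *:80>
    ServerName 192.168.15.200
    # Send plain-HTTP users to the HTTPS site.
    Redirect permanent / https://192.168.15.200/
</VirtualHost>

<VirtualHost *:443>
    ServerName 192.168.15.200
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    # Upstream TLS to the Dashboard. It presents a self-signed certificate,
    # so peer checks are disabled here (weak); if you give the Dashboard a
    # certificate from a CA you control, use SSLProxyCACertificateFile instead.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyMachineCertificateFile /etc/apache2/ssl/kubecfg.pem

    ProxyRequests off
    ProxyPass / https://${dashboard}/
    ProxyPassReverse / https://${dashboard}/

    # Every forwarded request carries the proxy service account token.
    RequestHeader set Authorization "Bearer ${token}"

    <Location />
        AuthType Basic
        AuthName "Kubernetes Dashboard"
        AuthBasicProvider ldap
        # ldaps://${dc_ip}:636 is the secure choice; it needs the DC certificate
        # trusted via LDAPTrustedGlobalCert in the server config and TCP 636 open.
        AuthLDAPURL "ldap://${dc_ip}:389/${base_dn}?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "bind@tech.local"
        AuthLDAPBindPassword "kamisama123.."
        # ldap-group, not valid-user: only KUBERNETES-ADMIN members may reach
        # the cluster-admin token behind this proxy.
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=KUBERNETES-ADMIN,cn=Users,${base_dn}
    </Location>
</VirtualHost>
EOF
}

# Write the site file root-only, since it embeds the bind password and the token.
install_vhost() {
    render_vhost "$@" > /etc/apache2/sites-available/000-default.conf
    chmod 600 /etc/apache2/sites-available/000-default.conf
    apachectl configtest
}

# Example: ./vhost.sh --install 192.168.15.10 10.107.55.24:443 "$TOKEN"
if [ "${1:-}" = "--install" ]; then shift; install_vhost "$@"; fi
```

Run apachectl configtest before restarting; a typo in AuthLDAPURL fails at start-up, while a wrong bind password only shows up as "LDAP: bind failed" in the error log at the first login attempt.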

Open your browser and access the HTTPS version of the Apache server's IP address.

In our example, the following URL was entered in the browser:

• https://192.168.15.200

The Apache server will require you to perform user authentication.

Log in with the ADMIN account created earlier; an account that is not a member of the KUBERNETES-ADMIN group must be refused.

After a successful login, the Kubernetes Dashboard should be presented.

The Apache proxy will automatically authenticate to the Kubernetes Dashboard using the Dashboard feature named: Authorization header.

You have successfully completed the configuration of Apache as a proxy for the Kubernetes Dashboard.