___ ____ _ _ ____ _ _ _ _ ____ _ _ ____ _ _ ____ ____
| | | |_/ |___ |\ | \/ | |__| |__| |\ | | __ |___
| |__| | \_ |___ | \| _/\_ |___ | | | | | \| |__] |___
This is a Kubernetes client credentials exec provider that enables cross-cluster Kubernetes authorization using Kubernetes Service Account tokens and Dex token exchange.

Originally developed to allow the ArgoCD Application Controller on one cluster to manage resources on a remote cluster in a multi-cloud environment where using GKE / EKS IAM authentication was impractical.
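The flow the provider implements, as an added illustration rather than the project's own code: read the projected Service Account token, exchange it at Dex's `/token` endpoint for an id_token, and print the `ExecCredential` that kubectl or ArgoCD consumes. The issuer, static client and connector id are taken from the example configuration in this README; the RFC 8693 parameter names follow Dex's token-exchange flow, and the Service Account token path is the standard projected mount.

```python
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

def build_exchange_request(issuer, client_id, client_secret, connector_id, sa_token):
    """Build the RFC 8693 token-exchange POST for Dex's <issuer>/token endpoint.

    The Service Account JWT is the subject token, connector_id selects the source cluster's
    oidc connector, and federated:id asks for an id_token carrying the original subject.
    """
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "connector_id": connector_id,
        "scope": "openid federated:id",
        "requested_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "subject_token": sa_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    }
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return issuer.rstrip("/") + "/token", headers, urllib.parse.urlencode(form).encode()

def to_exec_credential(token_response, now_epoch):
    """Wrap Dex's response (RFC 8693 puts the issued token in access_token) in the
    ExecCredential document kubectl and ArgoCD read from the plugin's stdout."""
    token = token_response.get("access_token")
    if not token:
        raise ValueError(f"token exchange returned no token: {token_response}")
    # expires_in becomes expirationTimestamp so the client re-runs the plugin in time.
    exp = time.gmtime(now_epoch + int(token_response.get("expires_in", 0)))
    return {"apiVersion": "client.authentication.k8s.io/v1", "kind": "ExecCredential",
            "status": {"token": token,
                       "expirationTimestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", exp)}}

def exchange(issuer, client_id, client_secret, connector_id, sa_token):
    """Run the exchange against a live Dex and return the ExecCredential dict."""
    url, headers, body = build_exchange_request(issuer, client_id, client_secret, connector_id, sa_token)
    with urllib.request.urlopen(urllib.request.Request(url, body, headers)) as resp:
        return to_exec_credential(json.load(resp), int(time.time()))

if __name__ == "__main__":
    # Assumed wiring: issuer, static client and connector id from this README's example
    # config; the Service Account token comes from its standard projected mount path.
    with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as f:
        json.dump(exchange("https://dex.example.com", "target-cluster", "not-a-secret",
                           "argocd-cluster", f.read().strip()), sys.stdout)
```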
The provider prints an `ExecCredential` object that can be read by kubectl and other tools (e.g. ArgoCD).

Dex needs an `oidc` connector for the source cluster, so that it can verify the Service Account tokens issued by that cluster, and a static client for the target cluster:

```yaml
connectors:
- id: argocd-cluster
  name: argocd-cluster
  type: oidc
  config:
    issuer: https://oidc-argocd-cluster.s3.us-east-1.amazonaws.com
    scopes:
    - openid
    - federated:id
    userNameKey: sub
issuer: https://dex.example.com
staticClients:
- id: target-cluster
  name: target-cluster
  secret: not-a-secret
  public: true
```

The target cluster's API server needs `oidc` settings that allow it to trust tokens signed by Dex:

```
"--oidc-client-id=target-cluster",
"--oidc-issuer-url=https://dex.example.com",
"--oidc-username-claim=sub",
"--oidc-username-prefix=oidc:",
```
Finally, the exchanged identity needs permissions on the target cluster. With `--oidc-username-claim=sub` and `--oidc-username-prefix=oidc:`, the Service Account subject arrives as the user `oidc:system:serviceaccount:argocd:argocd-application-controller`. The role below grants `*` on every resource and non-resource URL, which is equivalent to `cluster-admin`; narrow it to the resources the controller actually manages where you can.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: remote-argocd-application-controller
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: remote-argocd-application-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: remote-argocd-application-controller
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: oidc:system:serviceaccount:argocd:argocd-application-controller
```