Kubernetes Security, Part 4: Kubernetes Authentication (Part B: Open ID Connect Auth)

In this video we discuss the OpenID Connect (OIDC) authentication method for Kubernetes. The default X509 client-certificate authentication works for small Kubernetes environments, but it is not the best fit for large organizations: each user needs an individually issued certificate, and the API server does not check certificate revocation, so access can only be withdrawn by waiting for expiry or by removing the user's RBAC bindings. We start by reviewing Kubernetes' X509 client authentication and how client certificates are created, then discuss its shortcomings. We then look at the OIDC architecture, using Okta as the OIDC provider for this video. We walk through setting up the Okta authorization server, users, and groups with Terraform infrastructure-as-code (IaC). On the Kubernetes side, we register the new Okta authorization server as the cluster's OIDC provider, create RBAC roles, and bind them to our Okta groups. Finally, we log in to Okta through the kubelogin kubectl plugin as one of the Okta users and run some authorization tests.

Timecodes
0:00 - Intro (Overview of X509 Authentication and its Shortcomings).
6:18 - Open ID Connect (OIDC) Overview.
8:34 - OIDC Authentication Workflow.
14:08 - Demo Overview (Part 1: Prerequisites and Okta Authorization Server and User/Group Creation Walkthrough).
16:59 - Demo Overview (Part 2: Roles and RoleBindings for Okta Groups).
19:39 - Demo Part 1: Okta Developer Registration and Admin Web Site.
23:47 - Note and Recommendation on Accessing Okta Admin Page from a Different Machine.
25:21 - Demo Part 2: Create Okta Authorization Server and Okta Users and Groups (Terraform), Configure Kubernetes with Okta OIDC Settings, and Authenticate to Kubernetes as an Okta User. Users at This Point Don't Have Any RBAC Authorization Yet.
46:48 - Create a "marketing" Namespace for Our Okta Users, Create RBAC Roles and RoleBindings for the Okta Groups, and Perform Authorization Tests.
1:00:49 - Recap.
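The wiring the demo walks through (API server trusting the Okta authorization server, an Okta group bound to a namespace-scoped Role, and kubectl obtaining the ID token through kubelogin), as an added example that is not taken from the video and is not the author's Terraform or manifests. The Okta org host name, authorization server ID, client ID, user name and group name are placeholders; the cluster is assumed to be kubeadm-based and the Okta application is assumed to be a public (PKCE) client, so no client secret is passed.

```yaml
# Added example (not from the video). All Okta identifiers below are placeholders.

# --- 1. kube-apiserver: trust the Okta authorization server as the OIDC issuer.
# kubeadm ClusterConfiguration; the same keys become --oidc-* flags on kube-apiserver.
# The issuer URL must match the "iss" claim of the ID token byte-for-byte.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: "https://dev-123456.okta.com/oauth2/aus0example"   # placeholder
    oidc-client-id: "0oa0example"                                        # placeholder
    oidc-username-claim: "email"      # claim that becomes the Kubernetes user name
    oidc-groups-claim: "groups"       # claim that becomes the Kubernetes group list
    oidc-username-prefix: "okta:"     # keeps OIDC identities apart from system: and cert users
    oidc-groups-prefix: "okta:"       # same for groups; RBAC subjects must include it
---
# --- 2. Namespace plus RBAC for the "marketing" Okta group.
apiVersion: v1
kind: Namespace
metadata:
  name: marketing
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: marketing-viewer
  namespace: marketing
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: okta-marketing-viewers
  namespace: marketing
subjects:
- kind: Group
  # "<oidc-groups-prefix><Okta group name as emitted in the groups claim>"
  name: "okta:k8s-marketing"          # placeholder group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: marketing-viewer
  apiGroup: rbac.authorization.k8s.io
---
# --- 3. kubeconfig user entry: kubectl runs the kubelogin plugin (kubectl oidc-login),
# which opens the browser for the Okta login, caches the ID token, and hands it back
# to kubectl, which then sends it as a bearer token to the API server.
apiVersion: v1
kind: Config
users:
- name: okta-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://dev-123456.okta.com/oauth2/aus0example   # placeholder
      - --oidc-client-id=0oa0example                                        # placeholder
      - --oidc-extra-scope=email
      - --oidc-extra-scope=groups     # without this scope Okta omits the groups claim
```

Two checks worth running before blaming RBAC: decode the ID token kubelogin caches (or the output of `kubectl oidc-login get-token ...`) and confirm it actually carries `email` and `groups` claims with the expected values; the Okta authorization server only emits `groups` if a groups claim is configured on it and the client requests the `groups` scope. Then confirm the binding resolves with `kubectl --user okta-user auth can-i list pods -n marketing`, remembering that the subject name in the RoleBinding must include the `oidc-groups-prefix`; a bare `k8s-marketing` subject will never match.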

My Other Videos:
► Kubernetes Security, Part 3: Kubernetes Auth (Part A: Overview and X509 Client Certificate Auth)
► Kubernetes Security, Part 2: Managing POD Run Time Security
► Istio Ambient Service Mesh
► Kubernetes Security, Part 1: Kubernetes Security Overview and Role-Based Access Control (RBAC) in Detail
► Cilium Service Mesh
► Cilium Kubernetes CNI Provider: Part 4, IP Routing Modes (Direct and Encapsulated)
► Cilium Kubernetes CNI Provider, Part 3: Cluster Mesh
► Cilium Kubernetes CNI Provider, Part 2: Security Policies and Observability Leveraging Hubble
► What is VXLAN and How It is Used as an Overlay Network in Kubernetes?
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 2 - Join Linux Machines to AD
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 1 - Setup AD
► Sharing Resources between Windows and Linux
► Kubernetes kube-proxy Modes: iptables and ipvs, Deep Dive
► Kubernetes: Configuration as Data: Environment Variables, ConfigMaps, and Secrets
► Configuring and Managing Storage in Kubernetes
► Istio Service Mesh – Securing Kubernetes Workloads
► Istio Service Mesh – Intro
► Understanding Kubernetes Networking, Part 6: Calico Network Policies
► Understanding Kubernetes Networking, Part 5: Intro to Kubernetes Network Policies
► Understanding Kubernetes Networking, Part 4: Kubernetes Services
► Understanding Kubernetes Networking, Part 3: Calico Kubernetes CNI Provider in Depth
► Understanding Kubernetes Networking, Part 2: POD Network, CNI, and Flannel CNI Plug-in
► Understanding Kubernetes Networking, Part 1: Container Networking
► Setup a Linux-Windows (Calico-based) Hybrid Kubernetes Cluster to Host .NET Containers
► A Docker and Kubernetes Tutorial for Beginners
► Setup a "Docker-less" Multi-node Kubernetes Cluster on Ubuntu Server
Comments

Excellent Video. Thanks so much Sir for making this video.

omega

Thanks for this course. Very helpful.

paullabel