# Talos

Talos is a lightweight, API-driven, full-stack Kubernetes system. As with any Kubernetes server, you can set it up to authenticate users using OIDC. This guide details configuring Talos to use Pocket ID as the authentication and authorization server.
## Pocket ID Setup

- In Pocket ID create a new OIDC Client, name it e.g. `Kubernetes`.
- Set a logo for this OIDC Client if you would like to.
- Set the callback URL to `http://localhost:8000`.
- Copy the `Client ID` and the `Client Secret` for use in the next steps.
## Talos setup

Modify the `cluster.apiServer` block to include the lines marked `+` below:

```diff
 cluster:
   apiServer:
     image: registry.k8s.io/kube-apiserver:v1.33.1 # The container image used in the API server manifest.
+    extraArgs:
+      oidc-issuer-url: <url of pocket-id>
+      oidc-client-id: <Client ID from Pocket ID>
+      oidc-username-claim: sub
+      oidc-groups-claim: groups
+      oidc-groups-prefix: "oidc:"
```
Create a ClusterRoleBinding that maps the Pocket ID group you want to act as cluster admins onto Kubernetes. In the example below there is a group called `kubernetes` in Pocket ID that our user is assigned to:

```yaml
# filename=crb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admins-from-pass-keys
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:kubernetes
```

Apply this:

```shell
kubectl apply -f crb.yaml
```
## Modify Kubeconfig file

You will need to install the command line tool kubelogin. Refer to the GitHub repo for instructions related to your system.

Run the command below to generate a config and validate that the token is working:

```shell
kubectl oidc-login setup \
  --oidc-issuer-url=<pocket ID url> \
  --oidc-client-id=<client ID> \
  --oidc-client-secret=<client secret> \
  --oidc-extra-scope=groups,email,name,sub,email_verified
```
You need to ensure that your email is verified, as Kubernetes requires this when working with OIDC.

You should get a response similar to:

```json
{
  "aud": "a60960a8-c856-43b7-add7-50d83bf7eeab",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1749867571,
  "groups": [
    "kubernetes"
  ],
  "iat": 1749863971,
  "iss": "<Pocket ID url>",
  "nonce": "sLY0SUaiLxe9JDfUpNEsBDbhKceOB-T1zxxRYJPQbvk",
  "sub": "643c3fba-370a-4738-92a6-9ergec96cd99"
}
```
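Before wiring the user into your kubeconfig it helps to confirm that the claims in that response actually line up with the API server flags and the ClusterRoleBinding, since a mismatched issuer, audience or missing `oidc:` prefix shows up later only as a generic `Forbidden`. The script below is an added example, not part of the Pocket ID or Talos documentation; it mirrors the `extraArgs` and `crb.yaml` above with a constructed issuer URL and constructed claims, and derives the username and groups the API server would see.

```python
import time

# Constructed to mirror the cluster.apiServer.extraArgs block; the issuer URL is assumed.
APISERVER_OIDC = {
    "oidc-issuer-url": "https://id.example.com",
    "oidc-client-id": "a60960a8-c856-43b7-add7-50d83bf7eeab",
    "oidc-username-claim": "sub",
    "oidc-groups-claim": "groups",
    "oidc-groups-prefix": "oidc:",
}

# Group subjects declared in the crb.yaml above.
CRB_GROUP_SUBJECTS = ["oidc:kubernetes"]

# Constructed claims in the shape `kubectl oidc-login setup` prints.
SAMPLE_CLAIMS = {
    "aud": "a60960a8-c856-43b7-add7-50d83bf7eeab",
    "email": "alice@example.com",
    "email_verified": True,
    "exp": 1749867571,
    "groups": ["kubernetes"],
    "iss": "https://id.example.com",
    "sub": "643c3fba-370a-4738-92a6-9ergec96cd99",
}

def k8s_identity(claims, cfg, now=None):
    """Return (username, groups) as the API server maps them, or raise ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["oidc-issuer-url"]:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if cfg["oidc-client-id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: %r" % aud)
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username_claim = cfg["oidc-username-claim"]
    if username_claim not in claims:
        raise ValueError("username claim %r missing" % username_claim)
    # With oidc-username-claim=email the API server rejects a false email_verified.
    if username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("email_verified is false")
    username = cfg.get("oidc-username-prefix", "") + str(claims[username_claim])
    prefix = cfg.get("oidc-groups-prefix", "")
    groups = [prefix + g for g in claims.get(cfg["oidc-groups-claim"], [])]
    return username, groups

def bound_groups(groups, subjects=CRB_GROUP_SUBJECTS):
    """Token groups that a ClusterRoleBinding Group subject actually names."""
    return [g for g in groups if g in subjects]
```

If `bound_groups` comes back empty while the token clearly carries the group, the usual cause is that `oidc-groups-prefix` and the `name` in the binding's subject do not agree.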
Create a new user in your `~/.kube/config` file with the below:

```yaml
- name: pocket-id
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=<pocket ID url>
      - --oidc-client-id=<client ID>
      - --oidc-client-secret=<client secret>
      - --oidc-extra-scope=groups
      - --oidc-extra-scope=email
      - --oidc-extra-scope=name
```
Then update your current context to use this user:

```diff
 - context:
     cluster: testing
     namespace: default
-    user: admin@testng
+    user: pocket-id
   name: testing
```