Dex Kubernetes Identity Federation

Published by TechMarmot Editorail Staff on | Category Kubernetes

Kubernetes, while dominating the landscape as the most widely utilized open source container orchestration platform, possesses a fundamental architectural characteristic: it does not natively provide the means to create or manage users. This lack of a native user database is not a technical deficiency but a strategic design choice. By omitting internal user management, Kubernetes allows system administrators to integrate the identity service provider that best fits their specific organizational requirements. Within this ecosystem, Dex has emerged as a premier authentication solution, specifically engineered to bridge the gap between the Kubernetes API server and external identity sources.

Dex is an open source project residing within the CNCF (Cloud Native Computing Foundation) sandbox. Developed by CoreOS, Inc., it functions as a specialized authentication service that leverages OpenID Connect (OIDC) to link Kubernetes and other OIDC-compatible services with a diverse array of identity providers. In practical terms, Dex operates as an intermediary layer, or a bridge, positioned between the kubectl command-line tool and widely used identity providers such as Google, Okta, Microsoft, LinkedIn, and GitHub. This architectural positioning allows organizations to implement centralized user and group management, a requirement that becomes critical as organizations scale and distribute developers across multiple teams.

The Architecture of Dex as an OIDC Issuer

Dex is categorized as a full OIDC issuer. This means that any client that complies with the OpenID Connect standard can run the authorization-code flow against Dex directly. However, it is critical to distinguish Dex from a full Identity and Access Management (IAM) platform. Unlike platforms such as Zitadel, which is an event-sourced IAM platform that owns user data, organizations, and audit logs within a CockroachDB, Dex owns no user state whatsoever. It is not a data plane; rather, it is a protocol adapter.

The core functionality of Dex is to take an upstream identity source—such as LDAP, GitHub, or SAML—and re-expose that identity as OIDC. This means Dex does not replace the existing identity provider but federates it. While other solutions like Authentik may utilize a Python/Django application with its own internal user store and flows engine, Dex delegates all authentication to the upstream provider. It simply translates the response from that provider into standard OIDC claims that Kubernetes can understand.

Because Dex runs on the user's own infrastructure—whether as a Kubernetes deployment, a systemd unit, or a container on any substrate—it ensures that user data and audit logs remain within the internal network. This avoids the pitfalls of managed IAM services, which often bind the authentication path to a specific cloud provider's APIs, billing structures, and outage surfaces.

Connectivity and Integration Ecosystem

Dex provides a vast array of connectors, allowing it to interface with various protocols and providers. This flexibility ensures that regardless of the legacy system an organization uses, they can still leverage OIDC for Kubernetes authentication.

The supported connectors and protocols include:

  • Okta
  • GitHub
  • GitLab
  • Microsoft
  • LinkedIn
  • LDAP
  • SAML 2.0
  • OAuth 2.0
  • Other OpenID Connect services

For organizations with dozens of users distributed among different teams, the implementation of Dex is highly advantageous. The most immediate impact is the elimination of the need to manually create, manage, and distribute kubeconfig files. This reduction in manual overhead results in significant time savings and a substantial increase in security, as sensitive credentials are no longer distributed as static files across developer machines.

Dex and Amazon EKS Integration

In the context of Amazon Elastic Kubernetes Service (Amazon EKS), the integration of Dex provides a powerful alternative to traditional AWS IAM-based authentication. Previously, the primary methods for granting access to an EKS cluster involved creating IAM principles (users or roles) and mapping them to Kubernetes RBAC groups. While alternative approaches like kube-oidc-proxy existed, they relied on impersonation and were often difficult to configure.

The introduction of OIDC support in EKS allows customers to use an OIDC-compatible identity provider of their choosing. This is particularly beneficial for organizations that are reticent to create individual AWS IAM accounts or roles for every developer. By using Dex with Amazon EKS, organizations can grant access using an OIDC-compatible provider, ensuring that identities are logged to the Kubernetes audit log. This gives InfoSec teams the ability to ascribe specific Kubernetes API calls to individual users who authenticate via OIDC, improving auditability and accountability.

Technical Implementation and Configuration

The deployment of Dex typically involves pulling a container image, deploying a Helm chart, or building the project from source, as Dex can run anywhere the Go language is supported. Configuration is handled through a single YAML file where clients, storage, and connectors are defined. This configuration supports templated values natively.

When deploying Dex within a Kubernetes cluster, the service is often exposed using a node port on port 32000. Because this setup may involve specific network routing, it often requires a custom /etc/hosts entry pointing to one of the cluster's worker nodes to ensure the DNS resolution functions correctly.

Kubernetes API Server Configuration

To enable authentication, the Kubernetes API server must be configured with specific OIDC flags. These flags tell the API server how to communicate with Dex and how to validate the tokens it receives.

The following configuration parameters are used:

  • --oidc-issuer-url=https://dex.example.com:32000: This defines the URL of the Dex issuer.
  • --oidc-client-id=example-app: This specifies the ID of the client that the API server is trusting.
  • --oidc-ca-file=/etc/ssl/certs/openid-ca.pem: This provides the Certificate Authority (CA) file used to validate the TLS assets, which is assumed to be present on the cluster nodes.
  • --oidc-username-claim=email: This tells Kubernetes which claim in the JWT should be used as the username.
  • --oidc-groups-claim=groups: This tells Kubernetes which claim should be used to identify the user's group memberships.

A critical limitation of the Kubernetes OIDC configuration is that it can only trust ID Tokens issued to a single client. To bypass this, Dex allows clients to trust other clients to mint tokens on their behalf.

The Authentication Flow and Token Validation

The authentication process begins when an end-user initiates a request to log in to Dex. Dex then redirects the user to the upstream identity provider (e.g., GitHub or Okta). Once the user is authenticated by the upstream provider, Dex receives the response and translates it into a signed JSON Web Token (JWT) called an ID Token.

These ID Tokens contain essential metadata, including:

  • User names
  • Email addresses
  • Unique identifiers
  • Set of groups (which are used for RBAC mapping)

API Server Token Processing

When a request is made to the kube-apiserver containing a bearer token, the API server performs a series of validation steps. At the onset, the kube-apiserver fetches the public keys from Dex to validate the signatures of the bearer tokens.

The validation sequence follows these steps:

  1. Signature Check: The API server verifies that the token was signed by the trusted issuer (Dex).
  2. Expiration Check: The server ensures the token has not expired.
  3. Claims Validation: The server validates the audience (aud) and issuer (iss) claims to ensure the token was intended for the API server.
  4. Attribute Extraction: The server retrieves subject attributes from the token claims to determine who the user is and what groups they belong to.

Starting from Kubernetes v1.30.x, there are two options for connecting Dex to the cluster, including the use of a structured configuration file to set up the authenticator for validating incoming bearer tokens.

Granular Access Control and Token Management

Dex complements Kubernetes by providing capabilities for more granular access control that would be difficult to achieve with static certificates. Because Dex controls the issuance of ID tokens, administrators can specify the duration of these tokens. This is an essential feature for implementing temporary user access, where a token is only valid for a short window of time.

Furthermore, Dex provides administrative control over the lifecycle of authentication:

  • Token Revocation: Administrators can revoke all active ID tokens if a security breach is suspected.
  • Targeted Revocation: Access can be revoked for a specific user or a specific group without affecting the rest of the organization.

This level of control, combined with the ability to map OIDC group claims directly to Kubernetes RBAC roles, creates a highly secure and scalable identity architecture.

Comparison of Dex vs. Other IAM Solutions

To understand the specific role of Dex, it is helpful to compare its architecture against other common identity solutions.

Feature Dex Zitadel Authentik
Primary Role Protocol Adapter / OIDC Issuer Event-sourced IAM Platform IAM with internal user store
User State No user state (Stateless) Owns users in CockroachDB Owns users in internal DB
Data Handling Federates upstream sources Manages own user data Manages own user data
Primary Goal Translation to OIDC Full IAM Lifecycle Flow engine and User Store
Deployment K8s, systemd, Container Managed or Self-hosted Python/Django application

Analysis of Dex in Enterprise Environments

The implementation of Dex represents a shift toward "Identity Federation" rather than "Identity Management." For a small team, the overhead of deploying and maintaining a Dex instance might outweigh the benefits, as simple kubeconfig sharing or basic IAM roles might suffice. However, for enterprise-scale environments, Dex is indispensable.

The real-world impact of using Dex is the decoupling of the identity source from the orchestration platform. If an organization decides to migrate from Okta to GitHub for their identity management, they do not need to reconfigure every single user's access to the Kubernetes cluster. They simply update the connector in the Dex configuration. This creates an abstraction layer that protects the Kubernetes cluster from changes in the upstream identity provider.

Furthermore, the security posture is significantly improved by the use of short-lived tokens. In traditional Kubernetes authentication using client certificates, a leaked certificate could provide access until the certificate expires or the CA is rotated. With Dex, the use of OIDC tokens allows for rapid revocation and strict expiration policies, which reduces the blast radius of a compromised credential.

The integration of Dex into the CNCF sandbox project ensures that it follows the best practices of cloud-native governance, ensuring that the tool remains compatible with the evolving standards of the Kubernetes ecosystem. By leveraging the authorization-code flow and providing a standardized way to handle claims, Dex allows Kubernetes to remain a "pure" orchestrator while gaining the sophisticated authentication capabilities of modern enterprise identity providers.

Sources

  1. vcluster.com
  2. dexidp.io/docs/guides/kubernetes/
  3. dexidp.io
  4. aws.amazon.com/blogs/containers/using-dex-dex-k8s-authenticator-to-authenticate-to-amazon-eks/

Related Posts