Added GitLab CI OIDC

nicholasdille · web-flow · commit 81bb4835969c · 2025-01-17T15:58:28.000+01:00
diff --git a/120_kubernetes/oidc/README.md b/120_kubernetes/oidc/README.md
@@ -0,0 +1,27 @@
+# Authenticate GitLab CI jobs against Kubernetes using GitLab OIDC
+
+XXX
+
+## Prepare
+
+Deploy a Kubernetes cluster with authentication configuration from `auth-config.yaml`:
+
+```shell
+kind create cluster \
+    --name gitlab-ci-oidc \
+    --config kind.yaml \
+    --wait 5m
+```
+
+Deploy GitLab runner:
+
+```shell
+helm repo add gitlab https://charts.gitlab.io
+helm repo update
+helm upgrade --install \
+    gitlab-runner gitlab/gitlab-runner \
+    --values values-gitlab-runner.yaml \
+    --set runnerRegistrationToken=TOKEN \
+    --wait \
+    --timeout 5m
+```
diff --git a/120_kubernetes/oidc/auth-config.yaml b/120_kubernetes/oidc/auth-config.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    # url must be unique across all authenticators.
+    # url must not conflict with issuer configured in --service-account-issuer.
+    url: https://gitlab.example.com
+    # audiences is the set of acceptable audiences the JWT must be issued to.
+    # At least one of the entries must match the "aud" claim in presented JWTs.
+    audiences:
+    - gitlab_user_auth
+    # this is required to be set to "MatchAny" when multiple audiences are specified.
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    # username represents an option for the username attribute.
+    # This is the only required attribute.
+    username:
+      # Same as --oidc-username-claim. Mutually exclusive with username.expression.
+      claim: preferred_username
+      # Same as --oidc-username-prefix. Mutually exclusive with username.expression.
+      # if username.claim is set, username.prefix is required.
+      # Explicitly set it to "" if no prefix is desired.
+      prefix: "oidc:"
+    # groups represents an option for the groups attribute.
+    groups:
+      # Same as --oidc-groups-claim. Mutually exclusive with groups.expression.
+      claim: groups_direct
+      # Same as --oidc-groups-prefix. Mutually exclusive with groups.expression.
+      # if groups.claim is set, groups.prefix is required.
+      # Explicitly set it to "" if no prefix is desired.
+      prefix: "gitlab:"
+    # uid represents an option for the uid attribute.
+    uid:
+      # Mutually exclusive with uid.expression.
+      claim: preferred_username
+- issuer:
+    # url must be unique across all authenticators.
+    # url must not conflict with issuer configured in --service-account-issuer.
+    url: https://gitlab.example.com/
+    # audiences is the set of acceptable audiences the JWT must be issued to.
+    # At least one of the entries must match the "aud" claim in presented JWTs.
+    audiences:
+    - gitlab_ci_auth
+    # this is required to be set to "MatchAny" when multiple audiences are specified.
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    # username represents an option for the username attribute.
+    # This is the only required attribute.
+    username:
+      # Same as --oidc-username-claim. Mutually exclusive with username.expression.
+      claim: sub
+      # Same as --oidc-username-prefix. Mutually exclusive with username.expression.
+      # if username.claim is set, username.prefix is required.
+      # Explicitly set it to "" if no prefix is desired.
+      prefix: "gitlab-ci:"
+    # groups represents an option for the groups attribute.
+    groups:
+      # Same as --oidc-groups-claim. Mutually exclusive with groups.expression.
+      claim: namespace_path
+      # Same as --oidc-groups-prefix. Mutually exclusive with groups.expression.
+      # if groups.claim is set, groups.prefix is required.
+      # Explicitly set it to "" if no prefix is desired.
+      prefix: "gitlab-ci:"
+    # uid represents an option for the uid attribute.
+    uid:
+      # Mutually exclusive with uid.expression.
+      claim: sub
+    # extra attributes to be added to the UserInfo object. Keys must be domain-prefix path and must be unique.
+    #extra:
+    #  # key is a string to use as the extra attribute key.
+    #  # key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
+    #  # subdomain as defined by RFC 1123. All characters trailing the first "/" must
+    #  # be valid HTTP Path characters as defined by RFC 3986.
+    #  # k8s.io, kubernetes.io and their subdomains are reserved for Kubernetes use and cannot be used.
+    #  # key must be lowercase and unique across all extra attributes.
+    #- key: gitlab.haufedev.systems/namespace
+    #  valueExpression: namespace_id
+    #- key: gitlab.haufedev.systems/project
+    #  valueExpression: project_id
+    #- key: gitlab.haufedev.systems/triggerer
+    #  valueExpression: user_id
+    #- key: gitlab.haufedev.systems/pipeline
+    #  valueExpression: pipeline_id
+    #- key: gitlab.haufedev.systems/job
+    #  valueExpression: job_id
+    #- key: gitlab.haufedev.systems/runner
+    #  valueExpression: runner_id
+    #- key: gitlab.haufedev.systems/ref
+    #  valueExpression: ref
+    #- key: gitlab.haufedev.systems/sha
+    #  valueExpression: sha
diff --git a/120_kubernetes/oidc/kind.yaml b/120_kubernetes/oidc/kind.yaml
@@ -6,30 +6,30 @@ nodes:
   - |
     kind: ClusterConfiguration
     apiServer:
-        # enable auditing flags on the API server
-        extraArgs:
-          audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
-          audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
-          oidc-issuer-url: https://gitlab.com
-          oidc-client-id: $GL_APP_ID
-          oidc-username-claim: preferred_username
-          oidc-username-prefix: "oidc:"
-          oidc-groups-claim: groups_direct
-          oidc-groups-prefix: "gitlab:"
-        # mount new files / directories on the control plane
-        extraVolumes:
-          - name: audit-policies
-            hostPath: /etc/kubernetes/policies
-            mountPath: /etc/kubernetes/policies
-            readOnly: true
-            pathType: "DirectoryOrCreate"
-          - name: "audit-logs"
-            hostPath: "/var/log/kubernetes"
-            mountPath: "/var/log/kubernetes"
-            readOnly: false
-            pathType: DirectoryOrCreate
-  # mount the local file on the control plane
+      extraArgs:
+        audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
+        audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
+        authentication-config: /etc/kubernetes/auth/auth-config.yaml
+      extraVolumes:
+      - name: audit-policies
+        hostPath: /etc/kubernetes/policies
+        mountPath: /etc/kubernetes/policies
+        readOnly: true
+        pathType: DirectoryOrCreate
+      - name: audit-logs
+        hostPath: /var/log/kubernetes
+        mountPath: /var/log/kubernetes
+        readOnly: false
+        pathType: DirectoryOrCreate
+      - name: auth-config
+        hostPath: /etc/kubernetes/auth
+        mountPath: /etc/kubernetes/auth
+        readOnly: false
+        pathType: DirectoryOrCreate
   extraMounts:
   - hostPath: ./audit-policy.yaml
     containerPath: /etc/kubernetes/policies/audit-policy.yaml
+    readOnly: true
+  - hostPath: ./auth-config.yaml
+    containerPath: /etc/kubernetes/auth/auth-config.yaml
     readOnly: true
diff --git a/120_kubernetes/oidc/rbac.yaml b/120_kubernetes/oidc/rbac.yaml
@@ -10,3 +10,15 @@ roleRef:
 subjects:
 - kind: Group
   name: gitlab:k8s-oidc-demo
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: oidc-test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: User
+  name: gitlab-ci:project_path:DilleN/foo:ref_type:branch:ref:main
diff --git a/120_kubernetes/oidc/values-gitlab-runner.yaml b/120_kubernetes/oidc/values-gitlab-runner.yaml
@@ -0,0 +1,54 @@
+image:
+  registry: registry.gitlab.com
+  image: gitlab-org/gitlab-runner
+  #tag: alpine-v16.4.0
+imagePullPolicy: Always
+probeTimeoutSeconds: 5
+
+## How many runner pods to launch.
+##
+## Note: Using more than one replica is not supported with a runnerToken. Use a runnerRegistrationToken
+## to create multiple runner replicas.
+# replicas: 1
+
+gitlabUrl: https://gitlab.example.com/
+
+unregisterRunners: true
+terminationGracePeriodSeconds: 3600
+concurrent: 5
+checkInterval: 5
+
+rbac:
+  create: true
+  rules:
+    - resources: ["pods", "secrets", "configmaps"]
+      verbs: ["get", "list", "watch", "create", "patch", "delete", "update"]
+    - apiGroups: [""]
+      resources: ["pods/attach", "pods/exec"]
+      verbs: ["create", "patch", "delete"]
+  clusterWideAccess: false
+  podSecurityPolicy:
+    enabled: false
+    resourceNames:
+      - gitlab-runner
+
+runners:
+  config: |
+    [[runners]]
+      executor = "kubernetes"
+
+      [runners.kubernetes]
+        image = "alpine"
+  locked: false
+
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  privileged: false
+  capabilities:
+    drop: ["ALL"]
+
+podSecurityContext:
+  runAsUser: 100
+  fsGroup: 65533
