Mr. Morris, thanks again for the excellent explanation. I have a question regarding to multiple cluster authentication. Currently, we (in my organization) download the cluster's KubeConfig from Rancher's web UI and save it in the .kube folder, changing between contexts using kubie. Following your step by step, should we execute kubie ctx to choose the correct context before using the kubectl commands?
@@multivalfran Hi, thanks for watching. I mean yes you have to make sure you are in the right context (cluster) before executing any commands. Your question seems to be unrelated to Keycloak and Kubernetes OIDC cluster authentication though. Perhaps you can clarify.
Amazing stuff . This is by far the best demo regarding k8s authN and authZ using kyecloak. One queation please. Which vscode theme you use in your videos 🤘🏻
Hey, Morris! Thanks for another great guide video! One question - if i have several control planes, do i need to edit kube server api manifest on each one of them?
Hi thanks for watching. If you have multiple control-plane nodes but only send requests to one node via kubectl then configuring just the one node will be enough. However if you connect to your cluster via a load balancer which load-balances requests across all the control-plane nodes then you need to reconfigure the kube-apiserver on all the nodes. Each kube-apiserver receiving API requests needs to know where to send token validation requests which in this case is the Keycloak server.
@@EngineeringWithMorris Awesome, thanks for clarifying that, mate! I have LB, yes, so will configure it on all nodes. Cant wait to start implementing it. Love your channel and save all your videos to my Tube Archivist. Best of luck
Hi Morris, Amaizing content! any idea how can I configure the SSO on remote cluster nodes with no GUI/web browser, as those nodes are only accessible via SSH and use a command-line interface
Great content, Morris! How do you authenticate to the Kube-API via OIDC when Keycloak isn't running for some reason or the pods were terminated? This is the main reason why I was struggling to manage such critical services like Authentication providers or secret management tools like Vault within a Kubernetes cluster. However I'm not happy with this solution to keep this kind of critical infrastructure components on separate virtual machines in production. Could you please share your thoughts on handling such critical components in production? Thanks 🙏
Hi thanks a lot. I normally handle such issues by having multiple clusters at least two(east and west). Critical services can be configured to failover to the other cluster. Non critical applications can be maintained in only one cluster. I also configure replication and federation for the applications that support it. I also do my best to avoid reverting back to VMs, if it can run in a container the I always find a ways to deploy it to k8s.
@@EngineeringWithMorrisThanks for sharing your thoughts. I will definitely try to take a look on multi cluster deployments or similar approaches like automatic failover to other clusters, if I understood correctly. Usually we spread our masters and worker nodes across different datacenters with good latency, but it would be great to have some kind of resilience against entire cluster outages.
Hi, You can look into using a validating webhook admission controller to define more fine grained controls not possible with plain RABAC. Checkout Open Policy Agent.
Alright thank you. I went through it but doesn't seems to really do what I want. Let me detail my problem. Consider that we have two users/developers, John and James. Now, I have a kubernetes cluster with two pods inside, pod1 and pod2. I want John to access pod1 only and not pod2. similarly, I want James to access pod2 and not pod1. The same scenario occurs if I want them to access nodes. I hope it is clear now. I look forward to your reply, thank you. @@EngineeringWithMorris
Should be something with the camera settings, funny thing is that some people say it’s actually fine while others see an issue. But will definitely recheck everything, either my camera or export settings. Thanks for your feedback
![Setup Kubernetes Cluster Using Kubeadm [Multi-node]](http://i.ytimg.com/vi/xX52dc3u2HU/mqdefault.jpg)
very clear and precise video, thank you
Thank you for your knowledge Mr. Morris
Awesome content bro
Mr. Morris, thanks again for the excellent explanation. I have a question regarding to multiple cluster authentication. Currently, we (in my organization) download the cluster's KubeConfig from Rancher's web UI and save it in the .kube folder, changing between contexts using kubie. Following your step by step, should we execute kubie ctx to choose the correct context before using the kubectl commands?
@@multivalfran Hi, thanks for watching. I mean yes you have to make sure you are in the right context (cluster) before executing any commands. Your question seems to be unrelated to Keycloak and Kubernetes OIDC cluster authentication though. Perhaps you can clarify.
Thank you my brother for this great vid
Amazing stuff . This is by far the best demo regarding k8s authN and authZ using kyecloak.
One queation please. Which vscode theme you use in your videos 🤘🏻
Thanks a lot mate for your support. For the vscode theme checkout poimandres.
Hey, Morris! Thanks for another great guide video! One question - if i have several control planes, do i need to edit kube server api manifest on each one of them?
Hi thanks for watching. If you have multiple control-plane nodes but only send requests to one node via kubectl then configuring just the one node will be enough. However if you connect to your cluster via a load balancer which load-balances requests across all the control-plane nodes then you need to reconfigure the kube-apiserver on all the nodes.
Each kube-apiserver receiving API requests needs to know where to send token validation requests which in this case is the Keycloak server.
@@EngineeringWithMorris Awesome, thanks for clarifying that, mate! I have LB, yes, so will configure it on all nodes. Cant wait to start implementing it. Love your channel and save all your videos to my Tube Archivist. Best of luck
Hi Morris, Amaizing content! any idea how can I configure the SSO on remote cluster nodes with no GUI/web browser, as those nodes are only accessible via SSH and use a command-line interface
I’m also interested in this , I hope author can see us
Great content, Morris!
How do you authenticate to the Kube-API via OIDC when Keycloak isn't running for some reason or the pods were terminated?
This is the main reason why I was struggling to manage such critical services like Authentication providers or secret management tools like Vault within a Kubernetes cluster.
However I'm not happy with this solution to keep this kind of critical infrastructure components on separate virtual machines in production.
Could you please share your thoughts on handling such critical components in production?
Thanks 🙏
Hi thanks a lot.
I normally handle such issues by having multiple clusters at least two(east and west). Critical services can be configured to failover to the other cluster. Non critical applications can be maintained in only one cluster. I also configure replication and federation for the applications that support it.
I also do my best to avoid reverting back to VMs, if it can run in a container the I always find a ways to deploy it to k8s.
@@EngineeringWithMorrisThanks for sharing your thoughts.
I will definitely try to take a look on multi cluster deployments or similar approaches like automatic failover to other clusters, if I understood correctly.
Usually we spread our masters and worker nodes across different datacenters with good latency, but it would be great to have some kind of resilience against entire cluster outages.
Hello, I want users to access only certain pods in a cluster. How do I do that? Is it possible?
Hi, You can look into using a validating webhook admission controller to define more fine grained controls not possible with plain RABAC. Checkout Open Policy Agent.
Alright thank you. I went through it but doesn't seems to really do what I want. Let me detail my problem. Consider that we have two users/developers, John and James. Now, I have a kubernetes cluster with two pods inside, pod1 and pod2. I want John to access pod1 only and not pod2. similarly, I want James to access pod2 and not pod1.
The same scenario occurs if I want them to access nodes. I hope it is clear now.
I look forward to your reply, thank you. @@EngineeringWithMorris
bro what's happening with your videos lately, they have this thing where they're laggy, not sure how to describe it
Should be something with the camera settings, funny thing is that some people say it’s actually fine while others see an issue. But will definitely recheck everything, either my camera or export settings. Thanks for your feedback
I didn’t notice until I saw this comment now I see it like crazy.
I think it’s a 4k rendering issue