Introduction
Dex is an open-source, OIDC-compliant identity provider (IdP) that enables federated authentication through connectors to external identity systems such as GitHub, Google, LDAP, and SAML-based providers.
Dex acts as a bridge between Kubernetes-native workloads and enterprise-grade identity systems, allowing the Cake platform to standardize authentication across services while preserving existing workflows. It is often used in tandem with Kubernetes RBAC and service meshes like Istio to implement comprehensive security models.
The Cake platform’s uses for Dex include:
Single Sign-On (SSO) Across Platforms: Enables users to authenticate once with their corporate identity (e.g., Google Workspace, GitHub) and access multiple Cake systems securely.
OIDC Compatibility: Acts as a standard OpenID Connect provider, integrating seamlessly with tools like Istio, the Kubernetes API server, Grafana, and custom internal applications.
Federated Identity Management: Connects to multiple upstream identity providers, supporting hybrid environments and diverse user bases across the organization.
Custom Claims and Scopes: Supports identity enrichment with custom claims, enabling fine-grained access control policies across Cake’s services and clusters.
Lightweight and Extensible: Designed to be simple to deploy and easy to customize via a variety of connectors and identity mappings.
Within the Cake platform, Dex is deployed as a core component of the authentication architecture, serving both interactive users (e.g., engineers accessing the cluster or observability tools) and machine identities in a secure and auditable way. It integrates with downstream systems via OIDC and provides identity tokens that are used to authorize access throughout the platform.