OIDC configuration for your cluster
To enable OpenID Connect (OIDC) authentication and authorization for your cluster, you need to set a couple of flags on the Kubernetes API server. To do this, set the variables below under `spec.topology.variables` in your Cluster resource:
```yaml
- name: oidcIssuerUrl
  value: https://your.oidc-issuer.com    # your OIDC issuer URL
- name: oidcClientID
  value: 123456789098765432@cluster-1    # your OIDC client ID
```
You are now ready to configure cluster roles. Below is a sample ClusterRole granting read-write access to pods and services:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
Then bind this role to a group from your OIDC provider:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admins-binding
subjects:
- kind: Group
  name: my-group
roleRef:
  kind: ClusterRole
  name: my-role
  apiGroup: rbac.authorization.k8s.io
```
Now, every time you access your cluster, you have to pass the tokens and other information from your auth provider to kubectl. To simplify this, you can use kubelogin.
You can install kubelogin with krew on macOS, Linux, Windows and ARM:

```shell
kubectl krew install oidc-login
```

Alternatively, you can install it from a GitHub release. Then make sure it is in your PATH as `kubectl-oidc_login`.
Now change your kubeconfig file to authenticate using kubelogin. Add the snippet below to it:
```yaml
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://your.oidc-issuer.com    # your OIDC issuer URL
      - --oidc-client-id=123456789098765432@cluster-1     # your OIDC client ID
      command: kubectl
```
The next time you run kubectl, you'll be prompted to authenticate with your OIDC provider.