OpenID Connect (OIDC) allows Kubernetes users to authenticate using an external identity provider instead of static certificates or manually managed credentials.
With OIDC authentication, you can log into your clusters managed by Syself Autopilot using existing organizational accounts while Kubernetes delegates authentication to a trusted identity provider.
This approach simplifies access management and improves security for production Kubernetes environments.
Before configuring Kubernetes OIDC authentication, you need an identity provider that supports OpenID Connect.
Common options include:
For self-hosted environments, Syself commonly recommends Authentik. It provides OpenID Connect support, user management, group synchronization, and Single Sign-On capabilities in a modern self-hosted platform.
The identity provider is responsible for authenticating users and issuing the tokens Kubernetes uses for authentication and authorization.
To enable OIDC authentication and authorization for your cluster, you need to set a couple of flags on the Kubernetes API server.
To do this, set the variables below under spec.topology.variables in your Cluster resource:
You are now ready to configure Cluster Roles. Below is a sample role providing read-write access to pods and services:
And bind this role to a group in your OIDC provider:
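The following manifests are an added example, not the role or binding from the Syself documentation. They grant read-write access to pods and services and bind that access to an OIDC group. The group name is an assumption: it is the value of the identity provider's groups claim with the API server's `--oidc-groups-prefix` (assumed here to be `oidc:`) prepended. The prefix matters for security because it keeps provider-issued group names from colliding with built-in Kubernetes groups such as `system:masters`.

```yaml
# Added example (not from the Syself documentation): ClusterRole with
# read-write access to pods and services, bound to an OIDC group.
# Assumptions: the API server runs with --oidc-groups-claim=groups and
# --oidc-groups-prefix="oidc:", and the identity provider puts the group
# name "platform-team" in that claim. Replace names for your environment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pods-services-readwrite
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# A RoleBinding may reference a ClusterRole; doing so limits the granted
# permissions to the binding's namespace (use a ClusterRoleBinding only if
# the group really needs cluster-wide access).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: platform-team-pods-services
  namespace: team-a
subjects:
  - kind: Group
    name: "oidc:platform-team"   # groups-prefix + value of the groups claim
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pods-services-readwrite
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests, you can check the effective permissions without logging in as a member of the group by impersonating it: `kubectl auth can-i create pods -n team-a --as=someone --as-group=oidc:platform-team` should answer `yes`, and the same query in another namespace should answer `no`.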
Kubernetes does not automatically perform browser-based OIDC authentication for clients such as kubectl.
To simplify the authentication flow, we recommend using kubelogin, which handles token retrieval and automatically refreshes credentials when needed.
You can use one of the following commands to install kubelogin:
Alternatively, you can install it from a GitHub release. Then you need to make sure that it is on your PATH as kubectl-oidc_login.
Now you need to change your kubeconfig file to authenticate using kubelogin. Add the snippet below to it:
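The kubeconfig fragment below is an added example, not the snippet from the Syself documentation. It defines a user entry whose credentials are produced by kubelogin through the kubectl exec credential plugin mechanism. The issuer URL and client ID are placeholders and must match the `--oidc-issuer-url` and `--oidc-client-id` values configured on the API server; `--oidc-extra-scope=groups` is included because the group-based RBAC bindings only work if the ID token actually carries the groups claim.

```yaml
# Added example (not from the Syself documentation): kubeconfig "users" entry
# that delegates token retrieval to kubelogin, installed as the
# kubectl-oidc_login plugin. The issuer URL and client ID are placeholders;
# they must match the API server's --oidc-issuer-url and --oidc-client-id.
apiVersion: v1
kind: Config
users:
  - name: oidc
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: kubectl
        args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=https://auth.example.com/application/o/kubernetes/
          - --oidc-client-id=kubernetes
          - --oidc-extra-scope=groups   # request the groups claim used by RBAC bindings
          - --oidc-use-pkce             # public client: no client secret stored in the kubeconfig
```

Point your context at this user with `kubectl config set-context --current --user=oidc`. kubelogin caches the tokens it obtains under `~/.kube/cache/oidc-login`; treat that directory with the same care as the kubeconfig itself, since a cached token grants whatever the bound roles allow until it expires.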
The next time you run kubectl you'll be prompted to authenticate with your OIDC provider.
Designing Kubernetes authentication and RBAC strategies can become complex, especially in multi-team or production environments.
The Syself team can help with:
If you want help integrating OIDC into your Kubernetes environment, contact the Syself team.