
Two updates were made: 1 - OIDC has been up versioned recently, then the dex version was updated. 2 - The edited note lets the user know when they update their system the OIDC service parameters with underscores will be automatically migrated (renamed) to the latest format with dashes:

+---------------------+---------------------+
| Legacy Format       | Latest Format       |
+---------------------+---------------------+
| oidc_client_id      | oidc-client-id      |
| oidc_groups_claim   | oidc-groups-claim   |
| oidc_issuer_url     | oidc-issuer-url     |
| oidc_username_claim | oidc-username-claim |
+---------------------+---------------------+

Story: 2011085
Task: 50524
Change-Id: Iaf7d194b18918977bc121e82584a1c2de2dbd628
Signed-off-by: Joaci Morais <Joaci.deMorais@windriver.com>
Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
You must configure the Kubernetes cluster's kube-apiserver to use the oidc-auth-apps identity provider to validate the tokens carried by authenticated Kubernetes API requests.
As an alternative to performing this configuration at bootstrap time, as described in Configure Kubernetes for OIDC Token Validation while Bootstrapping the System <configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>, you can do so at any time using service parameters.
Set the following service parameters using the system service-parameter-add kubernetes kube_apiserver command. For example:
~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
oidc-client-id=<client>
The value of this parameter may vary for different group configurations in your Windows Active Directory or server.
oidc-groups-claim=<groups>
oidc-issuer-url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex
Note
For IPv6 deployments, ensure that the IPv6 OAM floating address is written as https://[<oam-floating-ip>]:30556/dex (that is, in lower case and wrapped in square brackets).
oidc-username-claim=<email>
The value of this parameter may vary for different user configurations in your Windows Active Directory or server.
The valid combinations of these service parameters are:
none of the parameters
oidc-issuer-url, oidc-client-id, and oidc-username-claim
oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim
Note
Historical service parameters with underscores are still accepted: oidc_client_id, oidc_issuer_url, oidc_username_claim and oidc_groups_claim. These are equivalent to oidc-client-id, oidc-issuer-url, oidc-username-claim and oidc-groups-claim.
Apply the service parameters.
~(keystone_admin)]$ system service-parameter-apply kubernetes
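The checks this procedure implies, as an added POSIX shell example that is not part of this page or of the StarlingX system CLI: it renames the legacy underscore parameter names to their dashed equivalents, rejects an issuer URL whose IPv6 literal is not wrapped in square brackets, confirms that the supplied set is one of the valid combinations listed above, and prints the resulting service-parameter-add line. The addresses in the comments are constructed sample values, and the real system command is never executed.

```shell
# Added example (not StarlingX code): normalise and validate the OIDC kube_apiserver
# service parameters; the "system" CLI is not invoked, only its command line is printed.
oidc_normalize_name() {
    # Legacy underscore names map to the dashed names; anything else passes through.
    case "$1" in
        oidc_client_id) echo oidc-client-id ;;      oidc_groups_claim) echo oidc-groups-claim ;;
        oidc_issuer_url) echo oidc-issuer-url ;;    oidc_username_claim) echo oidc-username-claim ;;
        *) echo "$1" ;;
    esac
}

# Accept only an https issuer URL ending in /dex whose IPv6 host, if any, is wrapped
# in square brackets (a bare literal such as fd00::1:30556 cannot be split into host and port).
oidc_issuer_url_ok() {
    case "$1" in https://*/dex) ;; *) return 1 ;; esac
    hostport=${1#https://}; hostport=${hostport%%/*}
    case "$hostport" in
        \[*\]:*) return 0 ;;   # bracketed IPv6 literal with port
        *:*:*)   return 1 ;;   # two or more colons and no brackets: bare IPv6
        *)       return 0 ;;   # hostname or IPv4, optionally with port
    esac
}

# The only valid sets: none; issuer-url + client-id + username-claim; those three
# plus groups-claim. An unknown name or any other combination is rejected.
oidc_combination_ok() {
    i=0; c=0; u=0; g=0
    for n in "$@"; do
        case "$n" in
            oidc-issuer-url) i=1 ;;     oidc-client-id) c=1 ;;
            oidc-username-claim) u=1 ;; oidc-groups-claim) g=1 ;;
            *) return 1 ;;
        esac
    done
    case "$i$c$u$g" in 0000|1110|1111) return 0 ;; *) return 1 ;; esac
}

# Takes NAME=VALUE arguments (legacy or dashed names) and prints the normalised
# "system service-parameter-add" line, or fails and prints nothing.
oidc_build_command() {
    names=""; out="system service-parameter-add kubernetes kube_apiserver"
    for kv in "$@"; do
        name=$(oidc_normalize_name "${kv%%=*}"); value=${kv#*=}
        [ "$name" != oidc-issuer-url ] || oidc_issuer_url_ok "$value" || return 1
        names="$names $name"; out="$out $name=$value"
    done
    oidc_combination_ok $names || return 1
    echo "$out"
}
```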
For more information on authentication for subclouds, see Centralized vs Distributed OIDC Authentication Setup <centralized-vs-distributed-oidc-auth-setup>.