starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst
Keane Lim 3c5fa979a4 Security guide update 
Re-organized topic hierarchy

Tiny edit to restart review workflow.

Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
2021-03-12 15:10:40 -05:00

2.5 KiB
Raw Blame History

Configure Kubernetes for OIDC Token Validation after Bootstrapping the System

You must configure the Kubernetes cluster's kube-apiserver to use the oidc-auth-apps identity provider for validation of tokens in Kubernetes API requests, which use authentication.

As an alternative to performing this configuration at bootstrap time as described in Configure Kubernetes for OIDC Token Validation while Bootstrapping the System <configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>, you can do so at any time using service parameters.

  1. Set the following service parameters using the system service-parameter-add kubernetes kube\_apiserver command.

    For example:

    ~(keystone_admin)$ system service-parameter-add kubernetes kube_apiserver oidc_client_id=stx-oidc-client-app

    • oidc_client_id=<client>

      The value of this parameter may vary for different group configurations in your Windows Active Directory server.

    • oidc_groups_claim=<groups>

    • oidc_issuer_url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex

      Note

      For IPv6 deployments, ensure that the IPv6 OAM floating address is, https://\[<oam-floating-ip>]:30556/dex (that is, in lower case, and wrapped in square brackets).

    • oidc_username_claim=<email>

      The values of this parameter may vary for different user configurations in your Windows Active Directory server.

    The valid combinations of these service parameters are:

    • none of the parameters
    • oidc_issuer_url, oidc_client_id, and oidc_username_claim
    • oidc_issuer_url, oidc_client_id, oidc_username_claim, and oidc_groups_claim

  2. Apply the service parameters.

    ~(keystone_admin)$ system service-parameter-apply kubernetes

    For more information on Authentication for subclouds, see Centralized OIDC Authentication Setup for Distributed Cloud <centralized-oidc-authentication-setup-for-distributed-cloud>.