docs/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst


.. ydd1583939542169
.. _configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system:

=============================================================================
Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
=============================================================================

You must configure the Kubernetes cluster's **kube-apiserver** to use the
**oidc-auth-apps** |OIDC| identity provider for validation of tokens in
Kubernetes API requests, which use |OIDC| authentication.

.. rubric:: |context|

As an alternative to performing this configuration at bootstrap time as
described in :ref:`Configure Kubernetes for OIDC Token Validation while
Bootstrapping the System
<configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>`,
you can do so at any time using service parameters.

.. rubric:: |proc|


.. _configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system-steps-vlw-k2p-zkb:

#.  Set the following service parameters using the :command:`system
    service-parameter-add kubernetes kube_apiserver` command.

    For example:

    .. code-block:: none

        ~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app


    -   oidc-client-id=<client>

        The value of this parameter may vary for different group
        configurations in your Windows Active Directory server.

    -   oidc-groups-claim=<groups>

    -   oidc-issuer-url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex

        .. note::
            For IPv6 deployments, ensure that the IPv6 OAM floating address
            is, https://\[<oam-floating-ip>\]:30556/dex (that is, in lower
            case, and wrapped in square brackets).

    -   oidc-username-claim=<email>

        The values of this parameter may vary for different user
        configurations in your Windows Active Directory server.


    The valid combinations of these service parameters are:


    -   none of the parameters

    -   oidc-issuer-url, oidc-client-id, and oidc-username-claim

    -   oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim

        .. note::
            Historical service parameters for |OIDC| with underscores are still
            accepted: oidc_client_id, oidc_issuer_url, oidc_username_claim and
            oidc_groups_claim. These are equivalent to: oidc-client-id, oidc-issuer-url,
            oidc-username-claim and oidc-groups-claim.

#.  Apply the service parameters.

    .. code-block:: none

        ~(keystone_admin)]$ system service-parameter-apply kubernetes

    For more information on |OIDC| Authentication for subclouds, see
    :ref:`Centralized OIDC Authentication Setup for Distributed Cloud
    <centralized-oidc-authentication-setup-for-distributed-cloud>`.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. ydd1583939542169`
			`.. _configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system:`

			`=============================================================================`
			`Configure Kubernetes for OIDC Token Validation after Bootstrapping the System`
			`=============================================================================`

			`You must configure the Kubernetes cluster's kube-apiserver to use the`
			`oidc-auth-apps \|OIDC\| identity provider for validation of tokens in`
			`Kubernetes API requests, which use \|OIDC\| authentication.`

			`.. rubric:: \|context\|`

			`As an alternative to performing this configuration at bootstrap time as`
			described in :ref:`Configure Kubernetes for OIDC Token Validation while
			`Bootstrapping the System`
			<configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>`,
			`you can do so at any time using service parameters.`

			`.. rubric:: \|proc\|`


			`.. _configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system-steps-vlw-k2p-zkb:`

			#. Set the following service parameters using the :command:`system
Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			service-parameter-add kubernetes kube_apiserver` command.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`For example:`

			`.. code-block:: none`

Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00

Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`- oidc-client-id=<client>`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`The value of this parameter may vary for different group`
			`configurations in your Windows Active Directory server.`

Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`- oidc-groups-claim=<groups>`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`- oidc-issuer-url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. note::`
			`For IPv6 deployments, ensure that the IPv6 OAM floating address`
Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			`is, https://\[<oam-floating-ip>\]:30556/dex (that is, in lower`
			`case, and wrapped in square brackets).`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`- oidc-username-claim=<email>`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`The values of this parameter may vary for different user`
			`configurations in your Windows Active Directory server.`


			`The valid combinations of these service parameters are:`


			`- none of the parameters`

Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`- oidc-issuer-url, oidc-client-id, and oidc-username-claim`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`- oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`.. note::`
			`Historical service parameters for \|OIDC\| with underscores are still`
			`accepted: oidc_client_id, oidc_issuer_url, oidc_username_claim and`
			`oidc_groups_claim. These are equivalent to: oidc-client-id, oidc-issuer-url,`
			`oidc-username-claim and oidc-groups-claim.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Apply the service parameters.`

			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system service-parameter-apply kubernetes`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`For more information on \|OIDC\| Authentication for subclouds, see`
			:ref:`Centralized OIDC Authentication Setup for Distributed Cloud
			<centralized-oidc-authentication-setup-for-distributed-cloud>`.