starlingx/docs
Code Issues Proposed changes
Files
b88b09404afeed43cd6ac9ea06962c4f6bee15ab
docs/doc/source/security/kubernetes/centralized-vs-distributed-oidc-auth-setup.rest
Suzana Fernandes 0bf77eef8e Update User Management Section in the SECURITY guide 
Change-Id: I753b0cd3912d2f9bc53c50906c05e90f2443d3f0
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2025-10-15 17:30:18 +00:00

107 lines
4.0 KiB
ReStructuredText
Raw Blame History

.. afi1590692698424
.. _centralized-vs-distributed-oidc-auth-setup:
----------------------------------------------------
Centralized vs Distributed OIDC Authentication Setup
----------------------------------------------------
In a |prod-dc| configuration, you can configure |OIDC| authentication in a
distributed or centralized setup. For other configurations, like |AIO-SX|,
|AIO-DX| or Standard Cloud, follow the instructions in the distributed setup
documented below.
.. _centralized-vs-distributed-oidc-auth-setup-section-ugc-xr5-wlb:
Distributed Setup
-----------------
For a distributed setup, configure the **kube-apiserver** and the
**oidc-auth-apps** independently for each cloud, System Controller, and all
subclouds. The **oidc-auth-apps** runs on each active controller of the setup
and the **kube-apiserver** is configured to point to the local instance of
**oidc-auth-apps**. For more information, see:
.. _centralized-vs-distributed-oidc-auth-setup-ul-gjs-ds5-wlb:
- Configure Kubernetes for |OIDC| Token Validation
- :ref:`Configure Kubernetes for OIDC Token Validation while
Bootstrapping the System
<configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>`
**or**
- :ref:`Configure Kubernetes for OIDC Token Validation after
Bootstrapping the System
<configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system>`
- :ref:`Configure OIDC Auth Applications <configure-oidc-auth-applications>`
All clouds **oidc-auth-apps** can be configured to communicate to the same
or different authentication servers (Windows Active Directory and/or |LDAP|).
However, each cloud manages |OIDC| tokens individually. A user must login,
authenticate, and get an |OIDC| token for each cloud independently.
.. _centralized-vs-distributed-oidc-auth-setup-section-yqz-yr5-wlb:
Centralized Setup
-----------------
For a centralized setup, the **oidc-auth-apps** is configured '**only**' on
the System Controller. The **kube-apiserver** must be configured on all
clouds, System Controller, and all subclouds, to point to the centralized
**oidc-auth-apps** running on the System Controller. In the centralized
setup, a user logs in, authenticates, and gets an |OIDC| token from the
Central System Controller's |OIDC| identity provider, and uses the |OIDC| token
with '**any**' of the subclouds as well as the System Controller cloud.
For a centralized |OIDC| authentication setup, use the following procedure:
.. rubric:: |proc|
#. Configure the **kube-apiserver** parameters on the System Controller and
each subcloud either during bootstrapping or by using the **system
service-parameter-add kubernetes kube_apiserver** command after
bootstrapping the system, using the System Controller's floating OAM IP
address as the oidc-issuer-url for all clouds.
For example,
``oidc-issuer-url=https://<central-cloud-floating-ip>:<oidc-auth-apps-dex
-service-NodePort>/dex`` on the subcloud.
For more information, see:
- :ref:`Configure Kubernetes for OIDC Token Validation while
Bootstrapping the System
<configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>`
**or**
- :ref:`Configure Kubernetes for OIDC Token Validation after
Bootstrapping the System
<configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system>`
#. Configure the **oidc-auth-apps** only on the System Controller. For more
information, see :ref:`Configure OIDC Auth Applications
<configure-oidc-auth-applications>`
.. rubric:: |postreq|
For more information on configuring Users, Groups, Authorization, and
**kubectl** for the user and retrieving the token on subclouds, see:
.. _centralized-vs-distributed-oidc-auth-setup-ul-vf3-jnl-vlb:
- :ref:`Configure Users, Groups, and Authorization <configure-users-groups-and-authorization>`
- :ref:`Configure Kubernetes Client Access <configure-kubernetes-client-access>`
View Git Blame Copy Permalink