0bf77eef8e
Change-Id: I753b0cd3912d2f9bc53c50906c05e90f2443d3f0 Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
86 lines
3.2 KiB
ReStructuredText
86 lines
3.2 KiB
ReStructuredText
|
|
.. ydd1583939542169
|
|
.. _configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system:
|
|
|
|
-----------------------------------------------------------------------------
|
|
Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
|
|
-----------------------------------------------------------------------------
|
|
|
|
You must configure the Kubernetes cluster's **kube-apiserver** to use the
|
|
**oidc-auth-apps** |OIDC| identity provider for validation of tokens in
|
|
Kubernetes API requests, which use |OIDC| authentication.
|
|
|
|
.. rubric:: |context|
|
|
|
|
As an alternative to performing this configuration at bootstrap time as
|
|
described in :ref:`Configure Kubernetes for OIDC Token Validation while
|
|
Bootstrapping the System
|
|
<configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system>`,
|
|
you can do so at any time using service parameters.
|
|
|
|
.. rubric:: |proc|
|
|
|
|
|
|
.. _configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system-steps-vlw-k2p-zkb:
|
|
|
|
#. Set the following service parameters using the :command:`system
|
|
service-parameter-add kubernetes kube_apiserver` command.
|
|
|
|
For example:
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
|
|
|
|
~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=https://${OAMIP}:<oidc-auth-apps-dex-service-NodePort>/dex
|
|
|
|
~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
|
|
|
|
~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
|
|
|
|
where:
|
|
|
|
**<oidc-auth-apps-dex-service-NodePort>** is the port to be configured for
|
|
the NodePort service for dex in **oidc-auth-apps**. The default is 30556.
|
|
|
|
The values of the **oidc-username-claim**, and **oidc-groups-claim** parameters
|
|
could vary for different user and groups configurations in your Windows
|
|
Active Directory or |LDAP| server.
|
|
|
|
.. note::
|
|
For IPv6 deployments, ensure that the IPv6 OAM floating address
|
|
is, ``https://\[<oam-floating-ip>\]:30556/dex`` (that is, in lower
|
|
case, and wrapped in square brackets).
|
|
|
|
The valid combinations of these service parameters are:
|
|
|
|
|
|
- none of the parameters
|
|
|
|
- oidc-issuer-url, oidc-client-id, and oidc-username-claim
|
|
|
|
- oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim
|
|
|
|
.. note::
|
|
Historical service parameters for |OIDC| with underscores are still
|
|
accepted: oidc_client_id, oidc_issuer_url, oidc_username_claim and
|
|
oidc_groups_claim. These are equivalent to: oidc-client-id, oidc-issuer-url,
|
|
oidc-username-claim and oidc-groups-claim.
|
|
|
|
.. only:: partner
|
|
|
|
.. include:: /_includes/oidc-service-parameters-migration.rest
|
|
|
|
|
|
#. Apply the service parameters.
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)]$ system service-parameter-apply kubernetes
|
|
|
|
For more information on |OIDC| Authentication for subclouds, see
|
|
:ref:`Centralized vs Distributed OIDC Authentication Setup
|
|
<centralized-vs-distributed-oidc-auth-setup>`.
|
|
|
|
|