OIDC configuration for your cluster
To enable OpenID Connect authentication and authorization for your cluster, you need to set a couple of flags in the Kubernetes API server.
To do this, set the variables below under spec.topology.variables in your Cluster resource:
- name: oidcIssuerUrl
  # Your OIDC issuer URL
  value: https://your.oidc-issuer.com
- name: oidcClientID
  # Your OIDC client ID
  value: 123456789098765432@cluster-1
- name: oidcUsernameClaim
  # Can be either 'sub' or 'email'
  value: sub
- name: oidcGroupsClaim
  # Use 'username' for compatibility with Syself Autopilot
  value: username
You are now ready to configure Cluster Roles. Below is a sample role providing read-write access to pods and services:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
And bind this role to a group in your OIDC provider:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admins-binding
subjects:
  - kind: Group
    name: my-group
roleRef:
  kind: ClusterRole
  name: my-role
  apiGroup: rbac.authorization.k8s.io
Now, every time you access your cluster, you have to pass the auth provider tokens and other information. To simplify this, you can use kubelogin.
You can use one of the following commands to install kubelogin:
macOS, Linux, Windows, and ARM:
kubectl krew install oidc-login
Alternatively, you can install it from a GitHub release. Then make sure that it is on your PATH as kubectl-oidc_login.
Now change your kubeconfig file to authenticate using kubelogin. Add the snippet below to it:
users:
  - name: oidc
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        args:
          - oidc-login
          - get-token
          # Your OIDC issuer URL
          - --oidc-issuer-url=https://your.oidc-issuer.com
          # Your OIDC client ID
          - --oidc-client-id=123456789098765432@cluster-1
        command: kubectl
The next time you run kubectl you'll be prompted to authenticate with your OIDC provider.
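When a login succeeds but the Group binding above does not take effect, the usual cause is a mismatch between the ID token's claims and the four cluster variables. The following Python check is an added example, not part of the original documentation or of kubelogin: it decodes a token payload and compares it with those variables. The function names and the sample token are constructed for illustration, and the signature is deliberately not verified here (the API server does that).

```python
import base64
import json

# Placeholder values copied from the Cluster variables on this page.
CLUSTER_OIDC = {
    "oidcIssuerUrl": "https://your.oidc-issuer.com",
    "oidcClientID": "123456789098765432@cluster-1",
    "oidcUsernameClaim": "sub",
    "oidcGroupsClaim": "username",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload only. No signature check: diagnostics, not authentication."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(id_token: str, cfg: dict = CLUSTER_OIDC):
    """Return (problems, username, groups) for the given cluster OIDC variables."""
    claims, problems = decode_claims(id_token), []
    if claims.get("iss") != cfg["oidcIssuerUrl"]:  # exact match; a trailing slash counts
        problems.append(f"iss {claims.get('iss')!r} != oidcIssuerUrl")
    aud = claims.get("aud", [])  # 'aud' may be a single string or a list
    if cfg["oidcClientID"] not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not contain oidcClientID")
    username = claims.get(cfg["oidcUsernameClaim"])
    if not username:
        problems.append(f"missing username claim {cfg['oidcUsernameClaim']!r}")
    if cfg["oidcUsernameClaim"] == "email" and claims.get("email_verified") is False:
        problems.append("email_verified is false")
    groups = claims.get(cfg["oidcGroupsClaim"], [])
    groups = [groups] if isinstance(groups, str) else list(groups)
    if not groups:  # nothing for a 'kind: Group' subject to match against
        problems.append(f"no groups in claim {cfg['oidcGroupsClaim']!r}")
    return problems, username, groups

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the check runs offline."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

if __name__ == "__main__":
    sample = make_sample_token({"iss": "https://your.oidc-issuer.com", "sub": "user-1",
                                "aud": "123456789098765432@cluster-1", "username": ["my-group"]})
    print(check_token(sample))  # groups must include the ClusterRoleBinding subject name
```

Each name in the returned groups list is what the `name:` of a `kind: Group` subject has to equal for the binding to apply.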