Configure Kubernetes for OIDC Token Validation after Bootstrapping the System

You must configure the Kubernetes cluster’s kube-apiserver to use the oidc-auth-apps OIDC identity provider for validation of tokens in Kubernetes API requests, which use OIDC authentication.

About this task

As an alternative to performing this configuration at bootstrap time as described in Configure Kubernetes for OIDC Token Validation while Bootstrapping the System, you can do so at any time using service parameters.

Procedure

  1. Set the following service parameters using the system service-parameter-add kubernetes kube_apiserver command.

    For example:

    ~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
    
    • oidc-client-id=<client>

      The value of this parameter may vary for different group configurations in your Windows Active Directory or LDAP server.

    • oidc-groups-claim=<groups>

    • oidc-issuer-url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex

      Note

      For IPv6 deployments, ensure that the IPv6 OAM floating address is, https://\[<oam-floating-ip>\]:30556/dex (that is, in lower case, and wrapped in square brackets).

    • oidc-username-claim=<email>

      The values of this parameter may vary for different user configurations in your Windows Active Directory or LDAP server.

    The valid combinations of these service parameters are:

    • none of the parameters

    • oidc-issuer-url, oidc-client-id, and oidc-username-claim

    • oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim

      Note

      Historical service parameters for OIDC with underscores are still accepted: oidc_client_id, oidc_issuer_url, oidc_username_claim and oidc_groups_claim. These are equivalent to: oidc-client-id, oidc-issuer-url, oidc-username-claim and oidc-groups-claim.

  2. Apply the service parameters.

    ~(keystone_admin)]$ system service-parameter-apply kubernetes
    

    For more information on OIDC Authentication for subclouds, see Centralized vs Distributed OIDC Authentication Setup.