ClusterOIDCConfiguration resource for MKE

Available since 17.0.0, 16.0.0, and 14.1.0

This section describes the OpenID Connect (OIDC) custom resource for Mirantis Container Cloud that you can use to customize OIDC for Mirantis Kubernetes Engine (MKE) on managed clusters. Using this resource, you can add your own OIDC provider to authenticate user requests to Kubernetes. For OIDC provider requirements, see the official OIDC specification.

For the procedure to create a ClusterOIDCConfiguration for a managed cluster, see Add a custom OIDC provider for MKE.

The Container Cloud ClusterOIDCConfiguration custom resource contains the following fields:

  • apiVersion

    The API version of the object that is kaas.mirantis.com/v1alpha1.

  • kind

    The object type that is ClusterOIDCConfiguration.

  • metadata

    The metadata object field of the ClusterOIDCConfiguration resource contains the following fields:

    • name

      The object name.

    • namespace

      The project name (Kubernetes namespace) of the related managed cluster.

  • spec

    The spec object field of the ClusterOIDCConfiguration resource contains the following fields:

    • adminRoleCriteria

      Definition of the id_token claim that carries the admin role, and the role value to match against it.

      • matchType

        How MKE matches the claim against the requested role value. Possible values:

        • must

          Requires the id_token claim to be a plain string that equals value, for example, "iam_role": "mke-admin".

        • contains

          Requires the id_token claim to be an array of strings that includes value, for example, "iam_role": ["mke-admin", "pod-reader"].

      • name

        Name of the id_token claim that contains the role (must) or the array of roles (contains), for example, iam_role.

      • value

        Role value that the claim specified in name must equal (must) or contain (contains), for example, mke-admin.

    • caBundle

      Base64-encoded certificate authority (CA) bundle used to verify the TLS certificate of the OIDC provider endpoint.

    • clientID

      ID of the OIDC client to be used by Kubernetes.

    • clientSecret

      Secret of the OIDC client specified in clientID. When creating the object, set the plain-text secret in the value field. After the ClusterOIDCConfiguration object is created, this field is updated automatically with a reference to the Kubernetes Secret that stores the value, so the plain-text secret does not remain in the object. For example:

      clientSecret:
        secret:
          key: value
          name: CLUSTER_NAME-wqbkj
      
    • issuer

      URL of the OIDC provider (issuer) endpoint, for example, https://auth.example.com/.

Configuration example:

apiVersion: kaas.mirantis.com/v1alpha1
kind: ClusterOIDCConfiguration
metadata:
  name: CLUSTER_NAME
  namespace: CLUSTER_NAMESPACE
spec:
  adminRoleCriteria:
    matchType: contains
    name: iam_roles
    value: mke-admin
  caBundle: BASE64_ENCODED_CA
  clientID: MY_CLIENT
  clientSecret:
    value: MY_SECRET
  issuer: https://auth.example.com/
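
The following Python snippet is an added illustration, not Mirantis or MKE code. It mirrors the documented semantics of adminRoleCriteria for the configuration example above (matchType: contains, name: iam_roles, value: mke-admin) and for matchType: must, and shows the cases a practitioner should care about: a missing claim, a claim of the wrong type, and a role value that merely contains the requested value as a substring. The criteria dictionary and the sample id_token payloads are constructed for the example; the matcher assumes the token signature, issuer, audience, and expiry were already verified by MKE.

```python
"""Illustrative evaluator for ClusterOIDCConfiguration.spec.adminRoleCriteria.

Added example, not Mirantis code: it follows the documented meaning of
matchType (must = plain string claim, contains = array-of-strings claim)
when applied to already-verified id_token claims.
"""
from typing import Any, Mapping

# Hypothetical in-memory copy of spec.adminRoleCriteria from the
# configuration example on this page.
ADMIN_ROLE_CRITERIA = {
    "matchType": "contains",
    "name": "iam_roles",
    "value": "mke-admin",
}


def is_admin(claims: Mapping[str, Any], criteria: Mapping[str, str]) -> bool:
    """Return True if the id_token claims satisfy the admin role criteria.

    `claims` is the decoded payload of an id_token whose signature, issuer,
    audience and expiry have ALREADY been verified; this function does no
    cryptographic checks and must never be fed an unverified token.
    """
    match_type = criteria["matchType"]
    claim = claims.get(criteria["name"])
    wanted = criteria["value"]

    if claim is None:
        # Missing claim: fail closed, never grant admin by default.
        return False

    if match_type == "must":
        # Documented as a plain string, e.g. "iam_role": "mke-admin".
        # An array here is a type mismatch and is rejected, not searched.
        return isinstance(claim, str) and claim == wanted

    if match_type == "contains":
        # Documented as an array of strings,
        # e.g. "iam_role": ["mke-admin", "pod-reader"].
        # A bare string is rejected so that "mke-admin,pod-reader" or a
        # value such as "mke-admin-readonly" cannot match by substring.
        return (
            isinstance(claim, list)
            and all(isinstance(r, str) for r in claim)
            and wanted in claim
        )

    raise ValueError(f"unsupported matchType: {match_type!r}")


# Constructed sample id_token payloads (not real tokens).
SAMPLE_CLAIMS = {
    "admin": {"sub": "alice", "iam_roles": ["mke-admin", "pod-reader"]},
    "reader": {"sub": "bob", "iam_roles": ["pod-reader"]},
    "string_claim": {"sub": "carol", "iam_roles": "mke-admin"},
    "substring": {"sub": "dave", "iam_roles": ["mke-admin-readonly"]},
    "no_claim": {"sub": "erin"},
}


def evaluate_samples(criteria: Mapping[str, str] = ADMIN_ROLE_CRITERIA) -> dict:
    """Evaluate every constructed sample against the criteria."""
    return {label: is_admin(c, criteria) for label, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for label, granted in evaluate_samples().items():
        print(f"{label:13s} admin={granted}")
```

Only the "admin" sample is granted the admin role; the "string_claim" sample is rejected because contains expects an array, which is why the claim type emitted by your OIDC provider must match the matchType you configure.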