ClusterOIDCConfiguration resource for MKE
Available since 17.0.0, 16.0.0, and 14.1.0
This section contains a description of the OpenID Connect (OIDC) custom resource for Mirantis Container Cloud that you can use to customize OIDC for Mirantis Kubernetes Engine (MKE) on managed clusters. Using this resource, you can add your own OIDC provider to authenticate user requests to Kubernetes. For OIDC provider requirements, see the OIDC official specification.
The creation procedure of the ClusterOIDCConfiguration for a managed cluster is described in Add a custom OIDC provider for MKE.
The Container Cloud ClusterOIDCConfiguration custom resource contains the following fields:

apiVersion
    The API version of the object that is kaas.mirantis.com/v1alpha1.

kind
    The object type that is ClusterOIDCConfiguration.

metadata
    The metadata object field of the ClusterOIDCConfiguration resource contains the following fields:

    name
        The object name.

    namespace
        The project name (Kubernetes namespace) of the related managed cluster.

spec
    The spec object field of the ClusterOIDCConfiguration resource contains the following fields:

    adminRoleCriteria
        Definition of the id_token claim with the admin role and the role value.

        matchType
            Matching type of the claim with the requested role. Possible values that MKE uses to match the claim with the requested value:

            must
                Requires a plain string in the id_token claim, for example, "iam_role": "mke-admin".

            contains
                Requires an array of strings in the id_token claim, for example, "iam_role": ["mke-admin", "pod-reader"].

        name
            Name of the admin id_token claim containing a role or array of roles.

        value
            Role value that matches the "iam_role" value in the admin id_token claim.

    caBundle
        Base64-encoded certificate authority bundle of the OIDC provider endpoint.

    clientID
        ID of the OIDC client to be used by Kubernetes.

    clientSecret
        Secret value of the clientID parameter. After the ClusterOIDCConfiguration object creation, this field is updated automatically with a reference to the corresponding Secret. For example:

            clientSecret:
              secret:
                key: value
                name: CLUSTER_NAME-wqbkj

    issuer
        OIDC endpoint.
Configuration example:

    apiVersion: kaas.mirantis.com/v1alpha1
    kind: ClusterOIDCConfiguration
    metadata:
      name: CLUSTER_NAME
      namespace: CLUSTER_NAMESPACE
    spec:
      adminRoleCriteria:
        matchType: contains
        name: iam_roles
        value: mke-admin
      caBundle: BASE64_ENCODED_CA
      clientID: MY_CLIENT
      clientSecret:
        value: MY_SECRET
      issuer: https://auth.example.com/
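The following Python is an added example, not code from the Mirantis documentation or from MKE: it applies the adminRoleCriteria matching rules described above to decoded id_token claims and pre-checks the documented spec fields before the object is applied. The sample spec, the treatment of a wrongly shaped claim as no match, and the https issuer check are this example's assumptions, not documented MKE behaviour.

```python
import base64
import binascii

# Constructed sample spec, mirroring the page's configuration example.
SAMPLE_SPEC = {
    "adminRoleCriteria": {"matchType": "contains", "name": "iam_roles", "value": "mke-admin"},
    "caBundle": base64.b64encode(b"-----BEGIN CERTIFICATE-----\n...").decode(),
    "clientID": "MY_CLIENT",
    "clientSecret": {"value": "MY_SECRET"},
    "issuer": "https://auth.example.com/",
}


def is_admin(criteria: dict, claims: dict) -> bool:
    """True if the decoded id_token claims satisfy adminRoleCriteria.
    must: plain-string claim equal to value; contains: array of strings
    including value. A claim of the other shape is no match (this example's
    assumption; the page only states which shape each matchType requires)."""
    claim = claims.get(criteria["name"])
    value, match_type = criteria["value"], criteria["matchType"]
    if match_type == "must":
        return isinstance(claim, str) and claim == value
    if match_type == "contains":
        return isinstance(claim, list) and value in claim
    raise ValueError(f"unsupported matchType: {match_type!r}")


def spec_problems(spec: dict) -> list:
    """Pre-flight check of the documented spec fields (empty list = OK).
    Illustrative only; this is not MKE's own validation."""
    problems = []
    crit = spec.get("adminRoleCriteria") or {}
    if crit.get("matchType") not in ("must", "contains"):
        problems.append("adminRoleCriteria.matchType must be 'must' or 'contains'")
    for key in ("name", "value"):
        if not crit.get(key):
            problems.append(f"adminRoleCriteria.{key} is required")
    if not spec.get("clientID"):
        problems.append("clientID is required")
    secret = spec.get("clientSecret") or {}
    if not (secret.get("value") or secret.get("secret")):
        problems.append("clientSecret needs a value or a Secret reference")
    if not str(spec.get("issuer", "")).startswith("https://"):
        problems.append("issuer is not an https:// URL")
    try:
        base64.b64decode(spec.get("caBundle", ""), validate=True)
    except (binascii.Error, ValueError):
        problems.append("caBundle is not valid base64")
    return problems
```

Running spec_problems against a draft object before kubectl apply catches the mistakes MKE would otherwise surface only at login time, such as a contains criterion paired with a provider that emits the role as a plain string.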