Add a custom OIDC provider for MKE
Available since 17.0.0, 16.0.0, and 14.1.0
By default, MKE uses Keycloak as the OIDC provider. Using the
ClusterOIDCConfiguration custom resource, you can add your own OpenID
Connect (OIDC) provider for MKE on managed clusters to authenticate user
requests to Kubernetes. For OIDC provider requirements, see OIDC official
For OpenStack and StackLight, Container Cloud supports only Keycloak, which is configured on the management cluster, as the OIDC provider.
To add a custom OIDC provider for MKE:
1. Configure the OIDC provider:
   a. Log in to the OIDC provider dashboard.
   b. Create an OIDC client. If you are going to use an existing one, skip this step.
   c. Add the MKE redirectURL of the managed cluster to the OIDC client. By default, the URL format is
   d. Add <Container Cloud web UI IP>/token to the OIDC client for generation of kubeconfig files of the target managed cluster through the Container Cloud web UI.
   e. Ensure that the aud (audience) claim of the issued id_token equals the created client ID.
   f. Optional. Allow MKE to refresh authentication when the id_token expires by allowing the offline_access claim for the OIDC client.
2. Create the ClusterOIDCConfiguration object in the YAML format containing the OIDC client settings. For details, see API Reference: ClusterOIDCConfiguration resource for MKE.
   The ClusterOIDCConfiguration object is created in the management cluster. Users with the m:kaas:ns@operator/writer/member roles have access to this object.
   Once done, the following dependent objects are created automatically in the target managed cluster: the rbac.authorization.k8s.io/v1/ClusterRoleBinding object that binds the admin group defined in
3. In the Cluster object of the managed cluster, add the name of the ClusterOIDCConfiguration object to the
4. Wait until the cluster machines switch from the
   Ready state for the changes to apply.
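The aud check from step 1.e, as an added example that is not Container Cloud or MKE code: it decodes the payload of an id_token obtained from a test login against the new client and reports whether aud contains the client ID (string or list form), iss matches the provider issuer, and exp is still in the future, so a misconfigured client is caught before it is written into ClusterOIDCConfiguration. Signature verification is left out on purpose (MKE validates that against the provider keys); build_test_token, SAMPLE_CLIENT_ID and SAMPLE_ISSUER are constructed fixtures, not values from this page.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_id_token_claims(id_token, client_id, issuer, now=None):
    """Return a list of problems with the id_token claims MKE relies on.

    Only the claims are inspected: aud must contain the OIDC client ID
    (string or list form), iss must equal the provider issuer URL, and exp
    must lie in the future. The signature is not checked here.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["id_token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud %r does not contain client ID %r" % (aud, client_id))
    if claims.get("iss") != issuer:
        problems.append("iss %r does not match issuer %r" % (claims.get("iss"), issuer))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        problems.append("id_token is expired (exp=%r)" % claims.get("exp"))
    return problems


def build_test_token(claims):
    """Constructed fixture only: an unsigned JWT so the check runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url_encode(json.dumps(claims).encode()))


# Constructed sample values, not taken from the page.
SAMPLE_CLIENT_ID = "mke-managed-cluster"
SAMPLE_ISSUER = "https://idp.example.com/realms/cloud"

if __name__ == "__main__":
    token = build_test_token({"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID,
                              "exp": int(time.time()) + 300})
    print(check_id_token_claims(token, SAMPLE_CLIENT_ID, SAMPLE_ISSUER) or "claims OK")
```

For a real provider, paste the id_token returned by a test login in place of the fixture; an empty list means the client is issuing claims MKE will accept.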