Add a custom OIDC provider for MKE¶
Available since 17.0.0, 16.0.0, and 14.1.0
By default, MKE uses Keycloak as the OIDC provider. Using the
ClusterOIDCConfiguration custom resource, you can add your own OpenID
Connect (OIDC) provider for MKE on managed clusters to authenticate user
requests to Kubernetes. For OIDC provider requirements, see OIDC official
specification.
Note
For OpenStack and StackLight, Container Cloud supports only Keycloak, which is configured on the management cluster, as the OIDC provider.
To add a custom OIDC provider for MKE:
Configure the OIDC provider:
Log in to the OIDC provider dashboard.
Create an OIDC client. If you are going to use an existing one, skip this step.
Add the MKE
redirectURLof the managed cluster to the OIDC client. By default, the URL format ishttps://<MKE IP>:6443/login.Add the
<Container Cloud web UI IP>/tokento the OIDC client for generation ofkubeconfigfiles of the target managed cluster through the Container Cloud web UI.Ensure that the
audclaim of the issuedid_tokenfor audience will be equal to the created client ID.Optional. Allow MKE to refresh authentication when
id_tokenexpires by allowing theoffline_accessclaim for the OIDC client.
Create the
ClusterOIDCConfigurationobject in the YAML format containing the OIDC client settings. For details, see API Reference: ClusterOIDCConfiguration resource for MKE.The
ClusterOIDCConfigurationobject is created in the management cluster. Users with them:kaas:ns@operator/writer/memberroles have access to this object.Once done, the following dependent objects are created automatically in the target managed cluster: the
rbac.authorization.k8s.io/v1/ClusterRoleBindingobject that binds the admin group defined inspec:adminRoleCriteria:valueto thecluster-adminrbac.authorization.k8s.io/v1/ClusterRoleobject.In the
Clusterobject of the managed cluster, add the name of theClusterOIDCConfigurationobject to thespec.providerSpec.value.oidcfield.Wait until the cluster machines switch from the
ReconfiguretoReadystate for the changes to apply.