-
<namespace_route>refers to the namespace route. This is found by running the following command:$ oc get route oauth-openshift -n openshift-authentication -o json | jq .spec.host
You can interact with OKD, by first authenticating to the cluster. The authentication layer identifies the user associated with requests to the OKD API. The authorization layer then uses information about the requesting user to determine if the request is allowed.
As an administrator, you can configure authentication for OKD.
A user in OKD is an entity that makes API requests and can be granted permissions through role assignments. Users include regular users, system users for infrastructure components, and service accounts associated with projects.
Several types of users can exist:
| User type | Description |
|---|---|
|
This is the way most interactive OKD users are
represented. Regular users are created automatically in the system upon
first login or can be created via the API. Regular users are represented
with the |
|
Many of these are created automatically when the infrastructure
is defined, mainly for the purpose of enabling the infrastructure to
interact with the API securely. They include a cluster administrator
(with access to everything), a per-node user, users for use by routers
and registries, and various others. Finally, there is an |
|
These are special system users associated with projects; some are created automatically when
the project is first created, while project administrators can create more
for the purpose of defining access to the contents of each project.
Service accounts are represented with the |
Each user must authenticate in
some way to access OKD. API requests with no authentication
or invalid authentication are authenticated as requests by the anonymous
system user. After authentication, policy determines what the user is
authorized to do.
Groups represent sets of users and simplify authorization management by allowing administrators to grant permissions to multiple users simultaneously rather than individually. OKD includes both explicitly defined groups and automatically provisioned virtual groups.
In addition to explicitly defined groups, there are also system groups, or virtual groups, that are automatically provisioned by the cluster.
The following default virtual groups are most important:
| Virtual group | Description |
|---|---|
|
Automatically associated with all authenticated users. |
|
Automatically associated with all users authenticated with an OAuth access token. |
|
Automatically associated with all unauthenticated users. |
Requests to the OKD API are authenticated using OAuth access tokens or X.509 client certificates, with invalid credentials rejected and anonymous requests assigned virtual user and group identities for authorization processing.
Obtained from the OKD OAuth server using the
<namespace_route>/oauth/authorize and <namespace_route>/oauth/token
endpoints.
Sent as an Authorization: Bearer… header.
Sent as a websocket subprotocol header in the form
base64url.bearer.authorization.k8s.io.<base64url-encoded-token> for websocket
requests.
Requires an HTTPS connection to the API server.
Verified by the API server against a trusted certificate authority bundle.
The API server creates and distributes certificates to controllers to authenticate themselves.
Any request with an invalid access token or an invalid certificate is rejected
by the authentication layer with a 401 error.
If no access token or certificate is presented, the authentication layer assigns
the system:anonymous virtual user and the system:unauthenticated virtual
group to the request. This allows the authorization layer to determine which
requests, if any, an anonymous user is allowed to make.
The OKD Control Plane includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.
When a person requests a new OAuth token, the OAuth server uses the configured identity provider to determine the identity of the person making the request.
It then determines what user that identity maps to, creates an access token for that user, and returns the token for use.
OKD automatically creates OAuth clients to handle token requests from different user agents, including browser-based and CLI tools. These clients interact with OAuth endpoints to authenticate users through interactive login flows or WWW-Authenticate challenges.
The following OAuth clients are automatically created when starting the OKD API:
| OAuth client | Usage |
|---|---|
|
Requests tokens at |
|
Requests tokens with a user-agent that can handle |
<namespace_route> refers to the namespace route. This is found by
running the following command:
$ oc get route oauth-openshift -n openshift-authentication -o json | jq .spec.host
All requests for OAuth tokens involve a request to
<namespace_route>/oauth/authorize. Most authentication integrations place an
authenticating proxy in front of this endpoint, or configure
OKD to validate credentials against a backing identity provider.
Requests to <namespace_route>/oauth/authorize can come from user-agents that
cannot display interactive login pages, such as the CLI. Therefore,
OKD supports authenticating using a WWW-Authenticate
challenge in addition to interactive login flows.
If an authenticating proxy is placed in front of the
<namespace_route>/oauth/authorize endpoint, it sends unauthenticated,
non-browser user-agents WWW-Authenticate challenges rather than
displaying an interactive login page or redirecting to an interactive
login flow.
|
To prevent cross-site request forgery (CSRF) attacks against browser
clients, only send Basic authentication challenges with if a
If the authenticating proxy cannot support |
You can configure a request to the OKD API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.
You can use Prometheus metrics to monitor login activity and troubleshoot authentication failures.
OKD captures the following Prometheus metrics that track authentication attempts and outcomes for both the CLI and web console:
openshift_auth_basic_password_count counts the number of oc login user name and password attempts.
openshift_auth_basic_password_count_result counts the number of oc login user name and password attempts by result, success or error.
openshift_auth_form_password_count counts the number of web console login attempts.
openshift_auth_form_password_count_result counts the number of web console login attempts by result, success or error.
openshift_auth_password_total counts the total number of oc login and web console login attempts.