×

As an administrator, you can configure OAuth to specify an identity provider after you install your cluster. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.

The OKD master includes a built-in OAuth server.

About identity providers in OKD

You can configure identity providers by creating a custom resource (CR) that describes the provider and adding it to the cluster. Identity providers enable user authentication in OKD beyond the default kubeadmin user.

OKD user names containing /, :, and % are not supported.

Supported identity providers

You can configure the following types of identity providers:

Identity provider Description

Configure the htpasswd identity provider to validate user names and passwords against a flat file generated using htpasswd.

Configure the keystone identity provider to integrate your OKD cluster with Keystone to enable shared authentication with an OpenStack Keystone v3 server configured to store users in an internal database.

Configure the ldap identity provider to validate user names and passwords against an LDAPv3 server, using simple bind authentication.

Configure a basic-authentication identity provider for users to log in to OKD with credentials validated against a remote identity provider. Basic authentication is a generic backend integration mechanism.

Configure a request-header identity provider to identify users from request header values, such as X-Remote-User. It is typically used in combination with an authenticating proxy, which sets the request header value.

Configure a github identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server.

Configure a gitlab identity provider to use GitLab.com or any other GitLab instance as an identity provider.

Configure a google identity provider using Google’s OpenID Connect integration.

Configure an oidc identity provider to integrate with an OpenID Connect identity provider using an Authorization Code Flow.

Once an identity provider has been defined, you can use RBAC to define and apply permissions.

Removing the kubeadmin user

After you define an identity provider and create a new cluster-admin user, you can remove the kubeadmin to improve cluster security.

If you follow this procedure before another user is a cluster-admin, then OKD must be reinstalled. It is not possible to undo this command.

Prerequisites
  • You must have configured at least one identity provider.

  • You must have added the cluster-admin role to a user.

  • You must be logged in as an administrator.

Procedure
  • Remove the kubeadmin secrets:

    $ oc delete secrets kubeadmin -n kube-system

Identity provider parameters

The following parameters are common to all identity providers:

Parameter Description

name

The provider name is prefixed to provider user names to form an identity name.

mappingMethod

Defines how new identities are mapped to users when they log in. Enter one of the following values:

claim

The default value. Provisions a user with the identity’s preferred user name. Fails if a user with that user name is already mapped to another identity.

lookup

Looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities. This allows cluster administrators to set up identities and users manually, or using an external process. Using this method requires you to manually provision users.

add

Provisions a user with the identity’s preferred user name. If a user with that user name already exists, the identity is mapped to the existing user, adding to any existing identity mappings for the user. Required when multiple identity providers are configured that identify the same set of users and map to the same user names.

When adding or changing identity providers, you can map identities from the new provider to existing users by setting the mappingMethod parameter to add.

Sample identity provider CR

You can use a custom resource (CR) to see the parameters and default values that you use to configure an identity provider.

The following example uses the htpasswd identity provider.

Sample identity provider CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_identity_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret

where:

spec.identityProviders.name

Specifies the provider name, which is prefixed to provider user names to form an identity name.

spec.identityProviders.mappingMethod

Specifies how mappings are established between this provider’s identities and User objects.

spec.identityProviders.htpasswd.fileData.name

Specifies an existing secret containing a file generated using htpasswd.

Manually provisioning a user when using the lookup mapping method

You can manually provision users when the lookup mapping method is enabled. The lookup method disables automatic identity-to-user mapping during login, requiring manual provisioning of each user after configuring the identity provider.

Prerequisites
  • You have installed the OpenShift CLI (oc).

Procedure
  1. Create an OKD user:

    $ oc create user <username>
  2. Create an OKD identity:

    $ oc create identity <identity_provider>:<identity_provider_user_id>

    Where <identity_provider_user_id> is a name that uniquely represents the user in the identity provider.

  3. Create a user identity mapping for the created user and identity:

    $ oc create useridentitymapping <identity_provider>:<identity_provider_user_id> <username>