As an administrator, you can configure OAuth to specify an identity provider after you install your cluster. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.
The OKD master includes a built-in OAuth server.
You can configure identity providers by creating a custom resource (CR) that describes the provider and adding it to the cluster. Identity providers enable user authentication in OKD beyond the default kubeadmin user.
|
OKD user names containing |
You can configure the following types of identity providers:
| Identity provider | Description |
|---|---|
Configure the |
|
Configure the |
|
Configure the |
|
Configure a |
|
Configure a |
|
Configure a |
|
Configure a |
|
Configure a |
|
Configure an |
Once an identity provider has been defined, you can use RBAC to define and apply permissions.
After you define an identity provider and create a new cluster-admin
user, you can remove the kubeadmin to improve cluster security.
|
If you follow this procedure before another user is a |
You must have configured at least one identity provider.
You must have added the cluster-admin role to a user.
You must be logged in as an administrator.
Remove the kubeadmin secrets:
$ oc delete secrets kubeadmin -n kube-system
The following parameters are common to all identity providers:
| Parameter | Description |
|---|---|
|
The provider name is prefixed to provider user names to form an identity name. |
|
Defines how new identities are mapped to users when they log in. Enter one of the following values:
|
When adding or changing identity providers, you can map identities from the new
provider to existing users by setting the mappingMethod parameter to
add.
|
You can use a custom resource (CR) to see the parameters and default values that you use to configure an identity provider.
The following example uses the htpasswd identity provider.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: my_identity_provider
mappingMethod: claim
type: HTPasswd
htpasswd:
fileData:
name: htpass-secret
where:
spec.identityProviders.nameSpecifies the provider name, which is prefixed to provider user names to form an identity name.
spec.identityProviders.mappingMethodSpecifies how mappings are established between this provider’s identities and User objects.
spec.identityProviders.htpasswd.fileData.nameSpecifies an existing secret containing a file generated using htpasswd.
You can manually provision users when the lookup mapping method is enabled. The lookup method disables automatic identity-to-user mapping during login, requiring manual provisioning of each user after configuring the identity provider.
You have installed the OpenShift CLI (oc).
Create an OKD user:
$ oc create user <username>
Create an OKD identity:
$ oc create identity <identity_provider>:<identity_provider_user_id>
Where <identity_provider_user_id> is a name that uniquely represents the user in the identity provider.
Create a user identity mapping for the created user and identity:
$ oc create useridentitymapping <identity_provider>:<identity_provider_user_id> <username>