Centralized OIDC Authentication Setup for Distributed Cloud

In a Distributed Cloud configuration, you can configure OIDC authentication in a distributed or centralized setup.

Distributed Setup

For a distributed setup, configure the kube-apiserver, and oidc-auth-apps independently for each cloud, System Controller, and all subclouds. For more information, see:

All clouds oidc-auth-apps can be configured to communicate to the same or different remote Windows Active Directory servers, however, each cloud manages OIDC tokens individually. A user must login, authenticate, and get an OIDC token for each cloud independently.

Centralized Setup

For a centralized setup, the oidc-auth-apps is configured ‘only’ on the System Controller. The kube-apiserver must be configured on all clouds, System Controller, and all subclouds, to point to the centralized oidc-auth-apps running on the System Controller. In the centralized setup, a user logs in, authenticates, and gets an OIDC token from the Central System Controller’s OIDC identity provider, and uses the OIDC token with ‘any’ of the subclouds as well as the System Controller cloud.

For a centralized OIDC authentication setup, use the following procedure:

Procedure

  1. Configure the kube-apiserver parameters on the System Controller and each subcloud during bootstrapping, or by using the system service-parameter-add kubernetes kube_apiserver command after bootstrapping the system, using the System Controller’s floating OAM IP address as the oidc-issuer-url for all clouds.

    For example, oidc-issuer-url=https://<central-cloud-floating-ip>:<oidc-auth-apps-dex -service-NodePort>/dex on the subcloud.

    For more information, see:

  2. On the System Controller only configure the oidc-auth-apps. For more information, see Configure OIDC Auth Applications.

    Note

    For IPv6 deployments, ensure that the IPv6 OAM floating address is, https://[<central-cloud-floating-ip>]:30556/dex (that is, in lower case, and wrapped in square brackets).

Postrequisites

For more information on configuring Users, Groups, Authorization, and kubectl for the user and retrieving the token on subclouds, see:

For more information on Obtaining the Authentication Token, see: