Configure Kubernetes for OIDC Token Validation while Bootstrapping the System¶

You must configure the Kubernetes cluster’s kube-apiserver to use the oidc-auth-apps OIDC identity provider for validation of tokens in Kubernetes API requests, which use OIDC authentication.

About this task

Complete these steps to configure Kubernetes for OIDC token validation during bootstrapping and deployment.

The values set in this procedure can be changed at any time using service parameters as described in Configure Kubernetes for OIDC Token Validation after Bootstrapping the System.

Procedure

Configure the Kubernetes cluster kube-apiserver by adding the following parameters to the localhost.yml file, during bootstrap:
```
# cd ~
# cat <<EOF > /home/sysadmin/localhost.yml
apiserver_oidc:
  client_id: <stx-oidc-client-app>
  issuer_url: https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex
  username_claim: <email>
  groups_claim: <groups>
EOF
```
where:

<oidc-auth-apps-dex-service-NodePort>

is the port to be configured for the NodePort service for dex in oidc-auth-apps. The default is 30556.

The values of the username_claim, and groups_claim parameters could vary for different user and groups configurations in your Windows Active Directory or LDAP server.

Note

For IPv6 deployments, ensure that the IPv6 OAM floating address in the issuer_url is, https://[<oam-floating-ip>]:30556/dex (that is, in lower case, and wrapped in square brackets).

Results

For more information on OIDC Authentication for subclouds, see Centralized vs Distributed OIDC Authentication Setup.

Configure Kubernetes for OIDC Token Validation while Bootstrapping the System

Configure Kubernetes for OIDC Token Validation while Bootstrapping the System¶

StarlingX