Configure Kubernetes for OIDC Token Validation while Bootstrapping the System¶
You must configure the Kubernetes cluster’s kube-apiserver to use the oidc-auth-apps OIDC identity provider for validation of tokens in Kubernetes API requests, which use OIDC authentication.
About this task
Complete these steps to configure Kubernetes for OIDC token validation during bootstrapping and deployment.
The values set in this procedure can be changed at any time using service parameters as described in Configure Kubernetes for OIDC Token Validation after Bootstrapping the System.
Configure the Kubernetes cluster kube-apiserver by adding the following parameters to the localhost.yml file, during bootstrap:
# cd ~ # cat <<EOF > /home/sysadmin/localhost.yml apiserver_oidc: client_id: <stx-oidc-client-app> issuer_url: https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex username_claim: <email> groups_claim: <groups> EOF
is the port to be configured for the NodePort service for dex in oidc-auth-apps. The default is 30556.
The values of the username_claim, and groups_claim parameters could vary for different user and groups configurations in your Windows Active Directory server.
For IPv6 deployments, ensure that the IPv6 OAM floating address in the issuer_url is, https://[<oam-floating-ip>]:30556/dex (that is, in lower case, and wrapped in square brackets).
For more information on OIDC Authentication for subclouds, see Centralized OIDC Authentication Setup for Distributed Cloud.