docs/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst

Configure Kubernetes for OIDC Token Validation while Bootstrapping the System

You must configure the Kubernetes cluster's kube-apiserver to use the oidc-auth-apps identity provider for validation of tokens in Kubernetes API requests, which use authentication.

Complete these steps to configure Kubernetes for token validation during bootstrapping and deployment.

The values set in this procedure can be changed at any time using service parameters as described in Configure Kubernetes for OIDC Token Validation after Bootstrapping the System <configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system>.

• Configure the Kubernetes cluster kube-apiserver by adding the following parameters to the localhost.yml file, during bootstrap:

  # cd ~
  # cat <<EOF > /home/sysadmin/localhost.yml
  apiserver_oidc:
    client_id: <stx-oidc-client-app>
    issuer_url: https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex
    username_claim: <email>
    groups_claim: <groups>
  EOF

  where:

  <oidc-auth-apps-dex-service-NodePort>

  is the port to be configured for the NodePort service for dex in oidc-auth-apps. The default is 30556.

  The values of the username_claim, and groups_claim parameters could vary for different user and groups configurations in your Windows Active Directory server.

  Note

  For IPv6 deployments, ensure that the IPv6 OAM floating address in the issuer_url is, https://\[<oam-floating-ip>]:30556/dex (that is, in lower case, and wrapped in square brackets).

For more information on Authentication for subclouds, see Centralized OIDC Authentication Setup for Distributed Cloud <centralized-oidc-authentication-setup-for-distributed-cloud>.