docs/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst
Ron Stone f125a8b892 Remove spurious escapes (r8,dsR8)
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
2023-03-01 11:19:04 +00:00


Configure Kubernetes for OIDC Token Validation while Bootstrapping the System

You must configure the Kubernetes cluster's kube-apiserver to use the oidc-auth-apps identity provider to validate the OIDC tokens presented as bearer tokens in authenticated Kubernetes API requests.

Complete these steps to configure Kubernetes for token validation during bootstrapping and deployment.

The values set in this procedure can be changed at any time using service parameters as described in Configure Kubernetes for OIDC Token Validation after Bootstrapping the System <configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system>.

  • Configure the Kubernetes cluster kube-apiserver by adding the following parameters to the localhost.yml file during bootstrap. The heredoc below overwrites localhost.yml; if the file already holds other bootstrap overrides, append the apiserver_oidc block to the existing file instead:

    # cd ~
    # cat <<EOF > /home/sysadmin/localhost.yml
    apiserver_oidc:
      client_id: <stx-oidc-client-app>
      issuer_url: https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex
      username_claim: <email>
      groups_claim: <groups>
    EOF

    where:

    <oidc-auth-apps-dex-service-NodePort>

    is the port to be configured for the NodePort service for dex in oidc-auth-apps. The default is 30556.

    The values of the username_claim and groups_claim parameters depend on how users and groups are configured in your Windows Active Directory server; they must name the claims that dex places in the ID tokens it issues, since kube-apiserver reads the username and group membership from those claims.

    Note

    For IPv6 deployments, ensure that the IPv6 OAM floating address in the issuer_url is written as https://[<oam-floating-ip>]:30556/dex (that is, the address in lower case and wrapped in square brackets). kube-apiserver requires the issuer value it reads from the dex discovery document to match issuer_url exactly, so a mismatch in case or bracketing causes token validation to fail.
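The following shell helpers are an added example and are not part of the StarlingX documentation or project code. They build the issuer_url in the form the note above requires (IPv6 literals lower-cased and bracketed), append the apiserver_oidc block to an existing localhost.yml without discarding other bootstrap overrides, and, after bootstrap, check the resulting kube-apiserver flags and the dex discovery document. The kubeadm static-pod manifest path, the dex discovery endpoint path and the optional CA file argument are assumptions; the claim names and client id are the placeholders from the procedure above.

```shell
# Added example: helpers for the apiserver_oidc bootstrap settings.
# Not StarlingX project code; paths and endpoints below are assumptions.

# Build https://<host>:<port>/dex. IPv6 literals are lower-cased and
# wrapped in square brackets; an already-bracketed literal is tolerated.
build_issuer_url() {
    host=$1
    port=$2
    host=${host#\[}
    host=${host%\]}
    case $host in
        *:*) host="[$(printf '%s' "$host" | tr 'A-Z' 'a-z')]" ;;
    esac
    printf 'https://%s:%s/dex\n' "$host" "$port"
}

# Append (not overwrite) the apiserver_oidc block to a localhost.yml.
# $1 file  $2 OAM floating IP  $3 dex NodePort  $4 client id
# $5 username claim  $6 groups claim
append_apiserver_oidc() {
    file=$1
    issuer=$(build_issuer_url "$2" "$3")
    cat >>"$file" <<EOF
apiserver_oidc:
  client_id: $4
  issuer_url: $issuer
  username_claim: $5
  groups_claim: $6
EOF
}

# Print the issuer_url recorded in a localhost.yml (empty if absent).
get_issuer_url() {
    sed -n 's/^[[:space:]]*issuer_url:[[:space:]]*//p' "$1"
}

# After bootstrap: list the --oidc-* flags kube-apiserver was started with.
# Assumes the kubeadm static-pod manifest path (assumption).
check_apiserver_flags() {
    manifest=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
    grep -o -- '--oidc-[a-z-]*=[^ ]*' "$manifest"
}

# Fetch dex's discovery document and print its "issuer" field; it must
# equal issuer_url exactly or kube-apiserver rejects the tokens.
# $1 issuer_url  $2 optional CA bundle for the dex certificate (assumption)
check_discovery() {
    url="$1/.well-known/openid-configuration"
    if [ -n "${2:-}" ]; then
        curl -sS --cacert "$2" "$url"
    else
        curl -sS "$url"
    fi | grep -o '"issuer":"[^"]*"'
}
```

Typical use on the controller after bootstrap: `check_apiserver_flags` should show `--oidc-issuer-url`, `--oidc-client-id`, `--oidc-username-claim` and `--oidc-groups-claim`, and `check_discovery "$(get_issuer_url /home/sysadmin/localhost.yml)" /path/to/dex-ca.crt` should print an issuer identical to the configured issuer_url.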

For more information on Authentication for subclouds, see Centralized OIDC Authentication Setup for Distributed Cloud <centralized-oidc-authentication-setup-for-distributed-cloud>.