Available in VPC
This example adds an Ncloud Single Sign-On tenant as the issuer in the Ncloud Kubernetes Service OpenID Connect (OIDC) authentication setting and then uses kubectl through a portal login.
Note
The following prerequisites are required to test the example.
- krew is installed.
- The oidc-login (kubelogin) kubectl plugin is installed.
- Ncloud Single Sign-On Tenant/Application is created.
Setting up the oidc-login plugin
- Run oidc-login setup with the Issuer URL, Client ID, and Client Secret generated in Ncloud Single Sign-On.
kubectl oidc-login setup \
  --oidc-issuer-url=https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08 \
  --oidc-client-id=bf24746a-1957-4d45-8ad6-da86029296b2 \
  --oidc-client-secret=22202039-c06d-4ad0-95d0-fb537378cc20
- When the login screen appears in the browser, log in. If you are already logged in, the login screen will not be displayed.
- Check the contents of the id_token. The decoded payload looks like the following; the iss and sub claims are the ones the cluster uses to build the username.
{
  "sub": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
  "aud": "bf24746a-1957-4d45-8ad6-da86029296b2",
  "id_no": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
  "user_type": "CUSTOMER",
  "azp": "bf24746a-1957-4d45-8ad6-da86029296b2",
  "user_name": "nbp",
  "iss": "https:\/\/sso.ncloud.com\/tenants\/f42162be-f574-477f-985b-c624579f2b08",
  "mbr_no": "2551575",
  "exp": 1670295764,
  "iat": 1670293964,
  "nonce": "IZ32TJmuMGF1iisd8t7VGGSF2DkT5PY1FmVwpbT85Uw"
}
- While still authenticated with the IAM kubeconfig (the OIDC user has no permissions yet), bind a cluster role to the OIDC user.
- If you do not set a username prefix/claim in the Ncloud Kubernetes Service OIDC setting, the username defaults to iss#sub, that is, the issuer URL, a '#', and the sub claim from the id_token.
- To change the username, specify a prefix/claim in OIDC setting No. 4.
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08#bcf8067c-da7e-4818-ae58-39add6bd7e6a'
- cluster-admin grants full control of the cluster. Use it only for an administrator account; for other users bind a narrower ClusterRole or a namespaced Role instead.
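The --user value in the binding must match the iss#sub username byte for byte, or the OIDC user will authenticate but get no permissions. The following added example (not part of the Ncloud guide) decodes an id_token payload and prints that default username, so it can be pasted into the clusterrolebinding command. It assumes POSIX sh with base64, sed, cut and tr available; the sample token is constructed from the claims shown above with a dummy signature, and the helper names (b64url_decode, json_claim, oidc_default_username, extract_exec_token) are the example's own.

```shell
#!/bin/sh
# Added example, not from the Ncloud guide: decode an id_token payload and derive the
# username the cluster assigns by default (iss#sub, used when no username claim/prefix
# is configured) so that --user in `kubectl create clusterrolebinding` matches exactly.
# Only the payload is decoded; signature verification is the API server's job.

# Decode base64url ('-' and '_' alphabet, no padding) to raw bytes.
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Encode raw bytes as base64url (used only to build the constructed sample token below).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Pull one string claim out of a flat JSON object without jq. Also unescapes the "\/"
# sequences that some identity providers emit for slashes in URLs.
json_claim() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" | sed 's#\\/#/#g'
}

# Given a compact JWT (header.payload.signature), print "<iss>#<sub>".
oidc_default_username() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  json=$(b64url_decode "$payload") || return 1
  iss=$(json_claim "$json" iss)
  sub=$(json_claim "$json" sub)
  [ -n "$iss" ] && [ -n "$sub" ] || return 1
  printf '%s#%s\n' "$iss" "$sub"
}

# Extract the bearer token from the ExecCredential JSON that
# `kubectl oidc-login get-token ...` prints on stdout (pipe it into this function).
extract_exec_token() {
  sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# Constructed sample token: header and payload built from the claims shown in this guide,
# with a dummy signature. A real token comes from `kubectl oidc-login get-token`.
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"sub":"bcf8067c-da7e-4818-ae58-39add6bd7e6a","aud":"bf24746a-1957-4d45-8ad6-da86029296b2","iss":"https:\/\/sso.ncloud.com\/tenants\/f42162be-f574-477f-985b-c624579f2b08","exp":1670295764}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").c2ln"

# Prints: https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08#bcf8067c-da7e-4818-ae58-39add6bd7e6a
oidc_default_username "$SAMPLE_TOKEN"
```

With a live token the same derivation is: `kubectl oidc-login get-token --oidc-issuer-url=... --oidc-client-id=... --oidc-client-secret=... | extract_exec_token | xargs oidc_default_username` (the get-token flags are those already used in this guide). If a username prefix or a different username claim is configured in the console, the cluster uses that mapping instead of iss#sub and this output no longer applies.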
- On the console, configure the Ncloud Kubernetes Service OpenID Connect (OIDC) authentication setting with the same issuer and client that oidc-login was set up with.
- Issuer URL: https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08
- Client ID: bf24746a-1957-4d45-8ad6-da86029296b2
- Add oidc authentication to the kubeconfig file.
kubectl config set-credentials oidc \
  --exec-api-version=client.authentication.k8s.io/v1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08 \
  --exec-arg=--oidc-client-id=bf24746a-1957-4d45-8ad6-da86029296b2 \
  --exec-arg=--oidc-client-secret=22202039-c06d-4ad0-95d0-fb537378cc20 \
  --exec-arg=--oidc-extra-scope=groups
- The client secret is stored in the kubeconfig file in plain text, so keep the file readable only by its owner (for example, chmod 600 ~/.kube/config).
- Use oidc authentication to execute a kubectl command.
kubectl --user=oidc get nodes
- Set the current kubeconfig context to use oidc authentication.
kubectl config set-context --current --user=oidc