Use cases for kubectl authentication - Configuring OIDC auth settings using Single Sign-On
Available in VPC
This example adds an Ncloud Single Sign-On tenant as the issuer in the Ncloud Kubernetes Service OpenID Connect (OIDC) authentication settings and then uses kubectl with a browser (portal) login instead of IAM credentials.
Note
The following must be prepared in advance to test the example.
- Install krew
- Install oidc-login/kubelogin
- Create Ncloud Single Sign-On Tenant / Application
Set up the oidc-login plugin
- Run oidc-login setup with the Issuer URL, Client ID, and Client Secret generated in Ncloud Single Sign-On.
kubectl oidc-login setup \
  --oidc-issuer-url=https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08 \
  --oidc-client-id=bf24746a-1957-4d45-8ad6-da86029296b2 \
  --oidc-client-secret=22202039-c06d-4ad0-95d0-fb537378cc20
- When the login screen appears in the browser, log in. If you are already logged in, the login screen will not be displayed.
- Check the contents of the id_token. The iss and sub claims are what the cluster uses to build the username, and aud must equal your Client ID.
{
  "sub": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
  "aud": "bf24746a-1957-4d45-8ad6-da86029296b2",
  "id_no": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
  "user_type": "CUSTOMER",
  "azp": "bf24746a-1957-4d45-8ad6-da86029296b2",
  "user_name": "nbp",
  "iss": "https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08",
  "mbr_no": "2551575",
  "exp": 1670295764,
  "iat": 1670293964,
  "nonce": "IZ32TJmuMGF1iisd8t7VGGSF2DkT5PY1FmVwpbT85Uw"
}
- While still authenticated with IAM (the kubeconfig you already have), create a ClusterRoleBinding for the OIDC user. Until a binding exists, the OIDC user can authenticate but is not authorized to do anything.
- If you do not set a username prefix/claim in the Ncloud Kubernetes Service OIDC setting, the username defaults to iss#sub, that is, the Issuer URL, a # character, and the sub claim of the id_token.
- To change the username, specify the prefix/claim in OIDC setting No. 4 on the console.
- This example binds cluster-admin to keep the walkthrough short; in a real cluster, bind the narrowest role the user actually needs.
kubectl create clusterrolebinding oidc-cluster-admin \
  --clusterrole=cluster-admin \
  --user='https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08#bcf8067c-da7e-4818-ae58-39add6bd7e6a'
- On the console, configure the Ncloud Kubernetes Service OpenID Connect (OIDC) authentication setting with the following values.
- Issuer URL: https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08
- Client ID: bf24746a-1957-4d45-8ad6-da86029296b2
- Add OIDC authentication to the kubeconfig file. The client secret is written into the kubeconfig in plain text, so protect the file as you would any credential.
kubectl config set-credentials oidc \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08 \
  --exec-arg=--oidc-client-id=bf24746a-1957-4d45-8ad6-da86029296b2 \
  --exec-arg=--oidc-client-secret=22202039-c06d-4ad0-95d0-fb537378cc20
- Run a kubectl command with the oidc user to confirm that authentication and the ClusterRoleBinding work.
kubectl --user=oidc get nodes
- Set the current kubeconfig context to use OIDC authentication by default.
kubectl config set-context --current --user=oidc
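The username rule in the steps above (iss#sub by default, prefix/claim to override) decides the --user value that the ClusterRoleBinding must carry. The following Python helper is added here as an example and is not part of the Ncloud documentation or of the kubelogin plugin. It decodes an id_token's payload, checks iss, aud and exp the way the API server does before mapping the user, and derives the Kubernetes username under kube-apiserver's --oidc-username-claim / --oidc-username-prefix rule. It assumes that the console's prefix/claim setting maps onto those two kube-apiserver flags, and it builds an unsigned sample token from the claims shown on this page so that it runs offline; it deliberately does no signature verification, which is the API server's job against the issuer's JWKS.

```python
import base64
import json
import time

# Values copied from the page's example (a constructed sample, not a live token).
ISSUER = "https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08"
CLIENT_ID = "bf24746a-1957-4d45-8ad6-da86029296b2"
SAMPLE_CLAIMS = {
    "sub": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
    "aud": CLIENT_ID,
    "id_no": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
    "user_type": "CUSTOMER",
    "azp": CLIENT_ID,
    "user_name": "nbp",
    "iss": ISSUER,
    "mbr_no": "2551575",
    "exp": 1670295764,
    "iat": 1670293964,
    "nonce": "IZ32TJmuMGF1iisd8t7VGGSF2DkT5PY1FmVwpbT85Uw",
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_sample_token(claims):
    """Build a JWT-shaped string for offline testing only. The third segment is a
    placeholder, not a signature, so any real API server would reject it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(id_token):
    """Return the payload claims of a JWT. No signature check is done here; the
    API server verifies the signature against the issuer's JWKS."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, issuer, client_id, now=None):
    """Check what the API server checks before mapping the user: iss must equal
    the configured Issuer URL, aud must contain the Client ID, exp must be in
    the future. Raises ValueError on the first failure, returns True otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError(f"iss {claims.get('iss')!r} does not match configured issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError(f"aud {aud!r} does not contain client id {client_id!r}")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token has expired")
    return True


def kubernetes_username(claims, username_claim="sub", username_prefix=None):
    """Apply kube-apiserver's username rule. With no prefix configured, a claim
    other than 'email' is prefixed with '<iss>#' so OIDC users cannot collide
    with local or system: users; 'email' is used bare; the special prefix '-'
    disables prefixing; any other prefix is prepended verbatim."""
    value = str(claims[username_claim])
    if username_prefix is None:
        return value if username_claim == "email" else f"{claims['iss']}#{value}"
    if username_prefix == "-":
        return value
    return username_prefix + value


if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    validate_claims(claims, ISSUER, CLIENT_ID, now=claims["iat"])  # pin the clock to the sample
    print("default username    :", kubernetes_username(claims))
    print("claim user_name, prefix oidc: :", kubernetes_username(claims, "user_name", "oidc:"))
    print("kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin "
          f"--user='{kubernetes_username(claims)}'")
```

Run it against a real token by replacing the sample with the output of `kubectl oidc-login get-token` (the id_token field), keeping in mind that the exp check uses the local clock and that the username only matches what the cluster assigns if the console setting really maps to the two flags assumed above.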