Use cases for kubectl authentication - Configuring OIDC auth settings using Single Sign-On

    Available in VPC

    This example adds an Ncloud Single Sign-On tenant as the issuer in the OpenID Connect (OIDC) authentication settings and uses kubectl through portal login.

    Note

    The following describes what you need to prepare in advance to test the example.

    Set up the oidc-login plugin

    1. Run oidc-login setup with the Issuer URL, ClientID, and ClientSecret generated in Ncloud Single Sign-On.
      • When the login screen appears in the browser, log in. If you are already logged in, the login screen will not be displayed.
        kubectl oidc-login setup \
        --oidc-issuer-url=https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08 \
        --oidc-client-id=bf24746a-1957-4d45-8ad6-da86029296b2 \
        --oidc-client-secret=22202039-c06d-4ad0-95d0-fb537378cc20
        
    2. Check the contents of id_token.
      {
        "sub": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
        "aud": "bf24746a-1957-4d45-8ad6-da86029296b2",
        "id_no": "bcf8067c-da7e-4818-ae58-39add6bd7e6a",
        "user_type": "CUSTOMER",
        "azp": "bf24746a-1957-4d45-8ad6-da86029296b2",
        "user_name": "nbp",
        "iss": "https:\/\/sso.ncloud.com\/tenants\/f42162be-f574-477f-985b-c624579f2b08",
        "mbr_no": "2551575",
        "exp": 1670295764,
        "iat": 1670293964,
        "nonce": "IZ32TJmuMGF1iisd8t7VGGSF2DkT5PY1FmVwpbT85Uw"
      }
      
    3. In the IAM-authenticated state, use kubeconfig to add the cluster role for the OIDC authentication user.
      • If you do not set a username prefix/claim in the Ncloud Kubernetes Service OIDC setting, iss#sub is set as the username by default.
      • To change the username, you can specify the prefix/claim in OIDC setting No. 4.
      kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08#bcf8067c-da7e-4818-ae58-39add6bd7e6a'
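
The id_token check in step 2 and the default `iss#sub` username in step 3, as an added example that is not part of the original documentation: it decodes the token payload, compares `iss`, `aud` and `exp` with the configured values, and builds the exact string to pass to `--user`. Parsing the JSON also turns the escaped `https:\/\/` form of `iss` into the plain URL the binding needs. The function names are hypothetical, the payload reuses the sample claims from step 2, and the JWT header and signature are constructed; the signature is not verified here.

```python
import base64
import json
import time

def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(claims: dict, issuer_url: str, client_id: str, now=None) -> list:
    """Return claim mismatches against the configured Issuer URL and Client ID."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append("iss does not match the Issuer URL")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def default_username(claims: dict) -> str:
    """Username when no prefix/claim is configured: iss#sub (per the page)."""
    return f"{claims['iss']}#{claims['sub']}"

# Constructed sample: payload claims copied from step 2; header and signature are made up.
ISSUER = "https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08"
CLIENT_ID = "bf24746a-1957-4d45-8ad6-da86029296b2"
PAYLOAD = (r'{"sub": "bcf8067c-da7e-4818-ae58-39add6bd7e6a", '
           r'"aud": "bf24746a-1957-4d45-8ad6-da86029296b2", '
           r'"iss": "https:\/\/sso.ncloud.com\/tenants\/f42162be-f574-477f-985b-c624579f2b08", '
           r'"exp": 1670295764, "iat": 1670293964}')
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         b64url(PAYLOAD.encode()), b64url(b"constructed-signature")])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(preflight(claims, ISSUER, CLIENT_ID, now=1670294000))  # time inside iat..exp
    print(default_username(claims))  # value to pass to --user in step 3
```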
      
    1. On the console, configure the Ncloud Kubernetes Service OpenID Connect (OIDC) authentication settings.
      • Issuer URL: https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08
      • Client ID: bf24746a-1957-4d45-8ad6-da86029296b2
    2. Add oidc authentication to the kubeconfig file.
      kubectl config set-credentials oidc \
        --exec-api-version=client.authentication.k8s.io/v1beta1 \
        --exec-command=kubectl \
        --exec-arg=oidc-login \
        --exec-arg=get-token \
        --exec-arg=--oidc-issuer-url=https://sso.ncloud.com/tenants/f42162be-f574-477f-985b-c624579f2b08 \
        --exec-arg=--oidc-client-id=bf24746a-1957-4d45-8ad6-da86029296b2 \
        --exec-arg=--oidc-client-secret=22202039-c06d-4ad0-95d0-fb537378cc20
      
    3. Use oidc authentication to execute the kubectl command.
      kubectl --user=oidc get nodes
      
    4. Set the current kubeconfig context to use oidc authentication.
      kubectl config set-context --current --user=oidc
      
