Set OpenID Connect (OIDC) authentication
- Print
- PDF
Set OpenID Connect (OIDC) authentication
- Print
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Available in VPC
You can add OpenID Connect (OIDC) provider as an authentication method of the Ncloud Kubernetes Service cluster, and grant permissions by configuring the role and authority of OIDC authentication users.
Note
- This feature is provided in Kubernetes version 1.18 or later.
- To use clusters in earlier versions than 1.18, you must meet the required version using the upgrade feature.
- Only one OIDC provider can be set.
- Ncloud Kubernetes Service must be able to access the OIDC provider openly to search the public signature key.
- You must add NAT Gateway and set routing.
- OIDC providers that use a self-signed certificate are not supported.
- For more information on OIDC authentication, refer to the Official authentication document. For more information on the rule and authority of the authenticated users, refer to the Official document on using RBAC authorization.
Set OIDC authentication
- Mandatory information
- Issuer URL: URL of OIDC provider for API server to search the public signature key. Only URLs that use https:// format are allowed. Generally it is the search URL of OIDC provider without a path (e.g., https://oidc.example.com or https://login.example.com). This URL must indicate a level lower than .well-known/openid-configuration, and be able to access through Internet.
- Client ID: Client ID of OIDC provider
- Additional information
- Username claim: The claim used as the user’s username. Default value is sub. To prevent conflicts with other plugins, for claims except email, Issuer URL is attached as a prefix.
- Groups claim: JWT claim used as groups of the user. If there is a claim, it must be a string array.
- Username prefix: to prevent conflicts with the existing usernames (e.g., system:users), a prefix is attached in front of the Username claim. For example, the value oidc: creates usernames such as oidc:jane.doe. If no Username prefix is assigned and the Username claim is not email, default value of prefix is (Issuer URL)#. Set as - to do not use any prefixes.
- Groups prefix: to prevent conflicts with the existing groups (e.g., system:group), a prefix is attached in front of Groups claim. For example, the value oidc: creates group names such as oidc:developers and oidc:tester.
- Required claim: key=value pair that assigns required claims to ID token. If set, it checks whether there is a matching claim in ID token. Divide using ‘ ,’ to assign multiple claims.
- Go to Kubernetes Service > Cluster > Cluster description > OpenID Connect (OIDC) and click the [Edit] button.
- Change the status to [Set] and enter OIDC authentication information.
- Press the [OK] button to change the cluster status to the [Setting is in progress] and perform OIDC authentication setting.
- Once the OIDC authentication setting is completed, the cluster status is changed to [Running].
Remove OIDC authentication
- Go to Kubernetes Service > Cluster > Cluster description > OpenID Connect (OIDC) and click the [Edit] button.
- Change the status to [Remove] and click the [OK] button. The cluster status is changed to [Setting is in progress] and removal of OIDC authentication setting is performed.
- Once the OIDC authentication is removed, the cluster status is changed to [Running].
Was this article helpful?