OpenID Connect Authentication
The kube-apiserver
in minikube can be configured to support OpenID Connect Authentication.
Read more about OpenID Connect Authentication for Kubernetes here: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
Configuring the API Server
Configuration values can be passed to the API server using the --extra-config
flag on the minikube start
command. See configuring_kubernetes.md for more details.
The following example configures your Minikube cluster to support RBAC and OIDC:
minikube start \
--extra-config=apiserver.authorization-mode=RBAC \
--extra-config=apiserver.oidc-issuer-url=https://example.com \
--extra-config=apiserver.oidc-username-claim=email \
--extra-config=apiserver.oidc-client-id=kubernetes-local
Note that as stated in the Kubernetes documentation, for --extra-config=apiserver.oidc-issuer-url
flag, only URLs which use the https://
scheme are accepted. Otherwise kube-apiserver
will not start.
Configuring kubectl
You can use the kubectl oidc
authenticator to create a kubeconfig as shown in the Kubernetes docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#option-1-oidc-authenticator
minikube start
already creates a kubeconfig that includes a cluster
, in order to use it with your oidc
authenticator kubeconfig, you can run:
kubectl config set-context kubernetes-local-oidc --cluster=minikube --user username@example.com
Context "kubernetes-local-oidc" created.
kubectl config use-context kubernetes-local-oidc
For the new context to work you will need to create, at the very minimum, a Role
and a RoleBinding
in your cluster to grant permissions to the subjects
included in your oidc-username-claim
.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.