4 changed files with 131 additions and 1 deletions
@ -0,0 +1,123 @@ |
|||
--- |
|||
title: "Secure your OpenShift 4 cluster with OpenID Connect authentication" |
|||
date: 2020-04-17T00:00:00+02:00 |
|||
opensource: |
|||
- OpenShift |
|||
topics: |
|||
- OpenID Connect |
|||
--- |
|||
|
|||
OpenShift, starting with the version 4, is installed with a temporary administrator account, [kubeadmin](https://docs.openshift.com/container-platform/4.3/authentication/remove-kubeadmin.html). |
|||
When searching for a definitive solution, it might be tempting to go for the very classical "login and password" prompt, backed by an [htpasswd file](https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-htpasswd-identity-provider.html). |
|||
But this is yet another password to remember! |
|||
|
|||
OpenShift can handle the [OpenID Connect](https://openid.net/connect/) protocol and thus offers Single Sign On to its users. |
|||
No additional password to remember: you can login to the OpenShift console with your [Google Account](../use-google-account-openid-connect-provider) for instance. |
|||
|
|||
## Pre-requisites |
|||
|
|||
The rest of this article assumes you have already setup your OpenID Connect client in the Google Developer Console as explained in this article: [Use your Google Account as an OpenID Connect provider](../use-google-account-openid-connect-provider). |
|||
|
|||
Then, create a secret in the **openshift-config** namespace containing the client secret generated by the Google Developer Console. |
|||
|
|||
```sh |
|||
oc create secret generic google-client-secret --from-literal=clientSecret="<YOUR CLIENT_SECRET>" -n openshift-config |
|||
``` |
|||
|
|||
The rest of the procedure differs, depending if you are the member of a Google Suite or a regular GMail user. |
|||
|
|||
## Configure Google Authentication in OpenShift 4 for Google Suite users |
|||
|
|||
Create an **OAuth** object in the **openshift-config** namespace. |
|||
Do not forget to add the Client ID generated by the Google Developer Console in the **clientID** field. |
|||
You will also have to set the custom domain of your Google Suite in the **hostedDomain** field. |
|||
|
|||
```sh |
|||
oc apply -f - <<EOF |
|||
apiVersion: config.openshift.io/v1 |
|||
kind: OAuth |
|||
metadata: |
|||
name: cluster |
|||
namespace: openshift-config |
|||
spec: |
|||
identityProviders: |
|||
- name: Google |
|||
mappingMethod: claim |
|||
type: Google |
|||
google: |
|||
clientID: "<YOUR CLIENT_ID>.apps.googleusercontent.com" |
|||
clientSecret: |
|||
name: google-client-secret |
|||
hostedDomain: "example.com" |
|||
EOF |
|||
``` |
|||
|
|||
If you have a Google Suite, there is nothing more to configure. |
|||
You can login to the OpenShift Console with your Google account! |
|||
|
|||
You can even work collaboratively since every user of your Google Suite can login and use your OpenShift cluster! |
|||
If you do not want to share your OpenShift cluster, you can disable the [self-provisioner role](https://docs.openshift.com/container-platform/4.3/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation). |
|||
|
|||
## Configure Google Authentication in OpenShift 4 for regular GMail users |
|||
|
|||
If you have only a regular Gmail account, the procedure is a bit different and slightly longer. |
|||
|
|||
You will need to set the **mappingMethod** field to **lookup** and leave the **hostedDomain** field empty. |
|||
|
|||
```sh |
|||
oc apply -f - <<EOF |
|||
apiVersion: config.openshift.io/v1 |
|||
kind: OAuth |
|||
metadata: |
|||
name: cluster |
|||
spec: |
|||
identityProviders: |
|||
- name: Google |
|||
mappingMethod: lookup |
|||
type: Google |
|||
google: |
|||
clientID: "<YOUR CLIENT_ID>.apps.googleusercontent.com" |
|||
clientSecret: |
|||
name: google-client-secret |
|||
hostedDomain: "" |
|||
EOF |
|||
``` |
|||
|
|||
If you try to login on the OpenShift console with your GMail account, it will fail with the following message: "Could not find user". |
|||
**This is expected since we have not yet create the matching user in OpenShift.** |
|||
|
|||
Create a user. |
|||
|
|||
```sh |
|||
oc create user nicolas --full-name="Nicolas MASSE" |
|||
``` |
|||
|
|||
Then, retrieve your Google internal User ID from the OpenShift OAuth logs. |
|||
|
|||
```sh |
|||
for pod in $(oc get pods -l app=oauth-openshift -o name -n openshift-authentication); do |
|||
oc logs --tail=10 $pod -n openshift-authentication | grep useridentitymapping.user.openshift.io |
|||
done |
|||
``` |
|||
|
|||
You should get at least one line looking as such: |
|||
|
|||
``` |
|||
E0417 14:18:55.872542 1 errorpage.go:26] AuthenticationError: lookup of user for "Google:114331641802984310666" failed: useridentitymapping.user.openshift.io "Google:114331641802984310666" not found |
|||
``` |
|||
|
|||
The string behind "Google:" is your Google internal User ID. |
|||
|
|||
Create an OpenShift identity object from such internal user ID. |
|||
|
|||
```sh |
|||
oc create identity Google:114331641802984310666 |
|||
``` |
|||
|
|||
Finally, create an identity mapping between this identity and the user you created earlier. |
|||
|
|||
```sh |
|||
oc create useridentitymapping Google:114331641802984310666 nicolas |
|||
``` |
|||
|
|||
And now you can login on your OpenShift 4 cluster with your GMail account! |
|||
Loading…
Reference in new issue