
We are planning to implement OpenID authentication for Kubernetes. I'm trying to find a way to add the oidc-issuer-url to the Kubernetes cluster as described here: Kubernetes OpenID

But I'm unable to find the cluster configuration. How can I add or edit values of the Kubernetes cluster API server using kubectl?

2 Answers


You should be using kube-apiserver.

The Kubernetes API server validates and configures data for the api objects which include pods, services, replicationcontrollers, and others. The API Server services REST operations and provides the frontend to the cluster’s shared state through which all other components interact.

kube-apiserver [flags]

If using kops, run kops edit cluster and add:

spec:
  kubeAPIServer:
    oidcIssuerURL: ISSUER_URL
    oidcClientID: YOUR_CLIENT_ID

If you are using kube-aws, add the following to cluster.yaml:

oidc:
  enabled: true
  issuerUrl: ISSUER_URL
  clientId: YOUR_CLIENT_ID

You can read more about the setup here; you might also consider using Kubelogin.

EDIT:

kube-apiserver is running as a Docker container on your master node. Therefore, the binary is within the container, not on your host system. It is started by the master's kubelet from a file located in /etc/kubernetes/manifests. kubelet watches this directory and will start any Pod defined there as a "static pod".

To configure kube-apiserver command line arguments you need to modify /etc/kubernetes/manifests/kube-apiserver.yaml on your master.

Crou
  • Hi, thank you for your comment. I'm not using AWS; it's a local K8s cluster with 3 worker nodes. While checking, there is no package kube-apiserver available to install. So how do I use this command? We are using CentOS 7.x. – James Arems Apr 09 '20 at 05:18
  • @JamesArems, I've edited the answer to provide a bit more details. – Crou Apr 09 '20 at 09:15
  • Thank you. Now it's very clear. – James Arems Apr 09 '20 at 12:05

The accepted answer is correct, modifying the manifest file at /etc/kubernetes/manifests/kube-apiserver.yaml and adding the oidc flags as found at https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ will configure oidc for your apiserver.

I'd like to add two additional items that would have been helpful for me when I came across this thread while researching issues I had while configuring oidc:

  1. If you want to configure a group or user prefix with a colon, the syntax needs to look like this to avoid syntax errors when the manifest is parsed:
    - "--oidc-groups-prefix=oidc:"
    - "--oidc-username-prefix=oidc:"
  2. When you set --oidc-ca-file, make sure the CA file you point it at exists first. If it doesn't exist, the apiserver will not start and the logs are not very helpful.
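The following script is an added example, not code from either answer above. It performs the edit the accepted answer describes (adding --oidc-* flags to the kube-apiserver static-pod manifest under /etc/kubernetes/manifests) while handling both caveats from the second answer: it quotes any prefix value that ends in a colon, and it refuses to touch the manifest if the file given to --oidc-ca-file does not exist on the host. It also goes slightly beyond the thread by linting the finished manifest for unquoted prefixes and by being idempotent, so a second run changes nothing. The issuer URL, client ID, the `email` and `groups` claim names, the `oidc:` prefixes and the CA file path are all assumptions to replace with your own values.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A). Adds OIDC flags to a kube-apiserver
# static-pod manifest the way the answers describe, with two safeguards:
#   - values ending in ':' are quoted (YAML reads a trailing ':' as a mapping
#     indicator, so an unquoted item is no longer a plain string)
#   - the --oidc-ca-file must exist before the manifest is rewritten
# Issuer URL, client ID, claim names and the "oidc:" prefixes are assumptions.
set -eu

# Return 0 if the manifest already carries the given flag (idempotency check).
# $1 = manifest path, $2 = flag name such as --oidc-issuer-url
has_flag() {
  grep -Eq "^[[:space:]]*-[[:space:]]*\"?$2=" "$1"
}

# Print one unindented YAML list item for a flag, quoting values that end in ':'.
# $1 = flag, $2 = value
yaml_flag() {
  case "$2" in
    *:) printf '%s "%s=%s"\n' - "$1" "$2" ;;
    *)  printf '%s %s=%s\n' - "$1" "$2" ;;
  esac
}

# Lint: fail if any --oidc-*-prefix value ends in ':' but is not quoted.
# $1 = manifest path
check_quoted_prefixes() {
  if grep -Eq '^[[:space:]]*- --oidc-(username|groups)-prefix=[^"]*:[[:space:]]*$' "$1"; then
    echo "unquoted OIDC prefix ending in ':' in $1" >&2
    return 1
  fi
}

# Insert the OIDC flags directly after the `- kube-apiserver` command entry.
# $1 manifest, $2 issuer URL, $3 client ID, $4 CA file, $5 username prefix,
# $6 groups prefix. The CA file also has to be on a path mounted into the
# apiserver container (kubeadm mounts /etc/kubernetes/pki via hostPath);
# this function only checks the host side.
add_oidc_flags() {
  local manifest=$1 issuer=$2 client=$3 cafile=$4 uprefix=$5 gprefix=$6 flags
  if [ ! -f "$cafile" ]; then
    echo "CA file $cafile does not exist; refusing to edit $manifest" >&2
    return 1
  fi
  if has_flag "$manifest" --oidc-issuer-url; then
    echo "OIDC flags already present in $manifest" >&2
    return 0
  fi
  flags=$(
    yaml_flag --oidc-issuer-url "$issuer"
    yaml_flag --oidc-client-id "$client"
    yaml_flag --oidc-ca-file "$cafile"
    yaml_flag --oidc-username-claim email
    yaml_flag --oidc-username-prefix "$uprefix"
    yaml_flag --oidc-groups-claim groups
    yaml_flag --oidc-groups-prefix "$gprefix"
  )
  # awk copies the file and, after the first `- kube-apiserver` line, emits each
  # flag with that line's indentation; the flags are passed through ENVIRON so
  # no shell quoting leaks into the awk program.
  FLAGS="$flags" awk '
    { print }
    /^[[:space:]]*- kube-apiserver[[:space:]]*$/ && !done {
      indent = substr($0, 1, index($0, "-") - 1)
      n = split(ENVIRON["FLAGS"], lines, "\n")
      for (i = 1; i <= n; i++) if (lines[i] != "") print indent lines[i]
      done = 1
    }
  ' "$manifest" > "$manifest.tmp"
  mv "$manifest.tmp" "$manifest"
  check_quoted_prefixes "$manifest"
}
```

Run it as root on the master, e.g. `add_oidc_flags /etc/kubernetes/manifests/kube-apiserver.yaml https://issuer.example.com kubernetes /etc/kubernetes/pki/oidc-ca.crt oidc: oidc:` after sourcing the script. The kubelet notices the changed manifest and restarts the static pod on its own; if the API server does not come back, the container's logs on the master (for example via `docker logs` on a Docker-based node) are the place to look, and a missing CA file or an unquoted prefix are the first two things to rule out.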