Configure OKD OpenShift 4 authentication
In this post I will show you how to configure authentication on an on-premise OpenShift 4 cluster.
Parts of the OpenShift 4 series
- Part 1a: Install OpenShift 4
- Part 1b: Install OpenShift 4 with Calico
- Part 2: Configure OKD OpenShift 4 ingress
- Part 3: Configure OKD OpenShift 4 authentication
- Part 4: Configure OKD OpenShift 4 Ceph Persistent Storage
- Part 5a: Install Cluster Logging Operator on OpenShift 4
- Part 5b: OpenShift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
Create a Cluster Admin User
The kubeadmin user that we used in the previous steps is temporary. We need to create a permanent cluster administrator user. The fastest way to do this is to use htpasswd as an authentication provider: we create a secret in the openshift-config namespace and add an htpasswd identity provider to the cluster OAuth.
htpasswd -c -B -b users.htpasswd adminuser adminpassword
htpasswd -B -b users.htpasswd testuser testpassword
oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd -n \
openshift-config
oc apply -f htpasswd_provider.yaml
You can also create groups in the cluster and bind them to cluster roles:
nano groups.yaml
---
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: admins
users:
  - adminuser
---
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: cluster-admins
users:
  - adminuser
---
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: developers
users:
  - testuser
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-admins
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-cluster-developers
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: basic-user
oc apply -f groups.yaml
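Before applying group and ClusterRoleBinding manifests like the ones above, it is worth resolving which users actually end up with cluster-admin. The following script is an added example, not part of the original post; the GROUPS and BINDINGS structures are transcribed by hand from the groups.yaml shown above (a constructed copy, not read from the cluster), and the audit() function and its approved-list parameter are assumptions for illustration.

```python
"""Resolve effective ClusterRoles per user from Group and ClusterRoleBinding
manifests, then flag cluster-admin holders and redundant lesser bindings."""

# Constructed: Group manifests from groups.yaml, as {group name: [members]}.
GROUPS = {
    "admins": ["adminuser"],
    "cluster-admins": ["adminuser"],
    "developers": ["testuser"],
}

# Constructed: ClusterRoleBinding manifests from groups.yaml.
BINDINGS = [
    {"name": "okd-admins", "subjects": [{"kind": "Group", "name": "admins"}],
     "roleRef": {"kind": "ClusterRole", "name": "admin"}},
    {"name": "okd-cluster-admin", "subjects": [{"kind": "Group", "name": "cluster-admins"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"name": "okd-cluster-developers", "subjects": [{"kind": "Group", "name": "developers"}],
     "roleRef": {"kind": "ClusterRole", "name": "basic-user"}},
]


def groups_of(user, groups):
    """Names of all groups the user is a member of."""
    return {g for g, members in groups.items() if user in members}


def effective_cluster_roles(user, groups=GROUPS, bindings=BINDINGS):
    """ClusterRoles the user holds cluster-wide, directly or through a group."""
    my_groups = groups_of(user, groups)
    roles = set()
    for b in bindings:
        if b["roleRef"]["kind"] != "ClusterRole":
            continue
        for s in b["subjects"]:
            if (s["kind"] == "User" and s["name"] == user) or \
               (s["kind"] == "Group" and s["name"] in my_groups):
                roles.add(b["roleRef"]["name"])
    return roles


def cluster_admins(groups=GROUPS, bindings=BINDINGS):
    """Every user (via group or direct subject) that resolves to cluster-admin."""
    users = {u for members in groups.values() for u in members}
    users |= {s["name"] for b in bindings for s in b["subjects"] if s["kind"] == "User"}
    return {u for u in users if "cluster-admin" in effective_cluster_roles(u, groups, bindings)}


def audit(approved_cluster_admins, groups=GROUPS, bindings=BINDINGS):
    """Findings: cluster-admins not on the approved list, and redundant extra roles."""
    findings = []
    admins = cluster_admins(groups, bindings)
    for u in sorted(admins - set(approved_cluster_admins)):
        findings.append(f"{u} holds cluster-admin but is not on the approved list")
    for u in sorted(admins):
        extra = effective_cluster_roles(u, groups, bindings) - {"cluster-admin"}
        if extra:
            findings.append(f"{u} is cluster-admin; binding(s) to {sorted(extra)} are redundant")
    return findings
```

With the manifests from this post, adminuser resolves to both admin and cluster-admin (the admin binding adds nothing once cluster-admin is granted) and testuser resolves to basic-user only.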
Enable OAuth On OKD Cluster
I will use Keycloak as the OAuth provider. In the Keycloak okd realm I created a client called okd4. The openid-client-secret is the base64-encoded secret for the okd4 client ID.
nano oauth-config.yaml
---
kind: Secret
apiVersion: v1
metadata:
  name: openid-client-secret
  namespace: openshift-config
data:
  clientSecret: OWI4OWUyZjgtYrM6ZC10ODU2LTgyN3YtN2ZiODUzNDUyZDc4
type: Opaque
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - mappingMethod: add
      name: sso.mydomain.intra
      openID:
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - email
            - preferred_username
        clientID: okd4
        clientSecret:
          name: openid-client-secret
        extraScopes: []
        issuer: 'https://sso.mydomain.intra/auth/realms/okd'
      type: OpenID
Then apply the config: oc apply -f oauth-config.yaml