Configure OKD OpenShift 4 authentication

December 13, 2021

In this Post I will show you how you can create multiple ingress route on an OpenShift 4 on premise.

Parst of the Openshift 4 series

Part1: Install Opeshift 4
Part2: Configure OKD OpenShift 4 ingress
Part3: Configure OKD OpenShift 4 authentication
Part4: Configure OKD OpenShift 4 Ceph Persisten Storage
Part5a: Install Cluster Logging Operator on OpenShift 4
Part5b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)

Create a Cluster Admin User

The current kubeadmin user that we are using in the previous step is temporary. We need to create a permanent cluster administrator user. The fastest way to do this is by using htpasswd as an authentication provider. We will create a secret under the openshift-config namespace and add a htpasswd provider in the cluster oAuth.

htpasswd -c -B -b users.htpasswd adminuser adminpassword
htpasswd -c -B -b users.htpasswd testuser testpassword
oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd -n \
openshift-config
oc apply -f htpasswd_provider.yaml

You can create groups to the cluster:

nano groups.yaml
---
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: admins
users:
  - adminuser
---
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: cluster-admins
users:
  - adminuser
---
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: developers
users:
  - testuser
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-admins
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-cluster-developers
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: basic-user

oc apply -f group-admins.yaml

Enable Oauth On OKD Cluster

I will use Keycloak as the oauth prowider. In Keycloak okd realm I created a client called okd4. The openid-client-secret is the base64 encodid secret for the okd4 Client ID.

nano oauth-config.yaml
---
kind: Secret
apiVersion: v1
metadata:
  name: openid-client-secret
  namespace: openshift-config
data:
  clientSecret: OWI4OWUyZjgtYrM6ZC10ODU2LTgyN3YtN2ZiODUzNDUyZDc4
type: Opaque
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - mappingMethod: add
      name: sso.mydomain.intra
      openID:
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - email
            - preferred_username
        clientID: okd4
        clientSecret:
          name: openid-client-secret
        extraScopes: []
        issuer: 'https://sso.mydomain.intra/auth/realms/okd'
      type: OpenID

Then apply the config oc apply -f oauth-config.yaml