Access to the cluster through an OIDC provider

In Managed Kubernetes, you can configure access to the cluster through the OpenID Connect (OIDC) protocol. OIDC is an authentication protocol that is based on the OAuth 2.0 protocol and additionally provides the ability to transmit user information. The user information is transmitted in the ID Token, a token in JSON Web Token (JWT) format that is signed by the server. Read more about using OpenID Connect in Kubernetes in the Authenticating article of the Kubernetes documentation.

OIDC allows users to authenticate to one service and then access other services without re-authenticating, so it can provide single sign-on (SSO) for users across multiple services or applications.

OIDC providers, such as Keycloak or Dex, are used to authenticate users via OIDC. With the OIDC provider, you can centrally manage users and their access to all services and applications to which the OIDC provider is connected, including the Managed Kubernetes cluster. If you need to change a user's role or restrict access to all services, for example, when an employee is dismissed, you can do it through the OIDC provider.

Connect the OIDC provider to the cluster

OIDC provider connectivity is available in Managed Kubernetes clusters version 1.28 and higher. You can update the cluster version on the cloud server.

You can connect an OIDC provider to the cluster through the control panel. The connection data can be viewed in your OIDC provider.

  1. In the control panel, go to Cloud platform → Kubernetes.
  2. Open the cluster page → Settings tab.
  3. In the OIDC provider field, click Connect.
  4. Enter the name of the OIDC provider. The name is only used to identify the provider in the control panel.
  5. In the Issuer URL field, enter the URL of the OIDC provider that is accessible via the Internet. This will be used to authenticate users who request access to the cluster.
  6. In the Client ID field, enter the service identifier that is required to identify the cluster on the OIDC provider side. For example, kubernetes.
  7. Optional: in the Username claim field, enter the name of the JWT token field where the user name will be stored. This name is used to identify the user. The default value is sub. Depending on the OIDC provider, other options may be used, e.g. email or name.
  8. Optional: in the Groups claim field, enter the name of the JWT token field that will store the name of the group to which the user belongs. The default value is groups.

Set up a connection through an OIDC provider

  1. In the control panel, go to Cloud platform → Kubernetes.

  2. Open the cluster page → Settings tab.

  3. Click Download kubeconfig. Downloading the kubeconfig file is not available if the cluster status is PENDING_CREATE, PENDING_ROTATE_CERTS, PENDING_DELETE or ERROR.

  4. Add data to the kubeconfig file to connect via OIDC provider:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <certificate_authority_data>
        server: <server_path>
      name: <cluster_name>
    contexts:
    - context:
        cluster: <cluster_name>
        user: oidc
      name: oidc-context
    current-context: oidc-context
    kind: Config
    preferences: {}
    users:
    - name: oidc
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=<issuer_url>
          - --oidc-client-id=<client_id>
          - --oidc-client-secret=<client_secret>
          command: kubectl

    Specify:

    • <certificate_authority_data> — certificate from a private certificate authority (CA). You can find it in the source kubeconfig file;
    • <server_path> — path to the server where the cluster is located. You can find it in the source kubeconfig file;
    • <cluster_name> — cluster name. You can find it in the source kubeconfig file;
    • <issuer_url> — the URL of the OIDC provider that is accessible via the Internet. It will be used to authenticate users who request access to the cluster;
    • <client_id> — service identifier, which is required to identify the cluster on the OIDC provider side. For example, kubernetes;
    • <client_secret> — a shared secret key established between the authorization server and the client that is used to sign requests.
  5. Configure user roles in the cluster using the RBAC authorization mechanism. Read more about using RBAC in Kubernetes in the Using RBAC Authorization article of the official Kubernetes documentation. For example, to configure the developer role, which gives access to view pods and services, add a manifest:

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: developer
    rules:
      - apiGroups: [""]
        resources: ["pods", "services"]
        verbs: ["get", "watch", "list"]
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: developer-crb
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: developer
    subjects:
    - kind: Group
      name: "developers"
      apiGroup: rbac.authorization.k8s.io
  6. Send the updated kubeconfig file to users who do not have access to the control panel.
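
An added example (not part of the original documentation or the provider's code): a Python check that reads a user's ID token with the settings described above, comparing `iss` with the Issuer URL, `aud` with the Client ID, and the Username claim and Groups claim values with the `developers` group bound in the manifest. The issuer URL, the sample claims and the function names are constructed assumptions; the signature is not verified, and any username or group prefix the cluster may apply is not modeled.

```python
import base64
import json
import time

# Constructed values standing in for the control-panel fields (assumptions).
CLUSTER_OIDC = {"issuer_url": "https://idp.example.com", "client_id": "kubernetes",
                "username_claim": "sub", "groups_claim": "groups"}
RBAC_GROUPS = {"developers"}  # Group subject of the developer-crb binding


def decode_payload(id_token):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(id_token, cfg=CLUSTER_OIDC, rbac_groups=RBAC_GROUPS, now=None):
    """Return (problems, username, groups) read with the cluster's claim settings."""
    claims = decode_payload(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer_url"]:
        problems.append("iss does not match Issuer URL")
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    username = claims.get(cfg["username_claim"])
    if not username:
        problems.append("username claim is missing")
    groups = claims.get(cfg["groups_claim"]) or []
    groups = [groups] if isinstance(groups, str) else list(groups)
    if not rbac_groups & set(groups):
        problems.append("no group matches an RBAC binding")
    return problems, username, groups


def make_sample_token(claims):
    """Build a constructed sample token with a dummy signature part."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])
```

An empty `problems` list means the token carries the issuer, audience and group that the cluster settings and the `developer-crb` binding expect; a user whose token lists no bound group authenticates but gets no permissions from that binding.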

Connect to the cluster via OIDC

We recommend that you perform all actions with nodes, balancers and disks in the cluster only through kubectl.

After certificates for system components are updated, you must reconnect to the cluster.

  1. Install the Kubernetes console client kubectl.

  2. Install the kubelogin plugin.

  3. Open the CLI.

  4. Export the path to the kubeconfig file to the KUBECONFIG environment variable:

    export KUBECONFIG=<path>

    Here <path> is the path to the kubeconfig file cluster_name.yaml.

  5. Access the cluster via kubectl. For example, request information about the cluster nodes:

    kubectl get nodes

    The authentication page from the OIDC provider will automatically open in your browser.

  6. Authenticate with the OIDC provider.

    After authentication, the output of the command you entered in step 5 will appear.

Disconnect the OIDC provider

Once an OIDC provider is disconnected, all users who connected to the cluster through that provider will lose access to the cluster.

  1. In the control panel, go to Cloud platform → Kubernetes.
  2. Open the cluster page → Settings tab.
  3. In the Server settings block, in the OIDC provider field, open the OIDC provider block.
  4. Click Disconnect.