Configure External Authentication
KubeSphere supports setting up external authentication. Platform administrators can configure identity providers through Secrets.
After configuring external identity providers, users can log in to the KubeSphere web console using usernames and passwords from LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect.
Steps
Log in to the KubeSphere web console with a user having the platform-admin role.
Navigate to the project kubesphere-system under the workspace system-workspace.
Click Configuration > ConfigMap in the left navigation pane.
Click Create on the page.
In the Create Secrets dialog, toggle the Edit YAML switch in the top right corner to create a secret using YAML.
Modify the YAML file according to the example and configuration instructions below. Once configured, click Create.
Log out of the KubeSphere web console. On the login page, enter the username and password for LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect based on the configured external authentication type.
Note |
---|
In a multi-cluster environment, configuration is only required in the host cluster. |
OpenLDAP YAML Sample
apiVersion: v1
kind: Secret
metadata:
namespace: kubesphere-system
name: identity-provider-ldap
labels:
config.kubesphere.io/type: identityprovider
stringData:
configuration.yaml: |
name: openldap
type: LDAPIdentityProvider
mappingMethod: auto
provider:
host: "192.168.0.2:389"
managerDN: uid=root,cn=users,dc=nas
managerPassword: "********"
userSearchBase: cn=users,dc=nas
loginAttribute: uid
mailAttribute: mail
type: config.kubesphere.io/identityprovider
Attention |
---|
|
Configuration Explanation
In the stringData:configuration.yaml
parameter of the above example:
name: Specifies the name of the external identity provider, which must be unique to avoid creation failures.
type: Specifies the type of external identity provider, supporting the following types:
LDAP:
LDAPIdentityProvider
CAS:
CASIdentityProvider
GitHub:
GitHubIdentityProvider
Alibaba Cloud IDaaS:
AliyunIDaaSProvider
OpenID Connect:
OIDCIdentityProvider
mappingMethod: Specifies how external identity users are associated with KubeSphere users.
auto
: Automatically creates a KubeSphere user with the same name. Fails if a user with the same name already exists in the platform.manual
: Creates a new user with any name after logging in.lookup
: Automatically associates an existing KubeSphere user with the same name. Fails if no user with the specified name exists.
provider: Contains specific parameters for the external identity authentication. Below are examples of the provider parameters for different authentication types.
LDAPIdentityProvider
host: 192.168.0.2:389 managerDN: uid=root,cn=users,dc=nas managerPassword: "********" userSearchBase: cn=users,dc=nas loginAttribute: uid mailAttribute: mail
CASIdentityProvider
redirectURL: "https://ks-console:30880/oauth/redirect/cas" casServerURL: "https://cas.example.org/cas" insecureSkipVerify: true
OIDCIdentityProvider
clientID: '********' clientSecret: '********' issuer: https://accounts.google.com redirectURL: 'https://ks-console/oauth/redirect/google'
GitHubIdentityProvider
clientID: '******' clientSecret: '******' redirectURL: 'https://ks-console/oauth/redirect/github'
For the configuration method of Alibaba Cloud IDaaS provider, refer to the Alibaba Cloud IDaaS Documentation.
Feedback
Was this page Helpful?
Receive the latest news, articles and updates from KubeSphere
Thanks for the feedback. If you have a specific question about how to use KubeSphere, ask it on Slack. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.