Last updated: 2024-12-09 09:40:10

Configure External Authentication

KubeSphere supports setting up external authentication. Platform administrators can configure identity providers through Secrets.

After configuring external identity providers, users can log in to the KubeSphere web console using usernames and passwords from LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect.

Steps

  1. Log in to the KubeSphere web console with a user having the platform-admin role.

  2. Navigate to the project kubesphere-system under the workspace system-workspace.

  3. Click Configuration > ConfigMap in the left navigation pane.

  4. Click Create on the page.

  5. In the Create Secrets dialog, toggle the Edit YAML switch in the top right corner to create a secret using YAML.

  6. Modify the YAML file according to the example and configuration instructions below. Once configured, click Create.

  7. Log out of the KubeSphere web console. On the login page, enter the username and password for LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect based on the configured external authentication type.

Note

In a multi-cluster environment, configuration is only required in the host cluster.

OpenLDAP YAML Sample

  apiVersion: v1
  kind: Secret
  metadata:
    namespace: kubesphere-system
    name: identity-provider-ldap
    labels:
      config.kubesphere.io/type: identityprovider
  stringData:
    configuration.yaml: |
      name: openldap
      type: LDAPIdentityProvider
      mappingMethod: auto
      provider:
        host: "192.168.0.2:389"
        managerDN: uid=root,cn=users,dc=nas
        managerPassword: "********"
        userSearchBase: cn=users,dc=nas
        loginAttribute: uid
        mailAttribute: mail
  type: config.kubesphere.io/identityprovider

Attention
  • The secret must be created in the kubesphere-system project.

  • The secret must include a type.

    type: config.kubesphere.io/identityprovider.

  • The secret must include a label.

    config.kubesphere.io/type: identityprovider.

Configuration Explanation

In the configuration.yaml key under stringData in the above example:

  • name: Specifies the name of the external identity provider, which must be unique to avoid creation failures.

  • type: Specifies the type of external identity provider, supporting the following types:

    • LDAP: LDAPIdentityProvider

    • CAS: CASIdentityProvider

    • GitHub: GitHubIdentityProvider

    • Alibaba Cloud IDaaS: AliyunIDaaSProvider

    • OpenID Connect: OIDCIdentityProvider

  • mappingMethod: Specifies how external identity users are associated with KubeSphere users.

    • auto: Automatically creates a KubeSphere user with the same name. Fails if a user with the same name already exists in the platform.

    • manual: After logging in, a new KubeSphere user with a name of the user's choice is created.

    • lookup: Automatically associates an existing KubeSphere user with the same name. Fails if no user with the specified name exists.

  • provider: Contains specific parameters for the external identity authentication. Below are examples of the provider parameters for different authentication types.

    • LDAPIdentityProvider

      host: 192.168.0.2:389
      managerDN: uid=root,cn=users,dc=nas
      managerPassword: "********"
      userSearchBase: cn=users,dc=nas
      loginAttribute: uid
      mailAttribute: mail

    • CASIdentityProvider

      redirectURL: "https://ks-console:30880/oauth/redirect/cas"
      casServerURL: "https://cas.example.org/cas"
      insecureSkipVerify: true

    • OIDCIdentityProvider

      clientID: '********'
      clientSecret: '********'
      issuer: https://accounts.google.com
      redirectURL: 'https://ks-console/oauth/redirect/google'

    • GitHubIdentityProvider

      clientID: '******'
      clientSecret: '******'
      redirectURL: 'https://ks-console/oauth/redirect/github'

    For the configuration method of Alibaba Cloud IDaaS provider, refer to the Alibaba Cloud IDaaS Documentation.
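A pre-apply check for an identity-provider secret, added here as an example and not KubeSphere's own code: it takes the secret already loaded into a dict (as yaml.safe_load would produce), verifies the Attention items above (namespace, type, label), the supported provider types and mappingMethod values, the provider keys each example on this page shows (treating all of them as required is an assumption), and flags insecureSkipVerify: true, which disables TLS certificate checks against the CAS server.

```python
# Added example, not KubeSphere's own code: pre-apply check for an identity-provider
# Secret already loaded into a dict (e.g. with yaml.safe_load). It verifies the page's
# "Attention" items, the provider keys each example shows, and flags insecureSkipVerify.
KNOWN_TYPES = {"LDAPIdentityProvider", "CASIdentityProvider", "GitHubIdentityProvider",
               "AliyunIDaaSProvider", "OIDCIdentityProvider"}
# Keys taken from this page's provider examples; treating them all as required is an assumption.
PROVIDER_KEYS = {
    "LDAPIdentityProvider": {"host", "managerDN", "managerPassword", "userSearchBase",
                             "loginAttribute", "mailAttribute"},
    "CASIdentityProvider": {"redirectURL", "casServerURL"},
    "OIDCIdentityProvider": {"clientID", "clientSecret", "issuer", "redirectURL"},
    "GitHubIdentityProvider": {"clientID", "clientSecret", "redirectURL"},
}

def parse_config(text):
    """Parse the two-level configuration.yaml shape used on this page (scalar keys plus
    one nested `provider:` map). Deliberately minimal; not a general YAML parser."""
    cfg, nested = {}, None
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if line.startswith(" "):        # indented line belongs to the open nested map
            nested[key] = value
        elif value == "":                # a bare `key:` opens a nested map
            nested = cfg.setdefault(key, {})
        else:
            cfg[key] = value
    return cfg

def check_secret(secret):
    """Return the list of problems found; an empty list means the secret passes."""
    meta, problems = secret.get("metadata", {}), []
    if meta.get("namespace") != "kubesphere-system":
        problems.append("metadata.namespace must be kubesphere-system")
    if secret.get("type") != "config.kubesphere.io/identityprovider":
        problems.append("type must be config.kubesphere.io/identityprovider")
    if meta.get("labels", {}).get("config.kubesphere.io/type") != "identityprovider":
        problems.append("label config.kubesphere.io/type: identityprovider is missing")
    cfg = parse_config(secret.get("stringData", {}).get("configuration.yaml", ""))
    ptype, provider = cfg.get("type"), cfg.get("provider", {})
    if ptype not in KNOWN_TYPES:
        problems.append(f"unsupported provider type {ptype!r}")
    if cfg.get("mappingMethod") not in {"auto", "manual", "lookup"}:
        problems.append("mappingMethod must be auto, manual or lookup")
    for key in sorted(PROVIDER_KEYS.get(ptype, set()) - set(provider)):
        problems.append(f"provider.{key} is missing for {ptype}")
    if provider.get("insecureSkipVerify") == "true":
        problems.append("insecureSkipVerify: true disables TLS certificate checks")
    return problems
```

Run check_secret on the parsed manifest before creating it; a non-empty result lists exactly which of the requirements above is not met.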
