OpenID Connect Authentication

Configuring minikube to use OpenID Connect Authentication

The kube-apiserver in minikube can be configured to support OpenID Connect Authentication.

Read more about OpenID Connect Authentication for Kubernetes here: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

Configuring the API Server

Configuration values can be passed to the API server using the --extra-config flag on the minikube start command. See configuring_kubernetes.md for more details.

The following example configures your Minikube cluster to support RBAC and OIDC:

  1. minikube start \
  2. --extra-config=apiserver.authorization-mode=RBAC \
  3. --extra-config=apiserver.oidc-issuer-url=https://example.com \
  4. --extra-config=apiserver.oidc-username-claim=email \
  5. --extra-config=apiserver.oidc-client-id=kubernetes-local

Note that as stated in the Kubernetes documentation, for --extra-config=apiserver.oidc-issuer-url flag, only URLs which use the https:// scheme are accepted. Otherwise kube-apiserver will not start.

Configuring kubectl

You can use the kubectl oidc authenticator to create a kubeconfig as shown in the Kubernetes docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#option-1-oidc-authenticator

minikube start already creates a kubeconfig that includes a cluster, in order to use it with your oidc authenticator kubeconfig, you can run:

  1. kubectl config set-context kubernetes-local-oidc --cluster=minikube --user username@example.com
  2. Context "kubernetes-local-oidc" created.
  3. kubectl config use-context kubernetes-local-oidc

For the new context to work you will need to create, at the very minimum, a Role and a RoleBinding in your cluster to grant permissions to the subjects included in your oidc-username-claim.

Last modified July 23, 2020: Update OIDC documentation. (de65edffd)