Configure External Authentication

KubeSphere supports setting up external authentication. Platform administrators can configure identity providers through Secrets.

After configuring external identity providers, users can log in to the KubeSphere web console using usernames and passwords from LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect.

Steps

  1. Log in to the KubeSphere web console with a user having the platform-admin role.

  2. Navigate to the project kubesphere-system under the workspace system-workspace.

  3. Click Configuration > ConfigMap in the left navigation pane.

  4. Click Create on the page.

  5. In the Create Secrets dialog, toggle the Edit YAML switch in the top right corner to create a secret using YAML.

  6. Modify the YAML file according to the example and configuration instructions below. Once configured, click Create.

  7. Log out of the KubeSphere web console. On the login page, enter the username and password for LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect based on the configured external authentication type.

Note

In a multi-cluster environment, configuration is only required in the host cluster.

OpenLDAP YAML Sample

  apiVersion: v1
  kind: Secret
  metadata:
    namespace: kubesphere-system
    name: identity-provider-ldap
    labels:
      config.kubesphere.io/type: identityprovider
  stringData:
    configuration.yaml: |
      name: openldap
      type: LDAPIdentityProvider
      mappingMethod: auto
      provider:
        host: "192.168.0.2:389"
        managerDN: uid=root,cn=users,dc=nas
        managerPassword: "********"
        userSearchBase: cn=users,dc=nas
        loginAttribute: uid
        mailAttribute: mail
  type: config.kubesphere.io/identityprovider

Attention
  • The secret must be created in the kubesphere-system project.

  • The secret must set the type field to config.kubesphere.io/identityprovider.

  • The secret must carry the label config.kubesphere.io/type: identityprovider.

Configuration Explanation

In the stringData.configuration.yaml field of the example above:

  • name: Specifies the name of the external identity provider, which must be unique to avoid creation failures.

  • type: Specifies the type of external identity provider, supporting the following types:

    • LDAP: LDAPIdentityProvider

    • CAS: CASIdentityProvider

    • GitHub: GitHubIdentityProvider

    • Alibaba Cloud IDaaS: AliyunIDaaSProvider

    • OpenID Connect: OIDCIdentityProvider

  • mappingMethod: Specifies how external identity users are associated with KubeSphere users.

    • auto: Automatically creates a KubeSphere user with the same name. Fails if a user with the same name already exists in the platform.

    • manual: After the external user logs in, a new KubeSphere user with any chosen name is created and associated with them.

    • lookup: Automatically associates an existing KubeSphere user with the same name. Fails if no user with the specified name exists.

  • provider: Contains the parameters specific to the external identity provider. The provider parameters for each supported authentication type are shown below.

    • LDAPIdentityProvider

      host: 192.168.0.2:389
      managerDN: uid=root,cn=users,dc=nas
      managerPassword: "********"
      userSearchBase: cn=users,dc=nas
      loginAttribute: uid
      mailAttribute: mail

    • CASIdentityProvider

      redirectURL: "https://ks-console:30880/oauth/redirect/cas"
      casServerURL: "https://cas.example.org/cas"
      insecureSkipVerify: true

    • OIDCIdentityProvider

      clientID: '********'
      clientSecret: '********'
      issuer: https://accounts.google.com
      redirectURL: 'https://ks-console/oauth/redirect/google'

    • GitHubIdentityProvider

      clientID: '******'
      clientSecret: '******'
      redirectURL: 'https://ks-console/oauth/redirect/github'

    For the configuration method of Alibaba Cloud IDaaS provider, refer to the Alibaba Cloud IDaaS Documentation.
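The following Python script is an added example, not part of the KubeSphere documentation or its code base: it checks an identity-provider Secret (loaded as a dict, as yaml.safe_load or kubectl would return it) against the rules above (namespace, type, label, supported type and mappingMethod, the provider keys each sample shows), reports any "********" placeholder that was never replaced, and flags insecureSkipVerify: true because that setting disables TLS certificate verification of the identity server. REQUIRED_KEYS and SAMPLE_SECRET are assumptions built from this page's samples, and parse_simple_yaml handles only the flat key/value subset those samples use.

```python
REQUIRED_KEYS = {  # required provider keys per supported type, taken from the sample snippets on this page
    "LDAPIdentityProvider": {"host", "managerDN", "managerPassword", "userSearchBase", "loginAttribute"},
    "CASIdentityProvider": {"redirectURL", "casServerURL"}, "AliyunIDaaSProvider": set(),  # no IDaaS sample here
    "OIDCIdentityProvider": {"clientID", "clientSecret", "issuer", "redirectURL"},
    "GitHubIdentityProvider": {"clientID", "clientSecret", "redirectURL"},
}

def parse_simple_yaml(text):
    """Parse the 'key: value' / nested-map subset used in configuration.yaml (no lists, block scalars or comments)."""
    stack = [(-1, {})]  # (indent, mapping) for each open map; stack[0] holds the root
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent: stack.pop()  # leave maps nested deeper than this line
        stack[-1][1][key] = value or {}  # a bare 'key:' opens a nested map
        if not value:
            stack.append((indent, stack[-1][1][key]))
    return stack[0][1]

def validate_identity_provider_secret(secret):
    """Return the findings; an empty list means the Secret meets every rule on this page and raises no warning."""
    meta = secret.get("metadata", {})
    cfg = parse_simple_yaml(secret.get("stringData", {}).get("configuration.yaml", ""))
    provider = cfg.get("provider") if isinstance(cfg.get("provider"), dict) else {}
    checks = [  # (condition that must hold, finding reported when it does not)
        (meta.get("namespace") == "kubesphere-system", "secret must be created in the kubesphere-system project"),
        (secret.get("type") == "config.kubesphere.io/identityprovider", "secret type must be config.kubesphere.io/identityprovider"),
        (meta.get("labels", {}).get("config.kubesphere.io/type") == "identityprovider", "missing label config.kubesphere.io/type: identityprovider"),
        (cfg.get("type") in REQUIRED_KEYS, "unsupported identity provider type %r" % cfg.get("type")),
        (cfg.get("mappingMethod") in ("auto", "manual", "lookup"), "mappingMethod must be auto, manual or lookup"),
        (str(provider.get("insecureSkipVerify", "")).lower() != "true", "warning: insecureSkipVerify: true disables TLS certificate verification"),
    ]
    findings = [message for ok, message in checks if not ok]
    for key in sorted(REQUIRED_KEYS.get(cfg.get("type"), set()) - set(provider)):
        findings.append("provider.%s is required for %s" % (key, cfg["type"]))
    for key, value in provider.items():
        if isinstance(value, str) and set(value) == {"*"}:  # the docs' "********" was never replaced
            findings.append("provider.%s still holds the documentation placeholder" % key)
    return findings

# Constructed sample mirroring this page's OpenLDAP Secret, as yaml.safe_load or kubectl would load it.
SAMPLE_SECRET = {
    "metadata": {"namespace": "kubesphere-system", "labels": {"config.kubesphere.io/type": "identityprovider"}},
    "type": "config.kubesphere.io/identityprovider",
    "stringData": {"configuration.yaml": "name: openldap\ntype: LDAPIdentityProvider\nmappingMethod: auto\n"
                   "provider:\n  host: \"192.168.0.2:389\"\n  managerDN: uid=root,cn=users,dc=nas\n"
                   "  managerPassword: \"********\"\n  userSearchBase: cn=users,dc=nas\n  loginAttribute: uid\n"},
}
print(validate_identity_provider_secret(SAMPLE_SECRET) or "no findings")
```

Run against the page's own OpenLDAP sample the only finding is the unreplaced managerPassword placeholder; run before kubectl apply, it catches the namespace, type and label mistakes the Attention box warns about.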