
Using OpenID Connect with Mirantis Kubernetes Engine 3.5.0

Dmitrii Shishliannikov - November 8, 2021

Many organizations use external identity providers such as Google or Microsoft to manage authentication across their applications, and many want to bring the same sign-in to their cluster management. In the upcoming Mirantis Kubernetes Engine 3.5.0, we are introducing support for external OpenID Connect (OIDC) providers to help you do just that.

OIDC enables you to authenticate Mirantis Kubernetes Engine (MKE) users with a trusted third-party login. Using ID tokens issued by your provider, it is now possible to authenticate to the MKE API as well as to Kubernetes clusters managed by MKE.

In this post, we’ll explore how you can get started using OIDC with Mirantis Kubernetes Engine. We’ll walk you through:

  • Configuring an OIDC provider
  • Signing in with an OIDC provider
  • Accessing Kubernetes clusters with ID tokens
  • Disabling an OIDC provider

Configuring an OpenID Connect identity provider

To configure an external OIDC provider, edit the MKE TOML configuration file. MKE 3.5.0 adds a new section, [auth.external_identity_provider], that at a minimum requires two parameters: the URL of the provider's discovery document and the client ID you registered with the provider:

[auth.external_identity_provider]
wellKnownConfigUrl = "https://example.com/.well-known/openid-configuration"
clientId = "client-id-from-your-provider"

We also strongly recommend adding the client secret issued by your provider, which lets the provider authenticate MKE itself (not just the user) when MKE redeems the authorization code:

clientSecret = "client-secret-from-your-provider"

The secret is stored in plain text in the configuration file, so protect the file and whatever channel you use to apply it to the cluster the same way you would any other credential.

Refer to the MKE configuration file reference for complete documentation of this section.

Signing in to Mirantis Kubernetes Engine with an OpenID Connect provider

After you have configured a provider, a new ‘Sign in with External Provider’ button appears on the login page:

[Image: Mirantis Kubernetes Engine dashboard sign-in page]

After pressing this button, the user is redirected to the provider's login page, where they enter their credentials and/or consent to the requested permissions. The provider then redirects them back to the MKE Dashboard.

It is also possible to call the MKE API directly, presenting the ID token as a bearer token:

ID_TOKEN=<token_from_provider>
# --insecure skips TLS verification of the MKE endpoint. Outside a throwaway lab,
# pass the MKE CA instead, e.g. --cacert ca.pem (the ca.pem from a client bundle),
# so that the token is never sent to an unverified server.
curl --insecure "https://<MKE_HOST>/id" \
  -H "Authorization: Bearer $ID_TOKEN"

For new users, it is important to log in with an ID token at least once (either from the UI or through the API), so that the default role and collection are created and assigned to the user. With the API, you can do this as follows (note that the JSON body must be double-quoted, or built with a heredoc, so that the shell actually expands $ID_TOKEN; inside single quotes the literal string "$ID_TOKEN" would be sent):

ID_TOKEN=<token_from_provider>
curl -X POST "https://<MKE_HOST>/auth/login" \
  --header "Content-Type: application/json" \
  --data-raw "{\"token\": \"$ID_TOKEN\"}"

Accessing Kubernetes clusters with ID tokens

To access a Kubernetes cluster with kubectl, MKE users typically use client bundles. By default, the KUBECONFIG in a client bundle authenticates requests with a TLS client certificate and its private key; authorization is still decided by the user's roles in MKE.

Kubernetes users who want a client bundle to use OIDC instead must therefore replace the certificate-based user entry in that KUBECONFIG with the parameters described in the Kubernetes OIDC Authenticator documentation: either pass the ID token directly with kubectl's --token option, or configure the oidc auth-provider with the issuer URL, client ID and ID token (optionally with the client secret and a refresh token, so kubectl can renew the short-lived ID token when it expires).

Note: Although OIDC providers usually also expose a UserInfo endpoint, MKE relies exclusively on the claims carried in the ID token and never calls the UserInfo URL. Any claim MKE needs to identify the user must therefore be present in the ID token itself.
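When a sign-in via the API or a kubeconfig fails, the first thing to check is the ID token itself: its aud must contain the clientId configured in [auth.external_identity_provider], its iss must be the issuer behind wellKnownConfigUrl, and it must not be expired. The script below is an added example for this post, not MKE code, and shows those checks over a constructed token. It signs the sample token with HS256 using the client secret as the key (a construction OIDC Core permits, chosen so the example runs offline); public providers normally use RS256 with keys published in their JWKS, and MKE validates tokens against the provider's keys, so treat the signature routine as a stand-in. The issuer, client ID, secret, subject and timestamps are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for a real provider registration (assumptions).
ISSUER = "https://example.com"                 # issuer behind wellKnownConfigUrl
CLIENT_ID = "client-id-from-your-provider"     # clientId from the MKE config
CLIENT_SECRET = "client-secret-from-your-provider"
NOW = 1_700_000_000                            # fixed clock so the example is deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_id_token(claims: dict, secret: str) -> str:
    """Build an HS256-signed ID token for offline testing (constructed input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_id_token(token: str):
    """Split a compact JWT into (header, claims) WITHOUT verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def verify_hs256(token: str, secret: str) -> bool:
    """Constant-time HS256 signature check (stand-in for the provider's RS256/JWKS check)."""
    header, _ = decode_id_token(token)
    if header.get("alg") != "HS256":
        return False
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def check_id_token_claims(claims: dict, issuer: str, client_id: str, now=None) -> list:
    """Return the reasons a relying party would reject these claims; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r} != {issuer!r} (check wellKnownConfigUrl)")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if client_id not in audiences:
        problems.append(f"aud {audiences!r} does not include clientId {client_id!r}")
    if not claims.get("sub"):
        problems.append("missing sub claim")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("token expired or has no exp")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid (nbf in the future)")
    return problems


def inspect_id_token(token: str, now=NOW) -> list:
    """Everything worth checking before pasting a token into curl or a kubeconfig."""
    if not verify_hs256(token, CLIENT_SECRET):
        return ["signature check failed (tampered token or wrong key)"]
    _, claims = decode_id_token(token)
    return check_id_token_claims(claims, ISSUER, CLIENT_ID, now)


# Constructed sample token: a healthy one-hour ID token for a made-up user.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-12345",
    "email": "alice@example.com", "iat": NOW - 60, "exp": NOW + 3600,
}
SAMPLE_TOKEN = make_hs256_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)

if __name__ == "__main__":
    print(json.dumps(decode_id_token(SAMPLE_TOKEN)[1], indent=2))
    print("problems:", inspect_id_token(SAMPLE_TOKEN))
```

A mismatched aud almost always means the token was issued for a different client registration than the clientId in the MKE config, and a mismatched iss means wellKnownConfigUrl points at a different issuer than the one that minted the token. Note that decode_id_token deliberately does no verification: it is only for looking at claims, and the signature must be checked before any claim is trusted, which is why inspect_id_token refuses to report claim problems for a token whose signature does not verify.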

Disabling OpenID Connect provider

If you wish to remove an OpenID Connect provider for any reason, all you need to do is change your configuration file.

To disable the authentication with an external provider, simply remove the entire [auth.external_identity_provider] section from your TOML config file.

If you’d like to learn more about using external OIDC providers with Mirantis Kubernetes Engine, you can explore the documentation.
