Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 3. Authentication and authorization for hosted control planes

The OpenShift Container Platform control plane includes a built-in OAuth server. You can obtain OAuth access tokens to authenticate to the OpenShift Container Platform API. After you create your hosted cluster, you can configure OAuth by specifying an identity provider.

3.1. Configuring the OAuth server for a hosted cluster by using the CLI
Copia collegamento

You can configure the internal OAuth server for your hosted cluster by using an OpenID Connect identity provider (oidc).

You can configure OAuth for the following supported identity providers:

  • oidc
  • htpasswd
  • keystone
  • ldap
  • basic-authentication
  • request-header
  • github
  • gitlab
  • google

Adding any identity provider in the OAuth configuration removes the default kubeadmin user provider.

Note

When you configure identity providers, you must configure at least one NodePool replica in your hosted cluster in advance. Traffic for DNS resolution is sent through the worker nodes. You do not need to configure the NodePool replicas in advance for the htpasswd and request-header identity providers.

Prerequisites

  • You created your hosted cluster.

Procedure

  1. Edit the HostedCluster custom resource (CR) on the hosting cluster by running the following command: 

    $ oc edit hostedcluster <hosted_cluster_name> -n <hosted_cluster_namespace>
    Copy to Clipboard Toggle word wrap

  2. Add the OAuth configuration in the HostedCluster CR by using the following example: 

    apiVersion: hypershift.openshift.io/v1alpha1
kind: HostedCluster
metadata:
  name: <hosted_cluster_name>
    1 
    
  namespace: <hosted_cluster_namespace>
    2 
    
spec:
  configuration:
    oauth:
      identityProviders:
      - openID:
    3 
    
          claims:
            email:
    4 
    
              - <email_address>
            name:
    5 
    
              - <display_name>
            preferredUsername:
    6 
    
              - <preferred_username>
          clientID: <client_id>
    7 
    
          clientSecret:
            name: <client_id_secret_name>
    8 
    
          issuer: https://example.com/identity
    9 
    
        mappingMethod: lookup
    10 
    
        name: IAM
        type: OpenID
    Copy to Clipboard Toggle word wrap
    1
    Specifies your hosted cluster name.
    2
    Specifies your hosted cluster namespace.
    3
    This provider name is prefixed to the value of the identity claim to form an identity name. The provider name is also used to build the redirect URL.
    4
    Defines a list of attributes to use as the email address.
    5
    Defines a list of attributes to use as a display name.
    6
    Defines a list of attributes to use as a preferred user name.
    7
    Defines the ID of a client registered with the OpenID provider. You must allow the client to redirect to the https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name> URL.
    8
    Defines a secret of a client registered with the OpenID provider.
    9
    The Issuer Identifier described in the OpenID spec. You must use https without query or fragment component.
    10
    Defines a mapping method that controls how mappings are established between identities of this provider and User objects.
  3. Save the file to apply the changes.

You can configure the internal OAuth server for your hosted cluster by using the OpenShift Container Platform web console.

You can configure OAuth for the following supported identity providers:

  • oidc
  • htpasswd
  • keystone
  • ldap
  • basic-authentication
  • request-header
  • github
  • gitlab
  • google

Adding any identity provider in the OAuth configuration removes the default kubeadmin user provider.

Note

When you configure identity providers, you must configure at least one NodePool replica in your hosted cluster in advance. Traffic for DNS resolution is sent through the worker nodes. You do not need to configure the NodePool replicas in advance for the htpasswd and request-header identity providers.

Prerequisites

  • You logged in as a user with cluster-admin privileges.
  • You created your hosted cluster.

Procedure

  1. Navigate to Home API Explorer.
  2. Use the Filter by kind box to search for your HostedCluster resource.
  3. Click the HostedCluster resource that you want to edit.
  4. Click the Instances tab.
  5. Click the Options menu kebab next to your hosted cluster name entry and click Edit HostedCluster.

  6. Add the OAuth configuration in the YAML file: 

    spec:
  configuration:
    oauth:
      identityProviders:
      - openID:
    1 
    
          claims:
            email:
    2 
    
              - <email_address>
            name:
    3 
    
              - <display_name>
            preferredUsername:
    4 
    
              - <preferred_username>
          clientID: <client_id>
    5 
    
          clientSecret:
            name: <client_id_secret_name>
    6 
    
          issuer: https://example.com/identity
    7 
    
        mappingMethod: lookup
    8 
    
        name: IAM
        type: OpenID
    Copy to Clipboard Toggle word wrap
    1
    This provider name is prefixed to the value of the identity claim to form an identity name. The provider name is also used to build the redirect URL.
    2
    Defines a list of attributes to use as the email address.
    3
    Defines a list of attributes to use as a display name.
    4
    Defines a list of attributes to use as a preferred user name.
    5
    Defines the ID of a client registered with the OpenID provider. You must allow the client to redirect to the https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name> URL.
    6
    Defines a secret of a client registered with the OpenID provider.
    7
    The Issuer Identifier described in the OpenID spec. You must use https without query or fragment component.
    8
    Defines a mapping method that controls how mappings are established between identities of this provider and User objects.
  7. Click Save.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat