8.3. Disabling direct authentication
If necessary, you can disable direct authentication for your cluster and revert back to authenticating with the built-in OpenShift OAuth server.
Prerequisites
-
You have access to the
kubeconfigfile generated by the installation program for the cluster.
Procedure
-
Ensure that you are using the
kubeconfigfile generated by the installation program, or another long-lived method of logging in as a cluster administrator. Update the authentication configuration to use the built-in OpenShift OAuth server by running the following command:
$ oc patch authentication.config/cluster --type=merge -p=' spec: type: ""1 oidcProviders: null2 'Wait for the cluster to roll out new revisions to all nodes.
Check the Kubernetes API server Operator status by running the following command:
$ oc get co kube-apiserverExample output
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE kube-apiserver 4.21.0 True True False 85m NodeInstallerProgressing: 2 node are at revision 12; 1 node is at revision 14The message in the preceding example shows that one node has progressed to the new revision and two nodes have not yet updated. It can take 20 minutes or more to roll out the new revision to all nodes, depending on the size of your cluster.
-
To troubleshoot any issues, you can also check the Cluster Authentication Operator and
kube-apiserverpod logs for errors.
- If necessary, restore any existing authentication configuration.
Verification
-
Verify that you can successfully log in to the OpenShift Container Platform web console and OpenShift CLI (
oc).