8.2. 创建使用外部 OIDC 身份提供程序进行身份验证的 Red Hat OpenShift Service on AWS 集群

流程

• 如果您使用 OIDC_ID、SUBNET_IDS 和 OPERATOR_ROLES_PREFIX 变量准备您的环境，您可以在创建集群时继续使用这些变量。例如，运行以下命令：

  $ rosa create cluster --hosted-cp --subnet-ids=$SUBNET_IDS \
     --oidc-config-id=$OIDC_ID --cluster-name=<cluster_name> \
     --operator-roles-prefix=$OPERATOR_ROLES_PREFIX \
     --external-auth-providers-enabled

  Copy to Clipboard Toggle word wrap

• 如果您没有设置环境变量，请运行以下命令：

  $ rosa create cluster --cluster-name=<cluster_name> --sts --mode=auto \
      --hosted-cp --operator-roles-prefix <operator-role-prefix> \
      --oidc-config-id <ID-of-OIDC-configuration> \
      --external-auth-providers-enabled \
      --subnet-ids=<public-subnet-id>,<private-subnet-id>

  Copy to Clipboard Toggle word wrap

验证

• 运行以下命令验证您的外部身份验证是否在集群详情中启用：

  $ rosa describe cluster --cluster=<cluster_name>

  Copy to Clipboard Toggle word wrap

  Name:                       rosa-ext-test
  Display Name:               rosa-ext-test
  ID:                         <cluster_id>
  External ID:                <cluster_ext_id>
  Control Plane:              ROSA Service Hosted
  OpenShift Version:          4.20.0
  Channel Group:              stable
  DNS:                        <dns>
  AWS Account:                <AWS_id>
  AWS Billing Account:        <AWS_id>
  API URL:                    <ocm_api>
  Console URL:
  Region:                     us-east-1
  Availability:
   - Control Plane:           MultiAZ
   - Data Plane:              SingleAZ
  
  Nodes:
   - Compute (desired):       2
   - Compute (current):       0
  Network:
   - Type:                    OVNKubernetes
   - Service CIDR:            <service_cidr>
   - Machine CIDR:            <machine_cidr>
   - Pod CIDR:                <pod_cidr>
   - Host Prefix:             /23
   - Subnets:                 <subnet_ids>
  EC2 Metadata Http Tokens:   optional
  Role (STS) ARN:             arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
  Support Role ARN:           arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
  Instance IAM Roles:
   - Worker:                  arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
  Operator IAM Roles:
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-clo
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-kms-provider
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-kube-controller-manager
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-crede
  Managed Policies:           Yes
  State:                      ready
  Private:                    No
  Created:                    Mar 29 2024 14:25:52 UTC
  User Workload Monitoring:   Enabled
  Details Page:               https://<url>
  OIDC Endpoint URL:          https://<endpoint> (Managed)
  Audit Log Forwarding:       Disabled
  External Authentication:    Enabled 

  1

  Copy to Clipboard Toggle word wrap

  1

  External Authentication 标志被启用，您现在可以创建外部身份验证供应商。