OIDC Provider for Kubernetes Clusters
Page last updated:
This topic describes the global default OpenID Connect (OIDC) provider setting that you can use for Kubernetes clusters in VMware Enterprise PKS and how to override it for individual clusters.
Configuring an OIDC provider for PKS-provisioned clusters enables Kubernetes to verify end-user identities based on the authentication performed by UAA or a custom OIDC provider.
You can use the following methods to configure an OIDC provider in Enterprise PKS:
- Configure UAA as the default OIDC provider in the Enterprise PKS tile > UAA. For more information, see UAA as the Default OIDC Provider below.
- Configure a custom OIDC provider by applying a Kubernetes profile to one or more PKS-provisioned clusters. For more information, see Custom OIDC Provider below.
The Enterprise PKS tile > UAA > Configure created clusters to use UAA as the OIDC provider is a global setting for PKS-provisioned clusters, described in the table below:
|Enabled||If you enable UAA as the OIDC provider, Kubernetes verifies end-user
identities based on authentication executed by UAA as follows:
|Disabled||If you do not enable UAA as the OIDC provider, Kubernetes authenticates users against its internal user management system.|
When you enable UAA as your OIDC provider, existing PKS-provisioned clusters are upgraded to use OIDC. This invalidates your kubeconfig files. You must regenerate the files for all existing clusters.
You can configure one or more Kubernetes clusters to use a custom OIDC provider by creating and applying a Kubernetes profile to the clusters. This overrides the global Configure created clusters to use UAA as the OIDC provider setting in the Enterprise PKS tile > UAA.
For instructions, see Add an OIDC Provider.
If you want to give Kubernetes end users, such as developers, access to PKS-provisioned clusters after you configure your OIDC provider, you must create Kubernetes role bindings for them.
For instructions, see Managing Cluster Access and Permissions.
Please send any feedback you have to firstname.lastname@example.org.