
Configure External Authentication

KubeSphere supports setting up external authentication. Platform administrators can configure identity providers through Secrets.

After configuring external identity providers, users can log in to the KubeSphere web console using usernames and passwords from LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect.

Steps

  1. Log in to the KubeSphere web console with a user having the platform-admin role.

  2. Navigate to the project kubesphere-system under the workspace system-workspace.

  3. Click Configuration > ConfigMap in the left navigation pane.

  4. Click Create on the page.

  5. In the Create Secrets dialog, toggle the Edit YAML switch in the top right corner to create a secret using YAML.

  6. Modify the YAML file according to the example and configuration instructions below. Once configured, click Create.

  7. Log out of the KubeSphere web console. On the login page, enter the username and password for LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect based on the configured external authentication type.

Note

In a multi-cluster environment, configuration is only required in the host cluster.

OpenLDAP YAML Sample

apiVersion: v1
kind: Secret
metadata:
  namespace: kubesphere-system
  name: identity-provider-ldap
  labels:
    config.kubesphere.io/type: identityprovider
stringData:
  configuration.yaml: |
    name: openldap
    type: LDAPIdentityProvider
    mappingMethod: auto
    provider:
      host: "192.168.0.2:389"
      managerDN: uid=root,cn=users,dc=nas
      managerPassword: "********"
      userSearchBase: cn=users,dc=nas
      loginAttribute: uid
      mailAttribute: mail
type: config.kubesphere.io/identityprovider

Attention

  • The secret must be created in the kubesphere-system project.

  • The secret must have the following type (the top-level type field in the sample):

    type: config.kubesphere.io/identityprovider

  • The secret must carry the following label:

    config.kubesphere.io/type: identityprovider

Configuration Explanation

In the stringData.configuration.yaml field of the above example:

  • name: Specifies the name of the external identity provider, which must be unique to avoid creation failures.

  • type: Specifies the type of external identity provider, supporting the following types:

    • LDAP: LDAPIdentityProvider

    • CAS: CASIdentityProvider

    • GitHub: GitHubIdentityProvider

    • Alibaba Cloud IDaaS: AliyunIDaaSProvider

    • OpenID Connect: OIDCIdentityProvider

  • mappingMethod: Specifies how external identity users are associated with KubeSphere users.

    • auto: Automatically creates a KubeSphere user with the same name. Fails if a user with the same name already exists in the platform.

    • manual: Lets the user create a new KubeSphere user with a name of their choice after logging in.

    • lookup: Automatically associates an existing KubeSphere user with the same name. Fails if no user with the specified name exists.

  • provider: Contains specific parameters for the external identity authentication. Below are examples of the provider parameters for different authentication types.

    • LDAPIdentityProvider

      host: "192.168.0.2:389"
      managerDN: uid=root,cn=users,dc=nas
      managerPassword: "********"
      userSearchBase: cn=users,dc=nas
      loginAttribute: uid
      mailAttribute: mail

    • CASIdentityProvider

      redirectURL: "https://ks-console:30880/oauth/redirect/cas"
      casServerURL: "https://cas.example.org/cas"
      insecureSkipVerify: true

    • OIDCIdentityProvider

      clientID: '********'
      clientSecret: '********'
      issuer: https://accounts.google.com
      redirectURL: 'https://ks-console/oauth/redirect/google'

    • GitHubIdentityProvider

      clientID: '******'
      clientSecret: '******'
      redirectURL: 'https://ks-console/oauth/redirect/github'

    For the configuration method of Alibaba Cloud IDaaS provider, refer to the Alibaba Cloud IDaaS Documentation.
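As an added check (example code written for this page, not KubeSphere's own), the script below parses an identity-provider Secret manifest, verifies the three requirements from the Attention list above (namespace, type, label), confirms the provider type is one of the supported values, and flags insecureSkipVerify: true from the CAS sample, since that setting disables TLS certificate verification of the CAS server. It embeds a constructed sample whose namespace is misspelled and uses a minimal parser for the YAML subset on this page so it runs with the standard library only.

```python
import itertools, textwrap
SUPPORTED_TYPES = {"LDAPIdentityProvider", "CASIdentityProvider", "GitHubIdentityProvider", "AliyunIDaaSProvider", "OIDCIdentityProvider"}
indent = lambda s: len(s) - len(s.lstrip())

def parse_simple_yaml(text):
    # Minimal parser for the YAML subset on this page: nested maps, scalars and the '|' block scalar only.
    lines = [l for l in text.splitlines() if l.strip()]
    def block(i, min_indent):
        out = {}
        while i < len(lines) and indent(lines[i]) >= min_indent:
            cur, (key, _, val) = indent(lines[i]), lines[i].strip().partition(":")
            val, i = val.strip(), i + 1
            if val == "|":                    # block scalar: the deeper-indented lines, verbatim
                body = list(itertools.takewhile(lambda l: indent(l) > cur, lines[i:]))
                out[key], i = textwrap.dedent("\n".join(body)), i + len(body)
            elif val == "":                   # nested mapping
                out[key], i = block(i, cur + 1)
            else:
                out[key] = val.strip("'\"")   # scalars stay strings ("true", not True)
        return out, i
    return block(0, 0)[0]

def validate_idp_secret(manifest_yaml):
    # Findings against the Attention list above, plus a warning when TLS verification is switched off.
    m = parse_simple_yaml(manifest_yaml)
    meta, cfg = m.get("metadata", {}), parse_simple_yaml(m.get("stringData", {}).get("configuration.yaml", ""))
    checks = [
        (meta.get("namespace") == "kubesphere-system", "namespace must be kubesphere-system"),
        (m.get("type") == "config.kubesphere.io/identityprovider", "type must be config.kubesphere.io/identityprovider"),
        (meta.get("labels", {}).get("config.kubesphere.io/type") == "identityprovider", "label config.kubesphere.io/type: identityprovider is missing"),
        (cfg.get("type") in SUPPORTED_TYPES, f"unsupported provider type {cfg.get('type')!r}"),
        (cfg.get("provider", {}).get("insecureSkipVerify") != "true", "provider.insecureSkipVerify is true: the CAS server certificate is not verified"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: the page's CAS provider settings in a Secret whose namespace is misspelled.
SAMPLE = """\
metadata:
  namespace: kubeshere-system
  name: identity-provider-cas
  labels:
    config.kubesphere.io/type: identityprovider
stringData:
  configuration.yaml: |
    name: cas
    type: CASIdentityProvider
    mappingMethod: auto
    provider:
      casServerURL: "https://cas.example.org/cas"
      insecureSkipVerify: true
type: config.kubesphere.io/identityprovider
"""
```

Run validate_idp_secret on the YAML you are about to paste into the Edit YAML dialog; an empty list means the Secret satisfies the rules above.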
