
Configure KubeSphere as an OIDC Identity Provider

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 framework (IETF RFC 6749 and 6750). KubeSphere v4.1.3 implements the Authorization Code Flow of the OpenID Connect protocol so that extensions can integrate with KubeSphere's account system. This tutorial uses Harbor as the OIDC client. After configuration, you can use KubeSphere accounts to log in to Harbor.

SSO Implementation Flow via OIDC

(Figure: OIDC SSO flow)

  1. End user navigates to a website or web application via a browser.

  2. End user clicks sign-in and types their username and password.

  3. The RP (Client) sends a request to the OpenID Provider (OP).

  4. The OP authenticates the User and obtains authorization.

  5. The OP responds with an Identity Token and usually an Access Token.

  6. The RP can send a request with the Access Token to the UserInfo Endpoint.

  7. The UserInfo Endpoint returns Claims about the End-User.

Deploy KubeSphere 4.1.3

```bash
helm upgrade --install -n kubesphere-system --create-namespace ks-core https://charts.kubesphere.io/main/ks-core-1.1.4.tgz --debug --wait \
  --set portal.hostname=172.31.17.16.nip.io \
  --set portal.https.port=30491 \
  --set ingress.enabled=true \
  --set ingress.tls.enabled=true \
  --set ingress.ingressClassName=kubesphere-router-cluster
```

Note

Before applying the configuration, ks-console must be exposed via HTTPS. This tutorial uses an Ingress to expose ks-console. The cluster gateway is created with the KubeSphere Gateway extension, and its IngressClass is kubesphere-router-cluster. The exposed HTTPS port is 30491, so portal.https.port is set to 30491.

| Parameter | Description |
| --- | --- |
| portal.hostname | Domain or IP for accessing KubeSphere Console (replace with the actual node IP) |
| portal.https.port, portal.http.port | Ports for accessing KubeSphere Console |
| ingress.enabled, ingress.tls.enabled | Ingress and TLS configuration |
| ingress.ingressClassName | IngressClass for the Ingress (must reference a pre-existing IngressClass) |

Create OAuth Client

```bash
cat << EOF | kubectl apply -f -
apiVersion: v1
stringData:
  configuration.yaml: |
    name: harbor
    secret: password123
    grantMethod: auto
    scopeRestrictions:
      - 'openid'
      - 'email'
      - 'profile'
    redirectURIs:
      - https://harbor.172.31.19.17.nip.io/c/oidc/callback
kind: Secret
metadata:
  name: oauthclient-harbor
  namespace: kubesphere-system
  labels:
    config.kubesphere.io/type: oauthclient
type: config.kubesphere.io/oauthclient
EOF
```
| Parameter | Description |
| --- | --- |
| metadata.name, stringData.configuration.yaml.name | OAuth Client ID |
| stringData.configuration.yaml.secret | OAuth Client Secret |
| stringData.configuration.yaml.redirectURIs | List of callback URLs supported by the OAuth Client |
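The client registration above is what the Authorization Code Flow checks an authorization request against: the redirect_uri must exactly match a registered entry and the requested scopes must stay within scopeRestrictions. The following added Python example (not KubeSphere's code) parses a constructed copy of the page's configuration.yaml with a minimal line parser rather than a YAML library, lints it, and mimics those provider-side checks; the 32-character secret threshold is an assumption.

```python
from urllib.parse import urlsplit

# Constructed copy of the page's configuration.yaml (the weak secret is the page's own placeholder).
CONFIGURATION_YAML = """\
name: harbor
secret: password123
grantMethod: auto
scopeRestrictions:
  - 'openid'
  - 'email'
  - 'profile'
redirectURIs:
  - https://harbor.172.31.19.17.nip.io/c/oidc/callback
"""

def parse_client(text):
    """Minimal parser for the flat key/list layout above; not a general YAML parser."""
    client, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):            # list item belongs to the last key seen
            client.setdefault(key, []).append(line[2:].strip("'\""))
        elif ":" in line:                    # scalar key, or a key introducing a list
            key, _, value = line.partition(":")
            client[key.strip()] = value.strip() or []
    return client

def lint_client(client):
    """Findings a reviewer would raise before applying the Secret (32-char minimum is an assumption)."""
    findings = []
    if len(client.get("secret", "")) < 32:
        findings.append("secret shorter than 32 characters; use a random value")
    for uri in client.get("redirectURIs", []):
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append(f"redirect URI not https: {uri}")
        if "*" in uri or parts.fragment:
            findings.append(f"redirect URI must be literal and fragment-free: {uri}")
    if "openid" not in client.get("scopeRestrictions", []):
        findings.append("scopeRestrictions must allow 'openid' for OIDC")
    return findings

def check_authorization_request(client, redirect_uri, scope):
    """Exact-match redirect_uri and scope-subset checks as an OpenID Provider applies them."""
    if redirect_uri not in client.get("redirectURIs", []):
        return False, "redirect_uri does not exactly match a registered URI"
    extra = set(scope.split()) - set(client.get("scopeRestrictions", []))
    if extra:
        return False, "scope outside scopeRestrictions: " + " ".join(sorted(extra))
    return True, "ok"
```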

OIDC Configuration Reference

  1. Configure OIDC in Harbor. (Figure: configure harbor)

  2. Log in to Harbor via OIDC. (Figure: harbor login)

  3. Log in to KubeSphere Console. (Figure: ks login)

  4. Associate the Harbor account at first-time login. (Figure: first login)
