0

Below is my kubeconfig file for accessing kubernetes clusters:

kind: ClientConfig
apiVersion: authentication.gke.io/v2alpha1
spec:
  name: dev-corp
  server: https://10.x.x.x:443
  certificateAuthorityData: ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
  authentication:
  - name: oidc
    oidc:
      clientID: aaaaad3-9aa1-33c8-dd0-ddddd6b5bf5
      clientSecret: ccccccccccccccccc-
      issuerURI: https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0
      kubectlRedirectURI: http://localhost:12345/callback
      cloudConsoleRedirectURI: http://console.cloud.google.com/kubernetes/oidc
      scopes: offline_access,profile
      userClaim: upn
      userPrefix: '-'
      groupsClaim: groups
  preferredAuthentication: oidc

There are different OAuth grant types.

My understanding is, above OAuth grant type is client credential grant type, that requires client_id, client_secret, token URL(issuerURI), scope

  1. What is the significance of fields kubectlRedirectURI, cloudConsoleRedirectURI, userClaim, userPrefix?

  2. How OIDC different from OAuth2?

  3. oauth2.Config does not store userClaim & userPrefix, groupsClaim information , as shown here.... https://github.com/golang/oauth2/blob/master/oauth2.go#L41

    How to store kind:ClientConfig with oidc based authentication into cache? for example api.Config can be stored with an API from client-go to write api.Config as shown here.

overexchange
  • 15,768
  • 30
  • 152
  • 347

1 Answers1

2

KUBECTL_REDIRECT_URL: the redirect URL that kubectl oidc login uses for authorization. This is typically of the format http://localhost:PORT/callback, where PORT is any port above 1024 that will be available on developer workstations, for example http://localhost:10000/callback. You must register the URL with your OIDC provider as an authorized redirect URL for the client application.

USER_PREFIX: prefix prepended to user claims to prevent conflicts with existing names. By default, an issuer prefix is appended to the userID given to the Kubernetes API server (unless the user claim is email). The resulting user identifier is ISSUER_URI#USER. We recommend using a prefix, but you can disable the prefix by setting USER_PREFIX to -.

userClaim: the user identifier in the token under the claim name configured in spec.authentication.oidc.userClaim in the client configuration file.

cloudConsoleRedirectURI the name tell the story, the cloud redirect URL for OIDC, for example in case of google https://console.cloud.google.com/kubernetes/oidc

OIDC vs OAuth2

What's the difference between OpenID and OAuth?

The file in the question from OIDC and you are comparing the value with Oauth, both handling at different way, better to update the question again with Oauth config file.

api-server-authentication

you can check kubeconfig builder

kubernetes-engine-oidc

How to store kind:ClientConfig with oidc based authentication into cache?

you can write to a file and then read, or somewhere in the cloud storage as well

Adiii
  • 54,482
  • 7
  • 145
  • 148