## Implementing OIDC Authentication

To enable OpenID Connect authentication and authorization for your cluster, you need to set a couple of flags on the Kubernetes API server. To do this, set the variables below under `spec.topology.variables` in your Cluster resource:

```yaml
- name: oidcIssuerUrl
  value: https://your.oidc-issuer.com
- name: oidcClientID
  value: 123456789098765432@cluster-1
- name: oidcUsernameClaim
  value: sub
- name: oidcGroupsClaim
  value: username
```

## Create and bind roles

You are now ready to configure Cluster Roles. Below is a sample role providing read-write access to pods and services:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

And bind this role to a group in your OIDC provider:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admins-binding
subjects:
- kind: Group
  name: my-group
roleRef:
  kind: ClusterRole
  name: my-role
  apiGroup: rbac.authorization.k8s.io
```

## Accessing the cluster

Now, every time you access your cluster, you have to pass the auth provider tokens and other information. To simplify this, you can use `kubelogin`.

You can use one of the following commands to install `kubelogin`:

{% tabs #package-managers %}
{% tab title="Krew" %}
```shell
# macOS, Linux, Windows, and ARM
kubectl krew install oidc-login
```
{% /tab %}
{% tab title="Chocolatey" %}
```shell
# Windows
choco install kubelogin
```
{% /tab %}
{% /tabs %}

Alternatively, you can install it from a GitHub release. Then you need to make sure that it is in your path as `kubectl-oidc_login`.

Now you need to change your `kubeconfig` file to authenticate using `kubelogin`. Add the snippet below to it:

```yaml
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://your.oidc-issuer.com
      - --oidc-client-id=123456789098765432@cluster-1
      command: kubectl
```

The next time you run `kubectl`, you'll be prompted to authenticate with your OIDC provider.
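The API server flags, the ClusterRole and the ClusterRoleBinding above together decide who an OIDC user is and what that user may do. The Python script below is an added example, not part of this page or of the project's own code: it replays that decision offline so you can see how `oidcUsernameClaim` and `oidcGroupsClaim` turn ID-token claims into a username and group list, and how the binding and role then allow or deny a request. The `OIDC_CONFIG`, `CLUSTER_ROLE` and `CLUSTER_ROLE_BINDING` dicts restate the page's own values; the token, its claims and the `now` timestamp are constructed for the demo, and the token is deliberately unsigned, because the script only models claim mapping and RBAC, not the signature check the real API server performs against the issuer's JWKS.

```python
import base64
import json
from typing import Dict, List, Optional, Tuple

# The API server OIDC settings from the page's Cluster resource (same values).
OIDC_CONFIG = {
    "issuerUrl": "https://your.oidc-issuer.com",
    "clientID": "123456789098765432@cluster-1",
    "usernameClaim": "sub",
    "groupsClaim": "username",
}

# The page's ClusterRole and ClusterRoleBinding, restated as dicts so this runs without PyYAML.
CLUSTER_ROLE = {
    "name": "my-role",
    "rules": [{
        "apiGroups": [""],
        "resources": ["pods", "services"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}
CLUSTER_ROLE_BINDING = {
    "name": "cluster-admins-binding",
    "subjects": [{"kind": "Group", "name": "my-group"}],
    "roleRef": {"kind": "ClusterRole", "name": "my-role"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> Dict:
    """Return the payload claims of a compact JWT.
    This does NOT verify the signature: the real API server fetches the issuer's
    JWKS and rejects any token whose signature fails before it looks at claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_to_subject(claims: Dict, cfg: Dict, now: int) -> Optional[Tuple[str, List[str]]]:
    """Map ID-token claims to (username, groups) the way --oidc-username-claim and
    --oidc-groups-claim do. Returns None when the token must be rejected."""
    if claims.get("iss") != cfg["issuerUrl"]:
        return None  # minted by a different issuer
    aud = claims.get("aud")
    if cfg["clientID"] not in (aud if isinstance(aud, list) else [aud]):
        return None  # issued for another client, not this cluster
    if int(claims.get("exp", 0)) <= now:
        return None  # expired (or no expiry at all)
    username = claims.get(cfg["usernameClaim"])
    if not isinstance(username, str) or not username:
        return None  # no usable username claim
    # With oidcGroupsClaim set to "username", group membership is read from the
    # token's "username" claim; a string becomes one group, a list is used as-is.
    groups = claims.get(cfg["groupsClaim"], [])
    if isinstance(groups, str):
        groups = [groups]
    return username, [str(g) for g in groups]


def binding_applies(binding: Dict, username: str, groups: List[str]) -> bool:
    """True if any subject of the binding matches the authenticated identity."""
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == username:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def is_allowed(username: str, groups: List[str], verb: str, resource: str, api_group: str = "") -> bool:
    """Authorize one request against the page's binding and role: deny unless a rule matches."""
    if not binding_applies(CLUSTER_ROLE_BINDING, username, groups):
        return False
    return any(
        api_group in rule["apiGroups"] and resource in rule["resources"] and verb in rule["verbs"]
        for rule in CLUSTER_ROLE["rules"]
    )


def make_unsigned_token(claims: Dict) -> str:
    """Constructed, unsigned test token (empty signature segment) for exercising the mapping offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed claims resembling what the page's issuer would put in an ID token.
    token = make_unsigned_token({
        "iss": OIDC_CONFIG["issuerUrl"], "aud": OIDC_CONFIG["clientID"],
        "sub": "alice", "username": "my-group", "exp": 2000000000,
    })
    subject = token_to_subject(decode_claims(token), OIDC_CONFIG, now=1700000000)
    print("subject:", subject)
    if subject:
        user, groups = subject
        print("get pods:", is_allowed(user, groups, "get", "pods"))
        print("get secrets:", is_allowed(user, groups, "get", "secrets"))
```

Two things the script makes visible: first, a request for `secrets`, or for `deployments` in the `apps` API group, is denied even for a member of `my-group`, because the role only names `pods` and `services` in the core group; second, because the groups claim is configured as `username`, the group the binding matches is whatever the issuer puts in that claim, so the value your provider emits there must equal `my-group` for the binding to apply. Against a live cluster you can confirm the same outcome without a token by impersonating the identity, for example `kubectl auth can-i get pods --as=alice --as-group=my-group`.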