This topic describes how to configure the global default OpenID Connect (OIDC) provider settings for your VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) provisioned Kubernetes clusters and how to override the default configuration for individual clusters.

Overview

Configuring an OIDC provider for TKGI-provisioned clusters enables Kubernetes to verify end-user identities based on the authentication performed by UAA or a custom OIDC provider.

You can use the following methods to configure an OIDC provider in Tanzu Kubernetes Grid Integrated Edition:

  • Configure UAA as the default OIDC provider in the Tanzu Kubernetes Grid Integrated Edition tile > UAA. For more information, see UAA as the Default OIDC Provider below.
  • Configure a custom OIDC provider by applying a Kubernetes profile to one or more TKGI-provisioned clusters. For more information, see Custom OIDC Provider below.

UAA as the Default OIDC Provider

The "Configure created clusters to use UAA as the OIDC provider" option, under the Tanzu Kubernetes Grid Integrated Edition tile > UAA, is a global setting for TKGI-provisioned clusters. Its values are described in the table below:

| Option | Description |
|---|---|
| Activated | If you enable UAA as the OIDC provider, Kubernetes verifies end-user identities based on authentication executed by UAA as follows: • If you select Internal UAA, Kubernetes authenticates users against the internal UAA authentication mechanism. • If you select LDAP Server, Kubernetes authenticates users against the LDAP server. • If you select SAML Identity Provider, Kubernetes authenticates users against the SAML identity provider. |
| Deactivated | If you do not activate UAA as the OIDC provider, Kubernetes authenticates users against its internal user management system. |

When you activate UAA as your OIDC provider, existing TKGI-provisioned clusters are upgraded to use OIDC. This invalidates your kubeconfig files. You must regenerate the files for all existing clusters.

Custom OIDC Provider

You can configure one or more Kubernetes clusters to use a custom OIDC provider by creating and applying a Kubernetes profile to the clusters. This overrides the global "Configure created clusters to use UAA as the OIDC provider" setting in the Tanzu Kubernetes Grid Integrated Edition tile > UAA.

For instructions, see Adding an OIDC Provider.

After You Configure Your OIDC Provider

If you want to give Kubernetes end users, such as developers, access to TKGI-provisioned clusters after you configure your OIDC provider, you must create Kubernetes role bindings for them.

For instructions, see Managing Cluster Access and Permissions.
