After you have deployed the OIDC-enabled cluster and configured Dex and Gangway, you can use your credentials from your external identity provider (IDP) to connect to the cluster.
If you have not already done so, add the credentials of the OIDC-enabled cluster to your kubeconfig.
tkg get credentials my-oidc-cluster
Set the kubectl context to the OIDC-enabled cluster.
kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
Get the list of nodes that are running in the OIDC-enabled cluster.
kubectl get nodes -owide
For a cluster that is running in vSphere, you will see output similar to the following:
NAME                                    STATUS   ROLES    AGE   VERSION            INTERNAL-IP      EXTERNAL-IP      OS-IMAGE                 KERNEL-VERSION   CONTAINER-RUNTIME
my-oidc-cluster-control-plane-7dv69     Ready    master   47h   v1.18.2+vmware.1   10.184.111.216   10.184.111.216   VMware Photon OS/Linux   4.19.112-1.ph3   containerd://1.3.3
my-oidc-cluster-md-0-6654f7958f-t877d   Ready    <none>   47h   v1.18.2+vmware.1   10.184.99.196    10.184.99.196    VMware Photon OS/Linux   4.19.112-1.ph3   containerd://1.3.3
To access the OIDC endpoint address, go to https://
You can distribute this URL to any users who need to access this cluster. Users can access the cluster provided that their IDP account has the correct permissions set. For information about how to set permissions, see Configuring Role-Based Access Control (RBAC) below.
NOTE: Because the example in this section uses a self-signed certificate, follow the browser prompts to accept the certificates from Dex and Gangway.
After signing in through Gangway, users download the kubeconfig file and access the cluster by using kubectl.
Configuring Role-Based Access Control (RBAC)
The kubeconfig that Gangway provides only authenticates the user to the cluster. For a user to be able to perform any create, reconfigure, update, or delete (CRUD) action against the cluster, the appropriate cluster roles and role bindings must also be defined. For information about configuring RBAC on clusters, see Using RBAC Authorization in the Kubernetes documentation.
The following example shows a cluster role binding that gives any user in an example group the cluster-admin cluster role. Replace <name> with a name for the binding and <group-name> with the name of the group.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <name>
subjects:
- kind: Group
  name: <group-name>
  apiGroup: ""
roleRef:
  kind: ClusterRole  # this must be Role or ClusterRole
  name: cluster-admin  # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
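Binding an IDP group to cluster-admin, as the example above does, makes group membership in the identity provider the only thing standing between a login and full cluster control. The following added example (not part of the original page or of the Tanzu Kubernetes Grid tooling) shows two things a practitioner usually wants next: a helper that generates such a group binding with the apiGroup values written out explicitly, and a small audit that reads the JSON that `kubectl get clusterrolebindings -o json` produces and flags bindings that hand a high-privilege role to a group, with the implicit `system:authenticated` group, which every logged-in OIDC user belongs to, treated as critical. The sample JSON, the binding names and the group names in it are constructed for the demonstration.

```python
import json

RBAC_API_GROUP = "rbac.authorization.k8s.io"
# Roles that grant full control of the cluster; any Group binding to them merits review.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}
# Every user who authenticates through Dex is implicitly in system:authenticated,
# so binding these groups to a powerful role grants it to anyone who can log in.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def build_group_binding(name, group, cluster_role):
    """Return a ClusterRoleBinding manifest (as a dict) granting cluster_role to group.

    apiGroup is set explicitly on both the subject and the roleRef, so the manifest
    does not rely on the API server defaulting an empty value.
    """
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": [{"kind": "Group", "name": group, "apiGroup": RBAC_API_GROUP}],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role, "apiGroup": RBAC_API_GROUP},
    }


def audit_bindings(bindings_json):
    """Audit a JSON List of ClusterRoleBindings; return (severity, binding, message) tuples."""
    findings = []
    for binding in json.loads(bindings_json)["items"]:
        name = binding["metadata"]["name"]
        ref = binding.get("roleRef", {})
        # A ClusterRoleBinding can only reference a ClusterRole in the RBAC API group.
        if ref.get("kind") != "ClusterRole":
            findings.append(("error", name, "roleRef.kind must be ClusterRole"))
        if ref.get("apiGroup") != RBAC_API_GROUP:
            findings.append(("error", name, "roleRef.apiGroup must be " + RBAC_API_GROUP))
        for subject in binding.get("subjects", []):
            kind, subj = subject.get("kind"), subject.get("name", "")
            if kind in ("User", "Group") and subject.get("apiGroup", "") == "":
                findings.append(("info", name,
                                 f"{kind} {subj}: empty apiGroup is defaulted to {RBAC_API_GROUP}"))
            if kind == "Group" and ref.get("name") in HIGH_PRIVILEGE_ROLES:
                if subj in BROAD_GROUPS:
                    findings.append(("critical", name,
                                     f"{subj} bound to {ref['name']}: every IDP login becomes cluster admin"))
                else:
                    findings.append(("high", name,
                                     f"group {subj} bound to {ref['name']}: confirm IDP group membership is tightly controlled"))
    return findings


# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`,
# reduced to the fields the audit uses. Names and groups are hypothetical.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {   # mirrors the page's example: an IDP group bound to cluster-admin
            "kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "oidc-admins"},
            "subjects": [{"kind": "Group", "name": "platform-admins", "apiGroup": ""}],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_API_GROUP},
        },
        {   # least-privilege alternative: read-only access for a developer group
            "kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "oidc-readers"},
            "subjects": [{"kind": "Group", "name": "developers", "apiGroup": RBAC_API_GROUP}],
            "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC_API_GROUP},
        },
        {   # misconfiguration: every authenticated user gets cluster-admin
            "kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "everyone-admin"},
            "subjects": [{"kind": "Group", "name": "system:authenticated", "apiGroup": RBAC_API_GROUP}],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_API_GROUP},
        },
    ],
})

if __name__ == "__main__":
    for severity, name, message in audit_bindings(SAMPLE_BINDINGS):
        print(f"[{severity}] {name}: {message}")
    print(json.dumps(build_group_binding("oidc-readers", "developers", "view"), indent=2))
```

Running the audit against a live cluster is a matter of piping `kubectl get clusterrolebindings -o json` into `audit_bindings`; the `high` findings are the ones to reconcile against who can actually join the group in the IDP, and any `critical` finding should be removed before the Gangway URL is distributed.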