After you have deployed the OIDC-enabled cluster and configured Dex and Gangway, you can use your credentials from your external identity provider (IDP) to connect to the cluster.

Prerequisites

  1. You have deployed Dex on your management cluster by completing the steps in one of the following procedures:
  2. You have deployed an OIDC-enabled cluster by completing the steps in Deploy an Authentication-Enabled Cluster.
  3. You have enabled Gangway on your OIDC-enabled cluster by completing the steps in either of the following procedures:

Procedure

  1. If you have not already done so, add the credentials of the OIDC-enabled cluster to your kubeconfig.

    tkg get credentials my-oidc-cluster
    
  2. Set the context of kubectl to the OIDC-enabled cluster.

    kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
    
  3. Get the list of nodes that are running in the OIDC-enabled cluster.

    kubectl get nodes -owide
    

    For a cluster that is running in vSphere, you will see output similar to the following:

    NAME                                    STATUS   ROLES    AGE   VERSION            INTERNAL-IP      EXTERNAL-IP      OS-IMAGE                 KERNEL-VERSION   CONTAINER-RUNTIME
    my-oidc-cluster-control-plane-7dv69     Ready    master   47h   v1.18.2+vmware.1   10.184.111.216   10.184.111.216   VMware Photon OS/Linux   4.19.112-1.ph3   containerd://1.3.3
    my-oidc-cluster-md-0-6654f7958f-t877d   Ready    <none>   47h   v1.18.2+vmware.1   10.184.99.196    10.184.99.196    VMware Photon OS/Linux   4.19.112-1.ph3   containerd://1.3.3
    
  4. Copy the IP address of the control plane node, under EXTERNAL-IP.
  5. To access the OIDC endpoint, go to https:// :30166 in a browser, where the host is the EXTERNAL-IP of the control plane node that you copied in the previous step.

    You can distribute this URL to any users who need to access this cluster. Users can access the cluster provided that their IDP account has the correct permissions set. For information about how to set permissions, see Configuring Role-Based Access Control (RBAC) below.

    NOTE: Because the example in this section uses a self-signed certificate, follow the browser prompts to accept the certificates from Dex and Gangway.

    1. On the Tanzu Kubernetes Grid Authentication page at https:// :30166, users click the Sign In button.
    2. At the Log in to Your Account page, users enter their credentials from your IDP.
    3. Once they have logged in, they can download the kubeconfig file and access the cluster by using kubectl.
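Steps 3 to 5 above can be scripted for users who need the sign-in URL for several clusters. The following Python is an added example and not part of the Tanzu Kubernetes Grid documentation: it parses the table that `kubectl get nodes -owide` prints (the sample input is constructed from the table shown above), finds the control plane node and builds the Gangway URL on port 30166 as used on this page. Accepting the newer `control-plane` role label alongside `master`, and falling back to INTERNAL-IP when EXTERNAL-IP is `<none>`, are assumptions of this example rather than behaviour the page describes.

```python
"""Turn the output of `kubectl get nodes -owide` into the Gangway sign-in URL.

Added example, not part of the Tanzu Kubernetes Grid documentation.
"""
import subprocess
from typing import List, Optional

# Gangway NodePort used throughout this page.
GANGWAY_PORT = 30166

# Constructed sample: the node table shown on this page for the vSphere cluster.
SAMPLE_NODES_OUTPUT = """\
NAME                                    STATUS   ROLES    AGE   VERSION            INTERNAL-IP      EXTERNAL-IP      OS-IMAGE                 KERNEL-VERSION   CONTAINER-RUNTIME
my-oidc-cluster-control-plane-7dv69     Ready    master   47h   v1.18.2+vmware.1   10.184.111.216   10.184.111.216   VMware Photon OS/Linux   4.19.112-1.ph3   containerd://1.3.3
my-oidc-cluster-md-0-6654f7958f-t877d   Ready    <none>   47h   v1.18.2+vmware.1   10.184.99.196    10.184.99.196    VMware Photon OS/Linux   4.19.112-1.ph3   containerd://1.3.3
"""

# The first seven columns are single tokens; OS-IMAGE and later may contain spaces.
FIXED_COLUMNS = 7


def parse_nodes(output: str) -> List[dict]:
    """Parse the whitespace-aligned table into one dict per node.

    Each row is split into at most FIXED_COLUMNS + 1 fields so that the
    space-containing OS-IMAGE column cannot shift the IP columns.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return []
    headers = lines[0].split()[:FIXED_COLUMNS]
    if "EXTERNAL-IP" not in headers or "ROLES" not in headers:
        raise ValueError("expected the wide node table (kubectl get nodes -owide)")
    nodes = []
    for row in lines[1:]:
        fields = row.split(None, FIXED_COLUMNS)[:FIXED_COLUMNS]
        nodes.append(dict(zip(headers, fields)))
    return nodes


def control_plane_ips(nodes: List[dict]) -> List[str]:
    """Return the reachable IP of every control plane node.

    ROLES may hold several comma-separated roles. The release on this page
    labels the role `master`; newer releases use `control-plane` (assumption:
    both are accepted here). When EXTERNAL-IP is `<none>`, INTERNAL-IP is
    used instead (assumption: on vSphere the two are equal, as in the table).
    """
    ips = []
    for node in nodes:
        roles = set(node["ROLES"].split(","))
        if roles & {"master", "control-plane"}:
            ip = node["EXTERNAL-IP"]
            if ip == "<none>":
                ip = node["INTERNAL-IP"]
            ips.append(ip)
    return ips


def gangway_url(output: str, port: int = GANGWAY_PORT) -> Optional[str]:
    """Build https://<control-plane EXTERNAL-IP>:<port>, or None if no control plane node is listed."""
    ips = control_plane_ips(parse_nodes(output))
    if not ips:
        return None
    return f"https://{ips[0]}:{port}"


def live_nodes_output() -> str:
    """Step 3 on this page, run against the current kubectl context."""
    result = subprocess.run(
        ["kubectl", "get", "nodes", "-owide"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in live_nodes_output() on a real cluster.
    print(gangway_url(SAMPLE_NODES_OUTPUT))
```

Run against the sample the script prints `https://10.184.111.216:30166`, the URL that step 5 tells users to open; with several control plane nodes it returns the first one listed, which is enough for a sign-in page served on a NodePort.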

Configuring Role-Based Access Control (RBAC)

The kubeconfig that Gangway provides enables user authentication to clusters. For a user to be able to perform any type of create, reconfigure, update, or delete (CRUD) actions against the cluster, the appropriate cluster roles and role bindings must be defined. For information about configuring RBAC on clusters, see Using RBAC Authorization in the Kubernetes documentation.

The following example shows a cluster role binding that gives any user in an example group cluster-admin access.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <name>
subjects:
  - kind: Group
    name: <group-name>  # the group name as it appears in the IDP's group claim
    apiGroup: rbac.authorization.k8s.io  # required for User and Group subjects
roleRef:
  kind: ClusterRole  # this must be Role or ClusterRole
  name: cluster-admin  # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
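Because a binding like the one above hands cluster-admin to every member of an IDP group, it is worth checking which subjects hold that role once OIDC is in place. The following Python is an added example and not part of the Tanzu Kubernetes Grid documentation: it reads JSON in the shape that `kubectl get clusterrolebindings -o json` prints, lists every binding whose roleRef is the cluster-admin ClusterRole, and flags the built-in groups `system:authenticated`, `system:unauthenticated` and `system:anonymous`, which match every token holder rather than one IDP group. The sample input is constructed; `oidc-admins` stands in for the `<group-name>` placeholder, and the `everyone-admin` binding is a deliberately over-broad one for the check to catch.

```python
"""List and flag ClusterRoleBindings that grant cluster-admin.

Added example, not from the Tanzu Kubernetes Grid documentation. Input is
the JSON printed by `kubectl get clusterrolebindings -o json`.
"""
import json
from typing import List

# Built-in groups that match far more principals than an intended IDP group.
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}

CLUSTER_ADMIN_REF = {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}
VIEW_REF = {"kind": "ClusterRole", "name": "view", "apiGroup": "rbac.authorization.k8s.io"}


def _group(name: str) -> dict:
    return {"kind": "Group", "name": name, "apiGroup": "rbac.authorization.k8s.io"}


# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE_BINDINGS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        # Default binding every cluster ships with.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "subjects": [_group("system:masters")], "roleRef": CLUSTER_ADMIN_REF},
        # The binding from this page with <group-name> filled in (constructed name).
        {"kind": "ClusterRoleBinding", "metadata": {"name": "oidc-admins-binding"},
         "subjects": [_group("oidc-admins")], "roleRef": CLUSTER_ADMIN_REF},
        # Deliberately over-broad binding for the check to flag (constructed).
        {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
         "subjects": [_group("system:authenticated")], "roleRef": CLUSTER_ADMIN_REF},
        # A narrower grant (read-only `view` ClusterRole); not reported.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "oidc-viewers-binding"},
         "subjects": [_group("oidc-viewers")], "roleRef": VIEW_REF},
    ],
})


def cluster_admin_bindings(doc: dict) -> List[dict]:
    """Return one finding per subject of every binding to the cluster-admin ClusterRole.

    A binding's `subjects` may be absent or null in real output, so it is
    treated as empty rather than crashing the audit.
    """
    findings = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:
            name = subj.get("name", "")
            findings.append({
                "binding": item["metadata"]["name"],
                "kind": subj.get("kind", ""),
                "subject": name,
                "broad": name in BROAD_SUBJECTS,
            })
    return findings


def audit(raw_json: str) -> List[dict]:
    """Parse kubectl's JSON output and run the cluster-admin check on it."""
    return cluster_admin_bindings(json.loads(raw_json))


if __name__ == "__main__":
    # Offline run on the constructed sample; on a cluster, pipe
    # `kubectl get clusterrolebindings -o json` into audit() instead.
    for f in audit(SAMPLE_BINDINGS_JSON):
        flag = "  <-- over-broad subject" if f["broad"] else ""
        print(f'{f["binding"]}: {f["kind"]} {f["subject"]}{flag}')
```

On the sample, the default `cluster-admin` binding and `oidc-admins-binding` are listed as expected grants, `everyone-admin` is flagged, and `oidc-viewers-binding` is not reported because `view` is not cluster-admin. Reviewing the reported list after each change to the IDP group membership keeps the set of cluster-admin holders to the groups you intended.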