Tanzu Kubernetes Grid implements user authentication with Pinniped. Pinniped allows you to plug external OpenID Connect (OIDC) or LDAP identity providers (IDP) into Tanzu Kubernetes clusters, so that you can control user access to those clusters. Pinniped is an open-source authentication service for Kubernetes clusters. If you use LDAP authentication, Pinniped uses Dex as the endpoint to connect to your upstream LDAP identity provider. If you use OIDC, Pinniped provides its own endpoint, so Dex is not required. Pinniped and Dex run automatically as in-cluster services in your management clusters if you enable identity management during management cluster deployment.
The process for implementing identity management is as follows:
kubeconfig for the workload cluster to the user.
kubeconfig to connect the workload cluster to the Tanzu Kubernetes cluster, for example by running kubectl get pods --kubeconfig <kubeconfig-file>.
kubectl get pods request, depending on the permissions of the user's role.
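The kubeconfig handed to a user in the flow above should delegate authentication to the Pinniped exec plugin (so every kubectl request is checked against the IDP) rather than carry a static credential that bypasses identity management. The following script is an added example, not part of the Tanzu Kubernetes Grid documentation or the Pinniped project; it inspects a kubeconfig and reports, per user entry, whether it uses the Pinniped exec plugin, some other exec plugin, or an embedded static credential. The sample kubeconfig is constructed for the example and stored as JSON (kubectl accepts JSON kubeconfigs, which keeps the script standard-library only); the tanzu pinniped-auth arguments shown are illustrative assumptions about the shape of a generated kubeconfig, not an authoritative listing.

```python
"""Audit a kubeconfig for static credentials versus Pinniped exec auth.

Added example (not TKG or Pinniped code). Uses only the standard library.
"""
import json

# Constructed sample kubeconfig with two user entries:
#   - "tkg-user" delegates authentication to the Pinniped exec plugin
#     (argument names are illustrative assumptions, not a verified list)
#   - "legacy-admin" embeds a long-lived client certificate, which
#     authenticates without ever contacting the IDP
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "workload-1", "cluster": {"server": "https://10.0.0.1:6443"}},
    ],
    "contexts": [
        {"name": "tkg-user@workload-1",
         "context": {"cluster": "workload-1", "user": "tkg-user"}},
        {"name": "legacy-admin@workload-1",
         "context": {"cluster": "workload-1", "user": "legacy-admin"}},
    ],
    "current-context": "tkg-user@workload-1",
    "users": [
        {"name": "tkg-user", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "tanzu",
            "args": ["pinniped-auth", "login", "--enable-concierge",
                     "--issuer=https://pinniped.example.invalid"],
        }}},
        {"name": "legacy-admin", "user": {
            "client-certificate-data": "LS0tLS1CRUdJTi...(constructed)",
            "client-key-data": "LS0tLS1CRUdJTi...(constructed)",
        }},
    ],
})

# Keys in a kubeconfig user entry that carry a credential inline or on disk.
STATIC_CREDENTIAL_KEYS = (
    "token", "token-file",
    "client-certificate", "client-certificate-data",
    "client-key", "client-key-data",
    "username", "password",
    "auth-provider",
)


def classify_user(user_entry: dict) -> str:
    """Return how one kubeconfig user entry authenticates.

    "pinniped-exec"      - exec plugin whose invocation mentions pinniped
    "exec-other"         - some other exec credential plugin
    "static-credential"  - token / cert / password embedded or referenced
    "none"               - no credential material at all
    """
    creds = user_entry.get("user", {})
    exec_cfg = creds.get("exec")
    if exec_cfg:
        invocation = " ".join([exec_cfg.get("command", "")]
                              + list(exec_cfg.get("args", [])))
        return "pinniped-exec" if "pinniped" in invocation else "exec-other"
    if any(key in creds for key in STATIC_CREDENTIAL_KEYS):
        return "static-credential"
    return "none"


def audit_kubeconfig(text: str) -> dict:
    """Map each user name in a JSON kubeconfig to its classification."""
    config = json.loads(text)
    return {entry["name"]: classify_user(entry)
            for entry in config.get("users", [])}


def has_static_credentials(text: str) -> bool:
    """True if any user entry bypasses the IDP with a static credential."""
    return any(kind == "static-credential"
               for kind in audit_kubeconfig(text).values())


if __name__ == "__main__":
    for name, kind in audit_kubeconfig(SAMPLE_KUBECONFIG).items():
        print(f"{name}: {kind}")
    if has_static_credentials(SAMPLE_KUBECONFIG):
        print("warning: kubeconfig contains credentials that bypass Pinniped")
```

A kubeconfig that a cluster administrator distributes to end users should classify every entry as pinniped-exec; a static-credential hit means that file grants access that the IDP (and any deprovisioning done there) cannot revoke.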
In the image below, the blue arrows represent the authentication flow between the workload cluster, the management cluster and the external IDP. The green arrows represent Tanzu CLI and kubectl traffic between the workload cluster, the management cluster and the external IDP.
The image below shows the identity management components that are deployed in the management cluster and in Tanzu Kubernetes clusters.
Before you can deploy a management cluster with identity management enabled, you must have an identity provider. Tanzu Kubernetes Grid supports LDAPS and OIDC identity providers.
To use your company's internal LDAPS server as the identity provider, obtain LDAPS information from your LDAP administrator.
To use OIDC as the identity provider, you must have an account with an IDP that supports the OpenID Connect standard, for example Okta.
To use Okta as your OIDC provider, you must create an account with Okta and register an application for Tanzu Kubernetes Grid with your account.
Enter a placeholder Login redirect URI.
For example, enter http://localhost:8080/callback. You will update this with the real URL after you deploy the management cluster.
In the General tab for your application, copy and save the Client ID and Client secret.
You will need these credentials when you deploy the management cluster.
In the Assignments tab, assign people and groups to the application.
The people and groups that you assign to the application will be the users who can access the management cluster and the Tanzu Kubernetes clusters that you use it to deploy.
You can now deploy management clusters that implement identity management, to restrict access to clusters to authorized users.
If you implement identity management, there are post-deployment steps to perform after you deploy the management cluster; these are described in Configure Identity Management After Management Cluster Deployment.