OpenID Connect

Enable external identity-based authentication for your SKS cluster using OpenID Connect (OIDC).

Enable External Authentication via OpenID Connect

Kubernetes natively supports OpenID Connect as an authentication method. OIDC is an identity layer built on OAuth 2.0 and is offered by many identity providers, so enabling it adds external (and more granular) access control to your SKS cluster.

When creating an SKS cluster, you can specify the OpenID Connect parameters up front so that no further configuration is required to authenticate against the Kubernetes control plane.

Configuring OIDC in SKS via CLI

To configure OIDC when creating an SKS cluster, pass the following CLI flags:

      --oidc-client-id string                  OpenID client ID
      --oidc-groups-claim string               OpenID JWT claim to use as the user's group
      --oidc-groups-prefix string              OpenID prefix prepended to group claims
      --oidc-issuer-url string                 OpenID provider URL
      --oidc-required-claim string             a key=value pair that describes a required claim in the OpenID Token
      --oidc-username-claim string             OpenID JWT claim to use as the user name
      --oidc-username-prefix string            OpenID prefix prepended to username claims
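
The following is an added example, not Exoscale or Kubernetes code: it models how the API server turns the claims of an ID token into a Kubernetes username and group list under the `--oidc-username-claim`, `--oidc-username-prefix`, `--oidc-groups-claim`, `--oidc-groups-prefix` and `--oidc-required-claim` settings above, and why the prefixes matter. The token and its claim values are constructed for the demo and unsigned; a real API server also verifies the token signature, issuer and client ID before any of this mapping happens.

```python
import base64
import json
from typing import Optional

# Constructed sample claims (not from a real identity provider).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.invalid",
    "sub": "u-1234",
    "email": "alice@example.invalid",
    "groups": ["platform-admins", "system:masters"],
    "hd": "example.invalid",
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned compact JWT for the demo; a real IdP signs it."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying them (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_oidc_identity(claims: dict, *, username_claim: str, username_prefix: str,
                      groups_claim: str, groups_prefix: str,
                      required_claims: dict) -> Optional[dict]:
    """Apply the --oidc-* claim mapping; None means the token is rejected."""
    # Every --oidc-required-claim key=value must match exactly.
    for key, value in required_claims.items():
        if claims.get(key) != value:
            return None
    if username_claim not in claims:
        return None
    groups = claims.get(groups_claim, [])
    if isinstance(groups, str):  # a lone group may arrive as a bare string
        groups = [groups]
    # Prefixes keep IdP-supplied names from colliding with built-in
    # Kubernetes identities such as the system:masters group.
    return {"username": username_prefix + str(claims[username_claim]),
            "groups": [groups_prefix + g for g in groups]}


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    print(map_oidc_identity(decode_jwt_claims(token), username_claim="email",
                            username_prefix="oidc:", groups_claim="groups",
                            groups_prefix="oidc:",
                            required_claims={"hd": "example.invalid"}))
```

With the prefixes set, the IdP-supplied `system:masters` group becomes `oidc:system:masters`, which carries no built-in privileges; RBAC bindings for OIDC users must then reference the prefixed names.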

Neither Exoscale nor Kubernetes currently provides an OpenID Connect Identity Provider. You can use an existing public OpenID Connect Identity Provider or you can run your own Identity Provider, such as Dex or Keycloak.