Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise
- Section The OpenShift OAuth Server and Identity Providers
- Quiz: The OpenShift OAuth Server and Identity Providers
- LDAP Authentication and Group Synchronization
- Guided Exercise: LDAP Authentication and Group Synchronization
- Guided Exercise: Automate LDAP Group Synchronization
- OIDC Authentication and Group Claims
- Guided Exercise: OIDC Authentication and Group Claims
- Guided Exercise: Solve User Sync Conflicts
-
Token and Client Certificate Authentication with
kubeconfigFiles - Guided Exercise:
Token and Client Certificate Authentication with
kubeconfigFiles - Lab: Authentication and Identity Management
- Summary
Abstract
| Goal |
Configure OpenShift clusters to authenticate by using LDAP and OIDC enterprise identity systems and to recognize groups that those systems define. |
| Sections |
|
| Lab |
|
Define the concepts and custom resources of the OpenShift OAuth server, and explain how these resources augment Kubernetes authentication.
Authentication determines access to an OpenShift cluster, to ensure that only authenticated users can access the OpenShift cluster. To interact with an OpenShift cluster, users must authenticate to the Kubernetes API. After the user successfully authenticates to the cluster, the authorization layer either accepts or rejects the API request depending on the user's access permissions.
Authentication in Kubernetes verifies the signature validity for a token or a client certificate that the user provides. Kubernetes supports any authentication method, provided that the final result of the authentication method is a token or client certificate. Because Kubernetes cannot log in by any means by itself, you need extra tools to operationalize the external authentication methods. The core components for Kubernetes authentication are the API server and the authentication plug-ins. The API server is the central control plane component that is responsible for handling incoming requests. When a request reaches the API server, it forwards the request to the appropriate authentication plug-in. The authentication plug-in validates the provided credentials and determines whether the client is authenticated.
For example, Kubernetes considers to be authenticated any user that presents a valid certificate that is signed by a trusted certificate authority (CA).
Kubernetes reads the subject field from the certificate, and assigns the username and the groups with the common name (CN) and the organization (O) fields, respectively.
Kubernetes either accepts or rejects the API request for the user depending on the role-based access control (RBAC) rules that are configured for the username and the group.
Kubernetes rejects any request with an invalid access token or certificate by showing a 401 Unauthorized error.
If the request does not present an access token or certificate, then Kubernetes assigns to the request the system:anonymous system user and the system:unauthenticated system group.
After assigning the anonymous user to the request, Kubernetes uses RBAC policies to determine whether the anonymous user has appropriate access to perform the requested action.
System groups are explained later in this section.
OpenShift expands the Kubernetes authentication mechanisms to provide additional features and integrations with external systems. OpenShift includes its own built-in OAuth server, which is not present in Kubernetes. The OpenShift OAuth server handles user authentication, and it issues OAuth tokens that grant access to specific resources.
You can authenticate to OpenShift by using the following methods:
- X.509 client certificates
Use X.509 client certificates to authenticate to the API server. The API server validates the client certificate against a trusted certificate authority. This authentication method requires an HTTPS connection to the API server. OpenShift authentication through client certificates is the same as in Kubernetes. Client certificates are explained later in this course.
- OAuth access tokens
In OpenShift, the OpenShift control plane includes a built-in OAuth server that generates OAuth access tokens. OpenShift preconfigures Kubernetes to trust tokens that its own internal OAuth server issues. Thus, after you log in to the OpenShift OAuth server, Kubernetes authenticates the requests by trusting the tokens that the internal OAuth server issued.
OpenShift provides by default the authentication operator, which runs an internal OAuth server. The OAuth server issues OAuth access tokens to users for authenticating through the API. To configure authentication, the OpenShift OAuth server provides various identity providers (IdPs) that enable integration with identity management systems such as OpenID Connect and LDAP servers. Some provided IdPs support the custom OAuth workflows from internet services, such as GitHub. The OpenShift OAuth server works only with certain supported IdPs, and you cannot add other IdPs.
Note
A list of the supported IdPs is available at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#supported-identity-providers
The most common way to authenticate to the OpenShift cluster is to use the oc login command in the command-line interface (CLI).
The oc login command uses the OpenShift OAuth server to authenticate the user with an IdP.
Then, the OpenShift OAuth server generates an OAuth access token for the user to authenticate their API requests.
The following diagram summarizes the authentication flow when you use the oc login command:
| A user runs the |
| OpenShift sends the credentials from the |
| The internal OAuth server validates the credentials with an IdP. |
| The internal OAuth server creates an OAuth access token for the user. |
| OpenShift stores the OAuth access token in the |
You can verify the two endpoints that the oc login command uses, which are the API server and the OAuth server routes, by increasing the logging level:
[user@host ~]$oc login -u user -p password https://api.ocp4.example.com:6443 \ --loglevel 7I0929 ...] HEADhttps://api.ocp4.example.com:6443/I0929 ...] Request Headers: I0929 ...] Response Status: 403 Forbidden in 20 milliseconds I0929 ...] GSSAPI Enabled I0929 ...] GEThttps://api.ocp4.example.com:6443/.well-known/oauth-authorization-serverI0929 ...] Request Headers: I0929 ...] X-Csrf-Token: 1 I0929 ...] Response Status: 200 OK in 0 milliseconds I0929 ...] using system roots as no error was encountered I0929 ...] GEThttps://oauth-openshift.apps.ocp4.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=B8RP...aCtk&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.ocp4.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code...output omitted...
This authentication flow is similar when using the OpenShift web console instead of the CLI, except that the OpenShift web console stores the token in the browser memory instead of in a kubeconfig file.
The two endpoints for login, which are the API server and the OAuth server, are the reason why you must accept two server certificates the first time that you log in to the OpenShift web console.
After getting the OAuth access token, every time that the user invokes the OpenShift CLI, OpenShift uses the stored credentials in the kubeconfig file to authenticate the user to the Kubernetes API server.
The kubeconfig file details are explained later in this course.
The following diagram summarizes the flow when you use the OpenShift CLI after authenticating by using the oc login command:
| A user accesses the Kubernetes API by using the |
| OpenShift reads the credentials from the |
| OpenShift uses the credentials from the |
You can also retrieve OAuth user access tokens from the OpenShift OAuth server by using the <namespace_route>/oauth/authorize<namespace_route>/oauth/token
Note
Requesting an OAuth access token through the OpenShift REST API is out of the scope of this course. For more information about this topic, refer to https://access.redhat.com/solutions/6610781
For an IdP to validate the identity of the requester, you must configure and enable at least one IdP in the OAuth server. If a user requests a new OAuth access token, then the OAuth server uses the configured IdPs to establish the requester's identity. After the user successfully logs in to the cluster, the OAuth server creates the OAuth access token for the user, and OpenShift creates the identity and user resources.
In production clusters, it is typical to configure multiple IdPs in the internal OAuth server. The following example shows the parameters for the custom resource (CR) to configure two IdPs in the OAuth server. The example uses htpasswd and LDAP as the IdPs.
Note
Configuring the htpasswd IdP for OpenShift authentication is explained in detail in the DO280: Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster course.
apiVersion: config.openshift.io/v1 kind: OAuth metadata: name: cluster spec: identityProviders:- name:
htpasswd-idp-namemappingMethod:
claimtype: HTPasswd htpasswd: fileData: name:
htpasswd-secret- name:
ldap-idp-namemappingMethod:claimtype: LDAP ldap: ...output omitted...
| The |
| OpenShift prefixes the value of the identity claim with the provider name to form an identity name, and also uses the identity claim to build the redirect URL. |
| The |
| The OpenShift secret resource contains the users and passwords. |
Users, groups, and identities play a crucial role in managing access and permissions within the cluster.
Kubernetes does not have resources that represent user accounts, groups, or identities. Users and groups in Kubernetes are strings that Kubernetes reads from the client certificates or from the tokens.
For example, if you use a client certificate, then Kubernetes reads the common name (CN) and the organization (O) fields, and uses those strings for the username and the groups, respectively.
Then, Kubernetes uses the username and groups to allow or deny the API request by using the RBAC policies.
For service accounts, which Kubernetes uses mainly to grant permissions to pods and to other resources to interact with the Kubernetes API server, Kubernetes adds only the serviceaccount string to the service account certificate or token to match RBAC policies.
Service accounts are explained later in this course.
System groups or virtual groups are predefined groups that are built into the system to grant specific permissions and access rights to certain categories of users. Kubernetes creates these groups during the setup to control access to critical components and resources within the cluster. These groups are a part of cluster roles and cluster role bindings. Thus, system groups are part of the RBAC system in Kubernetes.
The following table shows some system groups in Kubernetes:
| System group | Definition |
|---|---|
system:authenticated
| All authenticated users in the cluster, regardless of their role or namespace |
system:authenticated:oauth
| All authenticated users with an OAuth access token in the cluster |
system:unauthenticated
| Unauthenticated users, meaning those users who did not yet pass any authentication process |
system:masters
| Users with administrative access to the cluster Members of this group have full control over all resources and actions within the cluster, including cluster-level operations and management. |
The Kubernetes API server adds the strings from system groups to the user and group strings from the client certificate or from the token, whenever they apply. Then, Kubernetes uses RBAC rules to approve or deny the request depending on the user and groups.
For example, if a user does not provide an access token or certificate, then Kubernetes assigns the system:unauthenticated group string to the request, and RBAC policies allow or deny the request depending on the RBAC rule configuration.
OpenShift includes the User resource, which defines regular users in the cluster.
Regular users typically represent human users who interact with the OpenShift cluster.
The OpenShift internal OAuth server automatically creates user resources when users first log in to the cluster through an IdP.
You can also manually add users to the cluster by using the Kubernetes API.
OpenShift includes the Group resource, which defines groups in the cluster.
Groups are logical collections of users with common access requirements.
OpenShift supports users as members of one or more groups, for flexible definition of access control policies.
Use groups to simplify the permissions in your cluster, to grant permissions to multiple users at the same time instead of individually.
The OpenShift internal OAuth server automatically creates group resources when users first log in to the cluster through an OpenID Connect (OIDC) IdP.
However, you must manually manage group resources in OpenShift for most of the supported IdPs, such as from LDAP.
OpenShift includes the Identity resource, which defines identities in the cluster.
The identity resource keeps a record of successful authentication attempts from a specific user and IdP.
Identities in OpenShift refer to the external identities of users.
OpenShift maps user identities from IdPs to user resources.
With identities, users can log in to OpenShift with their existing credentials from IdPs.
When a user first logs in to the cluster through an IdP, OpenShift creates a user resource and an identity resource, and maps them. OpenShift creates the user resource by using the preferred username from the IdP.
When different IdPs are configured in the OpenShift OAuth server, more than one IdP can provide the same username for a user, which causes collisions.
With the mappingMethod parameter in the OAuth server, you can control how OpenShift establishes mappings between the provider's identities and the user resource, and avoid those collisions.
You can use one of the following values:
claim: OpenShift provisions a user with the identity's preferred username. However, it fails if a user with that username is already mapped to another identity. This value is the default for themappingMethodparameter.add: OpenShift provisions a user with the identity's preferred username. If a user with that username exists in OpenShift, then it maps the identity to the existing user, and adds the new identity to any existing identity mappings for the user. Use this method when you configure multiple IdPs that identify the same set of users and map to the same usernames.lookup: OpenShift looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities. Thus, with this method you must manually provision users. With this method, cluster administrators can set up identities and users manually, or by using an external process.
OpenShift generates two authentication methods with administrative rights during the initial installation of the cluster: with the kubeadmin user, and with a client certificate for the system:admin user in a kubeconfig file.
Note
The kubeadmin user account is present only in self-managed OpenShift clusters.
Cloud services do not use the kubeadmin user.
Cloud services provide initial user credentials by using their cloud provider consoles and APIs in different ways.
The kubeadmin and system:admin users have the cluster-admin role, so OpenShift grants administrative access to these accounts by default.
Use the kubeadmin user account during the cluster setup and initialization phase only.
Red Hat recommends deleting the existing kubeadmin user after you create an administrator user with the cluster-admin role, to increase cluster security.
Thus, configure an IdP in the OAuth server and create an administrator user with the cluster-admin role before you remove the kubeadmin user.
Store the system:admin client certificate in a safe place so you can use it for recovery tasks.
The password for the kubeadmin user is available in the output that is generated when the OpenShift cluster finishes the installation, and in the corresponding log files.
This log file also provides the path for the generated kubeconfig file that contains the client certificate for the system:admin user.
The following example shows the OpenShift cluster output with the kubeadmin user details.
...output omitted... INFO Install complete! INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/lab/ocp4/auth/kubeconfig'iMcm5-eCy2Q-PH66E-NkyPN"
| Path for the generated |
| The |
Warning
Removing the kubeadmin user cannot be undone.
If you delete the kubeadmin user before creating another administrator user, then you lose administrator access to the OpenShift cluster and you must reinstall the cluster.
To remove the kubeadmin user from your cluster, log in as an administrator user and run the following command:
[user@host ~]$ oc delete secrets kubeadmin -n kube-systemReferences
For more information about authentication and authorization on OpenShift, refer to the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index
For more information about OAuth, refer to the OAuth specifications web page at https://oauth.net/specs/
For more information about removing the kubeadmin user, refer to the Removing the kubeadmin User in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#removing-kubeadmin
