Use an OAuth 2.0 Identity Provider

This document describes how to use an external identity provider based on the OAuth 2.0 protocol.

The following figure shows the authentication process between KubeSphere and an external OAuth 2.0 identity provider.

oauth2

Prerequisites

You need to deploy a Kubernetes cluster and install KubeSphere in the cluster. For details, see Installing on Linux and Installing on Kubernetes.

Develop an OAuth 2.0 Plugin

备注

KubeSphere provides two built-in OAuth 2.0 plugins: GitHubIdentityProvider for GitHub and AliyunIDaasProvider for Alibaba Cloud IDaaS. You can develop other plugins according to the built-in plugins.
  1. Clone the KubeSphere repository on your local machine, go to the local KubeSphere repository, and create a package for your plugin in the /pkg/apiserver/authentication/identityprovider/ directory.

  2. In the plugin package, implement the following interfaces:

    // /pkg/apiserver/authentication/identityprovider/oauth_provider.go
    type OAuthProvider interface {
     // Exchange identity with a remote server.
     IdentityExchange(code string) (Identity, error)
    }
       
    type OAuthProviderFactory interface {
     // Return the identity provider type.
     Type() string
     // Apply settings from kubesphere-config.
     Create(options oauth.DynamicOptions) (OAuthProvider, error)
    }
    
    // /pkg/apiserver/authentication/identityprovider/identity_provider.go
    type Identity interface {
      // (Mandatory) Return the identifier of the user at the identity provider.
     GetUserID() string
      // (Optional) Return the name of the user to be referred as on KubeSphere.
     GetUsername() string
      // (Optional) Return the email address of the user.
     GetEmail() string
    }
    
  3. Register the plugin in the init() function of the plugin package.

    // Custom plugin package
    func init() {
      // Change <StructName> to the actual name of the struct that
      // implements the OAuthProviderFactory interface.
     identityprovider.RegisterOAuthProvider(&<StructName>{})
    }
    
  4. Import the plugin package in /pkg/apiserver/authentication/options/authenticate_options.go.

    // Change <CustomPackage> to the actual name of your plugin package.
    import (
     ...
     _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/<CustomPackage>"
     ...
     )
    
  5. Build the image of ks-apiserver and deploy it in your cluster.

Integrate an Identity Provider with KubeSphere

  1. Log in to KubeSphere as admin, move the cursor to in the bottom-right corner, click Kubectl, and run the following command to edit the kubesphere-config ConfigMap:

    kubectl -n kubesphere-system edit cm kubesphere-config
    
  2. Configure fields other than oauthOptions:identityProviders in the data:kubesphere.yaml:authentication section. For details, see Set Up External Authentication.

  3. Configure fields in oauthOptions:identityProviders section according to the identity provider plugin you have developed.

    The following is a configuration example that uses GitHub as an external identity provider. For details, see the official GitHub documentation and the source code of the GitHubIdentityProvider plugin.

    apiVersion: v1
    data:
      kubesphere.yaml: |
        authentication:
          authenticateRateLimiterMaxTries: 10
          authenticateRateLimiterDuration: 10m0s
          jwtSecret: '******'
          oauthOptions:
            accessTokenMaxAge: 1h
            accessTokenInactivityTimeout: 30m
            identityProviders:
            - name: github
              type: GitHubIdentityProvider
              mappingMethod: auto
              provider:
                clientID: '******'
                clientSecret: '******'
                redirectURL: 'https://ks-console/oauth/redirect/github'    
    

    Similarly, you can also use Alibaba Cloud IDaaS as an external identity provider. For details, see the official Alibaba IDaaS documentation and the source code of the AliyunIDaasProvider plugin.

  4. After the kubesphere-config ConfigMap is modified, run the following command to restart ks-apiserver.

    kubectl -n kubesphere-system rollout restart deploy/ks-apiserver
    

    备注

    The KubeSphere web console is unavailable during the restart of ks-apiserver. Please wait until the restart is complete.
  5. Go to the KubeSphere login page, click Log In with XXX (for example, Log In with GitHub).

    github-login-page

  6. On the login page of the external identity provider, enter the username and password of a user configured at the identity provider to log in to KubeSphere.

    github-login-page


感谢您的反馈。如果您有关于如何使用 KubeSphere 的具体问题,请在 Slack 上提问。如果您想报告问题或提出改进建议,请在 GitHub 存储库中打开问题。