Configure the kubectl command line tool to work with OIDC.

  1. Update your context to the cluster.
    aws eks update-kubeconfig --name tech-partners --region us-west-2
  2. Configure the kubectl OIDC login by using the Issuer URL, Client ID, and Client Secret created in the PingOne EKS application.
    kubectl oidc-login setup --oidc-issuer-url=https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a \
    --oidc-client-id=7e29215f-b6c3-42f5-9153-85147e3de93a \
    --oidc-client-secret=nJ1GHnQzlmyhtOLMNNOOGokiYqPc7YaZ3p7clTbF3m9KuYkdHTxfPJV53P7KovVnO
  3. Bind a Cluster Role to a PingOne account.
    kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin \
    --user='https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a#emma.sharp@pingidentity.com'
  4. Set up the kubeconfig with the OIDC PingOne configuration.
    kubectl config set-credentials oidc \
    --exec-api-version=client.authentication.k8s.io/v1beta1 \
    --exec-command=kubectl \
    --exec-arg=oidc-login \
    --exec-arg=get-token \
    --exec-arg=--oidc-issuer-url=https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a \
    --exec-arg=--oidc-client-id=7e29215f-b6c3-42f5-9153-85147e3de93a \
    --exec-arg=--oidc-client-secret=nJ1GHnQzlmyhtOLMNNOOGokiYqPc7YaZ3p7clTbF3m9KuYkdHTxfPJV53P7KovVnO \
    --exec-arg -v1
    Note:

    The --exec-arg -v1 passes -v1 to the kubectl oidc-login plugin, which enables verbose logging and is useful for troubleshooting.

OIDC for EKS is configured, and PingOne users can authenticate to EKS by executing any kubectl command.
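Once the steps above are complete, a quick way to confirm the result is to audit the kubeconfig user and the cluster role binding together. The following Python script is an added example, not part of this documentation or of the kubelogin project: it parses the JSON that `kubectl config view --raw -o json` and `kubectl get clusterrolebinding oidc-cluster-admin -o json` would return (constructed sample documents with placeholder issuer ID, client ID and client secret are embedded inline so it runs offline), checks that the `oidc` user is wired to `kubectl oidc-login get-token` against the expected issuer as in step 4, notes that the client secret is embedded in the kubeconfig, and checks that the binding from step 3 names the `<issuer URL>#<username>` identity this page uses.

```python
"""Audit the OIDC exec-plugin user and its RBAC binding (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample of `kubectl config view --raw -o json` after step 4.
# Issuer ID, client ID and client secret are placeholders, not real values.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "users": [{
        "name": "oidc",
        "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "kubectl",
            "args": [
                "oidc-login", "get-token",
                "--oidc-issuer-url=https://sso.connect.pingidentity.com/ISSUER-ID-PLACEHOLDER",
                "--oidc-client-id=CLIENT-ID-PLACEHOLDER",
                "--oidc-client-secret=CLIENT-SECRET-PLACEHOLDER",
                "-v1",
            ],
        }},
    }],
})

# Constructed sample of `kubectl get clusterrolebinding oidc-cluster-admin -o json`.
SAMPLE_BINDING = json.dumps({
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "oidc-cluster-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{
        "kind": "User",
        "name": "https://sso.connect.pingidentity.com/ISSUER-ID-PLACEHOLDER#emma.sharp@pingidentity.com",
    }],
})

EXPECTED_ISSUER = "https://sso.connect.pingidentity.com/ISSUER-ID-PLACEHOLDER"


def exec_flags(args):
    """Turn kubelogin arguments of the form --flag=value into a dict."""
    flags = {}
    for arg in args:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            flags[key] = value
    return flags


def audit_kubeconfig(kubeconfig_json, user_name, expected_issuer):
    """Return a list of findings for the named kubeconfig user; empty means clean."""
    cfg = json.loads(kubeconfig_json)
    user = next((u for u in cfg.get("users", []) if u.get("name") == user_name), None)
    if user is None:
        return [f"user {user_name!r} not found in kubeconfig"]
    exe = user.get("user", {}).get("exec")
    if exe is None:
        return [f"user {user_name!r} has no exec credential plugin"]

    findings = []
    if exe.get("apiVersion") != "client.authentication.k8s.io/v1beta1":
        findings.append(f"unexpected exec apiVersion {exe.get('apiVersion')!r}")
    args = exe.get("args", [])
    if exe.get("command") != "kubectl" or args[:2] != ["oidc-login", "get-token"]:
        findings.append("exec plugin is not 'kubectl oidc-login get-token'")

    flags = exec_flags(args)
    issuer = flags.get("oidc-issuer-url", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        findings.append(f"issuer {issuer!r} does not match expected {expected_issuer!r}")
    elif urlparse(issuer).scheme != "https":
        findings.append("issuer URL is not https")
    if "oidc-client-secret" in flags:
        # Step 4 writes the secret into the kubeconfig, so the file itself
        # must be protected like a credential.
        findings.append("client secret is embedded in the kubeconfig; protect the file like a credential")
    return findings


def rbac_user_name(issuer_url, username):
    """Build the '<issuer>#<username>' identity that step 3 binds."""
    return f"{issuer_url.rstrip('/')}#{username}"


def binding_grants(binding_json, user_name, cluster_role):
    """True if the ClusterRoleBinding grants cluster_role to user_name."""
    binding = json.loads(binding_json)
    if binding.get("roleRef", {}).get("name") != cluster_role:
        return False
    return any(s.get("kind") == "User" and s.get("name") == user_name
               for s in binding.get("subjects", []))


if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG, "oidc", EXPECTED_ISSUER):
        print("finding:", finding)
    emma = rbac_user_name(EXPECTED_ISSUER, "emma.sharp@pingidentity.com")
    print("emma is cluster-admin:", binding_grants(SAMPLE_BINDING, emma, "cluster-admin"))
```

Run it against real output by replacing the two sample strings with the JSON from the two kubectl commands named above; a non-empty findings list or a `False` from `binding_grants` points at the step that needs to be redone.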