Configure the kubectl command line tool to work with OIDC.
-
Update your context to the cluster.
aws eks update-kubeconfig --name tech-partners --region us-west-2
-
Configure the kubectl OIDC login by using the Issuer URL, Client ID, and Client Secret created in the PingOne EKS application.
kubectl oidc-login setup --oidc-issuer-url=https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a --oidc-client-id=7e29215f-b6c3-42f5-9153-85147e3de93a --oidc-client-secret=nJ1GHnQzlmyhtOLMNNOOGokiYqPc7YaZ3p7clTbF3m9KuYkdHTxfPJV53P7KovVnO
-
Bind a Cluster Role to a PingOne account.
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a#emma.sharp@pingidentity.com'
-
Set up the kubeconfig with the OIDC PingOne configuration.
kubectl config set-credentials oidc \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a \
  --exec-arg=--oidc-client-id=7e29215f-b6c3-42f5-9153-85147e3de93a \
  --exec-arg=--oidc-client-secret=nJ1GHnQzlmyhtOLMNNOOGokiYqPc7YaZ3p7clTbF3m9KuYkdHTxfPJV53P7KovVnO \
  --exec-arg -v1
Note: The trailing --exec-arg -v1 passes -v1 to the kubectl oidc-login get-token command, which turns on verbose logging and is useful for troubleshooting.
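The ClusterRoleBinding above only grants access if its --user string is byte-for-byte the name the API server derives from the PingOne ID token (username prefix followed by the username claim). The following is an added, stand-alone example, not part of the PingOne documentation or kubelogin: it decodes a constructed, unsigned ID token carrying this page's issuer and account, derives that Kubernetes username, and checks it against the binding subject. It assumes the EKS identity provider config uses usernameClaim email and usernamePrefix issuer# (the only settings under which the binding on this page matches).

```python
import base64
import json

# Issuer, client ID and account taken from the procedure on this page.
ISSUER = "https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a"
CLIENT_ID = "7e29215f-b6c3-42f5-9153-85147e3de93a"
# Assumed EKS identity-provider settings; the binding on this page implies them.
USERNAME_CLAIM = "email"
USERNAME_PREFIX = ISSUER + "#"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT. The signature is deliberately not
    verified here: the API server does that; this only explains the name mapping."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def kubernetes_username(claims: dict) -> str:
    """Username the API server derives: usernamePrefix + value of usernameClaim."""
    if claims.get("iss") != ISSUER:
        raise ValueError(f"token issuer {claims.get('iss')!r} is not {ISSUER!r}")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token audience is not the PingOne EKS application")
    return USERNAME_PREFIX + claims[USERNAME_CLAIM]


def binding_matches(binding_user: str, claims: dict) -> bool:
    """True only on an exact match; a stray space or wrong claim means the
    cluster-admin binding silently grants nothing and kubectl reports Forbidden."""
    return binding_user == kubernetes_username(claims)


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used purely so this example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


# Constructed sample claims; "sub" is a placeholder, the rest are this page's values.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "constructed-subject-id",
    "email": "emma.sharp@pingidentity.com",
}
```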