Configuring kubectl for OIDC
About this task
Configure the kubectl command line tool to work with OIDC.
Steps
- Update your context to the cluster.
aws eks update-kubeconfig --name tech-partners --region us-west-2
- Configure the kubectl OIDC login by using the Issuer URL, Client ID, and Client Secret created in the PingOne EKS application.
kubectl oidc-login setup --oidc-issuer-url=https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a --oidc-client-id=7e29215f-b6c3-42f5-9153-85147e3de93a --oidc-client-secret=nJ1GHnQzlmyhtOLMNNOOGokiYqPc7YaZ3p7clTbF3m9KuYkdHTxfPJV53P7KovVnO
- Bind a Cluster Role to a PingOne account.
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a#emma.sharp@pingidentity.com'
- Set up the kubeconfig with the OIDC PingOne configuration.
kubectl config set-credentials oidc \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=https://sso.connect.pingidentity.com/7e29215f-b6c3-42f5-9153-85147e3de93a \
  --exec-arg=--oidc-client-id=7e29215f-b6c3-42f5-9153-85147e3de93a \
  --exec-arg=--oidc-client-secret=nJ1GHnQzlmyhtOLMNNOOGokiYqPc7YaZ3p7clTbF3m9KuYkdHTxfPJV53P7KovVnO \
  --exec-arg -v1
The trailing --exec-arg -v1 passes -v1 to the kubectl oidc-login plugin, enabling verbose logging, which is useful for troubleshooting.
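The last step above, automated as an added example that is not part of the Ping Identity documentation: a POSIX sh script that validates the issuer URL and renders the same exec-plugin user entry that kubectl config set-credentials writes, as a standalone kubeconfig fragment created with owner-only permissions because the entry embeds the client secret in plaintext. The function names and the ENV-ID, CLIENT-ID and CLIENT-SECRET placeholders are assumptions; substitute the values from your PingOne EKS application.

```shell
#!/bin/sh
# Added example (not from the Ping Identity docs or the kubelogin project).
# Renders the kubeconfig "users" entry equivalent to the
# `kubectl config set-credentials oidc --exec-...` command, after checking
# the OIDC inputs. All issuer/client values are placeholders (assumption).

# Reject issuer URLs that are not https:// or that contain whitespace.
# A stray space (as can appear when the command is copied from a wrapped
# page) makes the plugin's OIDC discovery request fail.
validate_issuer_url() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    https://*)     return 0 ;;
    *)             return 1 ;;
  esac
}

# Print the exec-plugin user entry for kubelogin as kubeconfig YAML.
# Arguments: ISSUER_URL CLIENT_ID CLIENT_SECRET
render_oidc_user_entry() {
  issuer=$1; client_id=$2; client_secret=$3
  validate_issuer_url "$issuer" || {
    echo "invalid OIDC issuer URL: '$issuer'" >&2
    return 1
  }
  cat <<EOF
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=$issuer
      - --oidc-client-id=$client_id
      - --oidc-client-secret=$client_secret
      - -v1
EOF
}

# Write the fragment to OUTFILE, readable only by its owner, since it
# contains the client secret. Arguments: OUTFILE ISSUER_URL CLIENT_ID CLIENT_SECRET
write_oidc_kubeconfig() {
  out=$1; shift
  # umask 077 in a subshell makes a newly created file 0600 from the start
  ( umask 077; render_oidc_user_entry "$@" > "$out" ) || { rm -f "$out"; return 1; }
  # if the file already existed, umask does not change its mode, so enforce it
  chmod 600 "$out"
}

# Usage: OIDC_CLIENT_SECRET=... sh oidc-kubeconfig.sh OUTFILE ISSUER_URL CLIENT_ID
# The secret is read from the environment rather than argv so it does not
# show up in process listings.
if [ $# -eq 3 ] && [ -n "${OIDC_CLIENT_SECRET:-}" ]; then
  write_oidc_kubeconfig "$1" "$2" "$3" "$OIDC_CLIENT_SECRET"
fi
```

The resulting file can be merged with the EKS context written by aws eks update-kubeconfig by listing both in the KUBECONFIG variable (colon-separated), so the cluster entry and the oidc user entry are visible to kubectl together.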
Result
OIDC for EKS is configured, and PingOne users can authenticate to EKS by executing any kubectl command.