Secure your OpenShift 4 cluster with OpenID Connect authentication

OpenShift, starting with version 4, is installed with a temporary administrator account, kubeadmin. When looking for a permanent solution, it might be tempting to go for the very classical “login and password” prompt, backed by an htpasswd file. But this is yet another password to remember!

OpenShift can handle the OpenID Connect protocol and thus offers Single Sign On to its users. No additional password to remember: you can login to the OpenShift console with your Google Account for instance.

Pre-requisites

The rest of this article assumes you have already set up your OpenID Connect client in the Google Developer Console as explained in this article: Use your Google Account as an OpenID Connect provider.

Then, create a secret in the openshift-config namespace containing the client secret generated by the Google Developer Console.

oc create secret generic google-client-secret --from-literal=clientSecret="<YOUR CLIENT_SECRET>" -n openshift-config

The rest of the procedure differs depending on whether you are a member of a Google Suite or a regular GMail user.

Configure Google Authentication in OpenShift 4 for Google Suite users

Create an OAuth object in the openshift-config namespace. Do not forget to add the Client ID generated by the Google Developer Console in the clientID field. You will also have to set the custom domain of your Google Suite in the hostedDomain field, which restricts logins to Google accounts belonging to that domain.

oc apply -f - <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
  namespace: openshift-config
spec:
  identityProviders:
  - name: Google
    mappingMethod: claim
    type: Google
    google:
      clientID: "<YOUR CLIENT_ID>.apps.googleusercontent.com"
      clientSecret:
        name: google-client-secret
      hostedDomain: "example.com"
EOF

If you have a Google Suite, there is nothing more to configure. You can login to the OpenShift Console with your Google account!

You can even work collaboratively since every user of your Google Suite can login and use your OpenShift cluster! If you do not want to share your OpenShift cluster, you can disable the self-provisioner role.

Configure Google Authentication in OpenShift 4 for regular GMail users

If you have only a regular Gmail account, the procedure is a bit different and slightly longer.

You will need to set the mappingMethod field to lookup and leave the hostedDomain field empty.

oc apply -f - <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: Google
    mappingMethod: lookup
    type: Google
    google:
      clientID: "<YOUR CLIENT_ID>.apps.googleusercontent.com"
      clientSecret:
        name: google-client-secret
      hostedDomain: ""
EOF

If you try to login on the OpenShift console with your GMail account, it will fail with the following message: “Could not find user”. This is expected since we have not yet created the matching user in OpenShift.

Create a user.

oc create user nicolas --full-name="Nicolas MASSE"

Then, retrieve your Google internal User ID from the OpenShift OAuth logs.

for pod in $(oc get pods -l app=oauth-openshift -o name -n openshift-authentication); do
  oc logs --tail=10 "$pod" -n openshift-authentication | grep useridentitymapping.user.openshift.io
done

You should get at least one line looking like this:

E0417 14:18:55.872542       1 errorpage.go:26] AuthenticationError: lookup of user for "Google:114331641802984310666" failed: useridentitymapping.user.openshift.io "Google:114331641802984310666" not found

The string behind “Google:” is your Google internal User ID. Make sure the line really corresponds to your own login attempt: with hostedDomain left empty, any Google account that tries to sign in produces a similar “not found” line, so check the timestamp against the moment you tried to login before mapping the ID.

Create an OpenShift identity object from this internal user ID.

oc create identity Google:114331641802984310666

Finally, create an identity mapping between this identity and the user you created earlier.

oc create useridentitymapping Google:114331641802984310666 nicolas
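The three manual steps above (read the ID out of the log line, create the identity, create the mapping) are easy to get wrong by hand. The following script is an added example, not part of the original article: it parses the log format shown above, accepts only a purely numeric ID so that nothing else from the log text ever reaches an oc command, and prints the two oc commands to run. The log line is constructed from the one shown in the article; the user name nicolas and the identity provider name Google are taken from the article.

```shell
#!/usr/bin/env sh
# Added example, not from the original article.
set -eu

# Constructed sample log line, modelled on the oauth-openshift line shown above.
SAMPLE_LOG='E0417 14:18:55.872542       1 errorpage.go:26] AuthenticationError: lookup of user for "Google:114331641802984310666" failed: useridentitymapping.user.openshift.io "Google:114331641802984310666" not found'

# extract_google_ids <identity-provider-name>
# Reads oauth-openshift log text on stdin and prints each distinct Google
# internal User ID that failed the useridentitymapping lookup, one per line.
# Only the digits between "<idp>:" and '" not found' are kept.
extract_google_ids() {
  idp="$1"
  grep -o "\"${idp}:[0-9]*\" not found" \
    | sed -E "s/^\"${idp}:([0-9]+)\" not found$/\1/" \
    | sort -u
}

# mapping_commands <identity-provider-name> <google-user-id> <openshift-user>
# Prints the identity and useridentitymapping commands from the article.
# The ID is re-validated here because log text is untrusted input.
mapping_commands() {
  idp="$1"; gid="$2"; user="$3"
  case "$gid" in
    ''|*[!0-9]*) echo "refusing non-numeric user id: $gid" >&2; return 1 ;;
  esac
  printf 'oc create identity %s:%s\n' "$idp" "$gid"
  printf 'oc create useridentitymapping %s:%s %s\n' "$idp" "$gid" "$user"
}

# Demo on the constructed line. For a live cluster, replace SAMPLE_LOG with
# the output of the "oc logs" loop from the article, piped into
# extract_google_ids, and review each ID before running the printed commands.
printf '%s\n' "$SAMPLE_LOG" | extract_google_ids Google | while read -r gid; do
  mapping_commands Google "$gid" nicolas
done
```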

And now you can login on your OpenShift 4 cluster with your GMail account!