Use an OAuth 2.0 Identity Provider
The following figure shows the authentication process between KubeSphere and an external OAuth 2.0 identity provider.
You need to deploy a Kubernetes cluster and install KubeSphere in the cluster. For details, see Installing on Linux and .
Note
KubeSphere provides two built-in OAuth 2.0 plugins: GitHubIdentityProvider for GitHub and AliyunIDaasProvider for Alibaba Cloud IDaaS. You can develop other plugins by following the structure of the built-in ones.
Clone the KubeSphere repository to your local machine, go to the local repository, and create a package for your plugin under the /pkg/apiserver/authentication/identityprovider/ directory. The plugin returns authenticated users through the following interface:
// /pkg/apiserver/authentication/identityprovider/identity_provider.go
type Identity interface {
    // (Mandatory) Return the identifier of the user at the identity provider.
    GetUserID() string
    // (Optional) Return the name the user is referred to by on KubeSphere.
    GetUsername() string
    // (Optional) Return the email address of the user.
    GetEmail() string
}
Register the plugin in the init() function of the plugin package, then import the plugin package in /pkg/apiserver/authentication/options/authenticate_options.go:
import (
    ...
    ...
)
and deploy it in your cluster.
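The following is an added example of what such a plugin looks like end to end; it is not KubeSphere's own code. It implements the Identity interface shown above for a hypothetical OAuth 2.0 provider, exchanges the authorization code that arrives at redirectURL for an access token, fetches the user profile, and refuses to return an identity without the mandatory user ID. The ExampleProvider type, its IdentityExchange method, the TokenURL and UserInfoURL fields, the /oauth/token and /user endpoints, the client "ks-client", the code "good-code" and the user "alice" are all assumptions made for the example; the fake identity provider is constructed in-process so the example runs offline. The registration call that the plugin's init() would make into the identityprovider package is not shown on this page and is therefore omitted here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Identity mirrors the interface shown above from identity_provider.go.
type Identity interface {
	GetUserID() string
	GetUsername() string
	GetEmail() string
}

// exampleIdentity is the profile document the hypothetical IdP returns; it satisfies Identity.
type exampleIdentity struct {
	ID    string `json:"id"`
	Login string `json:"login"`
	Email string `json:"email"`
}

func (i exampleIdentity) GetUserID() string   { return i.ID }
func (i exampleIdentity) GetUsername() string { return i.Login }
func (i exampleIdentity) GetEmail() string    { return i.Email }

// ExampleProvider is the plugin: ClientID, ClientSecret and RedirectURL are the provider: keys of
// kubesphere-config; TokenURL and UserInfoURL are assumed endpoints of the hypothetical IdP.
type ExampleProvider struct {
	ClientID, ClientSecret, RedirectURL, TokenURL, UserInfoURL string
	Client                                                      *http.Client
}

// decodeJSON finishes an IdP call: transport errors and non-200 replies fail, a 200 body is decoded into out.
func decodeJSON(resp *http.Response, err error, out interface{}) error {
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("identity provider returned HTTP %d", resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// IdentityExchange swaps the authorization code for an access token, then fetches the profile behind Identity.
func (p *ExampleProvider) IdentityExchange(code string) (Identity, error) {
	// The client secret travels in the POST body (RFC 6749 client_secret_post), never in the query string.
	resp, err := p.Client.PostForm(p.TokenURL, url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {p.RedirectURL}, "client_id": {p.ClientID}, "client_secret": {p.ClientSecret}})
	var tok struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
	}
	if derr := decodeJSON(resp, err, &tok); derr != nil {
		return nil, derr
	}
	if tok.AccessToken == "" || !strings.EqualFold(tok.TokenType, "bearer") {
		return nil, fmt.Errorf("token response lacks a bearer access_token")
	}
	req, err := http.NewRequest(http.MethodGet, p.UserInfoURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	resp, err = p.Client.Do(req)
	var id exampleIdentity
	if derr := decodeJSON(resp, err, &id); derr != nil {
		return nil, derr
	}
	if id.ID == "" { // GetUserID is mandatory: never log in a user the IdP did not identify
		return nil, fmt.Errorf("identity provider returned no user id")
	}
	return id, nil
}

// newFakeIdP is a constructed IdP for offline use: one registered client, one valid code, one token.
func newFakeIdP(clientID, clientSecret, redirectURL, validCode string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/oauth/token" && r.FormValue("client_id") == clientID && r.FormValue("client_secret") == clientSecret &&
			r.FormValue("code") == validCode && r.FormValue("redirect_uri") == redirectURL:
			fmt.Fprint(w, `{"access_token":"tok-123","token_type":"bearer"}`)
		case r.URL.Path == "/user" && r.Header.Get("Authorization") == "Bearer tok-123":
			fmt.Fprint(w, `{"id":"10042","login":"alice","email":"alice@example.com"}`)
		default:
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		}
	}))
}

// ExchangeWithFakeIdP configures the plugin the way the provider: block of kubesphere-config would and runs one login.
func ExchangeWithFakeIdP(code string) (Identity, error) {
	srv := newFakeIdP("ks-client", "ks-secret", "https://ks-console/oauth/redirect", "good-code")
	defer srv.Close()
	p := &ExampleProvider{ClientID: "ks-client", ClientSecret: "ks-secret", RedirectURL: "https://ks-console/oauth/redirect",
		TokenURL: srv.URL + "/oauth/token", UserInfoURL: srv.URL + "/user", Client: srv.Client()}
	return p.IdentityExchange(code)
}

func main() { fmt.Println(ExchangeWithFakeIdP("good-code")) }
```

A code the identity provider does not recognise (or a wrong client secret, or a redirect_uri that differs from the registered one) makes the token endpoint answer with a non-200 status, so IdentityExchange returns an error and no KubeSphere user is created or logged in; a provider that answers 200 but omits the user ID is rejected for the same reason.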
Log in to KubeSphere as admin, move the cursor to the icon in the bottom-right corner, click Kubectl, and edit the kubesphere-config ConfigMap with kubectl.
In the data:kubesphere.yaml:authentication section, configure the fields other than oauthOptions:identityProviders. For details, see Set Up External Authentication.
Configure the fields in the oauthOptions:identityProviders section according to the identity provider plugin you have developed. For the built-in GitHub plugin, the ConfigMap looks like this:
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubesphere-config
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      loginHistoryRetentionPeriod: 7d
      multipleLogin: true
      kubectlImage: kubesphere/kubectl:v1.0.0
      jwtSecret: '********'
      oauthOptions:
        accessTokenMaxAge: 1h
        accessTokenInactivityTimeout: 30m
        identityProviders:
        - name: GitHub
          type: GitHubIdentityProvider
          mappingMethod: auto
          provider:
            clientID: 'Iv1.547165ce1cf2f590'
            clientSecret: '********'
            redirectURL: 'https://ks-console/oauth/redirect'
The type value must match the name under which your plugin registers itself, and redirectURL must be exactly the callback URL registered with the identity provider, otherwise the provider rejects the authorization request. Note that clientSecret and jwtSecret are stored in clear text in this ConfigMap, so restrict read access to it.
Similarly, you can use Alibaba Cloud IDaaS as an external identity provider. For details, see the official Alibaba Cloud IDaaS documentation and the source code of the AliyunIDaasProvider plugin.
After the ConfigMap is modified, run the following command to restart ks-apiserver.
Note
The KubeSphere web console is unavailable during the restart of ks-apiserver. Please wait until the restart is complete.
Go to the KubeSphere login page and click Log In with XXX (for example, Log In with GitHub) to log in through the external identity provider.