
OpenShift Container Platform includes a built-in OAuth server that you can use as an authentication provider for Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Configuring OpenShift Container Platform OAuth server as an identity provider in Red Hat Advanced Cluster Security for Kubernetes

To integrate the built-in OpenShift Container Platform OAuth server as an identity provider for Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the instructions in this section.

Prerequisites
  • You must have the AuthProvider permission to configure identity providers in RHACS.

  • You must have already configured users and groups in OpenShift Container Platform OAuth server through an identity provider. For information on the identity provider requirements, see Understanding identity provider configuration.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Access Control.

  2. Open the Add an Auth Provider menu and select OpenShift Auth.

  3. Enter a name for the authentication provider in the Name field.

  4. Choose a Minimum access role for users accessing RHACS by using the selected identity provider.

    For security, Red Hat recommends setting the Minimum access role to None while you complete setup. Later, you can return to the Access Control page to set up more tailored access rules based on user metadata from your identity provider.

  5. To add access rules for users and groups accessing RHACS, use the Rules section. For example:

    1. To give the Admin role to a user called administrator, you can use the following key-value pairs to create access rules:

       Key     Value
       Name    administrator
       Role    Admin

    2. If you are using the HTPasswd Identity Provider with the username UserA that is part of the group GroupA, you can use the following key-value pairs to create access rules:

       Key     Value
       Name    UserA
       Group   GroupA
       UserID  <UUID>

  6. Click Save.

  • If you use a custom TLS certificate for the OpenShift Container Platform OAuth server, you must add the CA’s root certificate to Red Hat Advanced Cluster Security for Kubernetes as a trusted root CA. Otherwise, Central cannot connect to the OpenShift Container Platform OAuth server.

  • To enable the OpenShift Container Platform OAuth server integration when installing Red Hat Advanced Cluster Security for Kubernetes using the roxctl CLI, set the ROX_ENABLE_OPENSHIFT_AUTH environment variable to true in Central:

    $ oc -n stackrox set env deploy/central ROX_ENABLE_OPENSHIFT_AUTH=true

  • For access rules, use the key Name to reference the user name that the OpenShift Container Platform OAuth server returns.

  • The OpenShift Container Platform OAuth server does not return the key Email, so an access rule that uses the Email key does not match users from this provider.
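As an added example, not taken from the RHACS documentation or the product's own tooling, the following script wraps the command-line parts of the notes above: it enables the integration on Central, trusts a custom OAuth-server CA, and verifies that the environment variable is set. It assumes `oc` is logged in with rights in the namespace Central runs in (default `stackrox`), and it assumes RHACS reads extra trusted root CAs from a secret named `additional-ca` in that namespace; that secret name comes from the general RHACS CA-trust procedure, not from this page, so confirm it against your version's documentation.

```shell
#!/bin/sh
# Added example, not from the RHACS documentation: enable the OpenShift OAuth
# integration on Central, trust a custom OAuth-server CA, and verify the setting.
# Assumptions: `oc` is logged in with rights in the RHACS namespace, and RHACS
# reads extra trusted root CAs from a secret named `additional-ca` in that
# namespace (secret name taken from the general RHACS CA-trust procedure, not
# from this page).
set -eu

NS="${NS:-stackrox}"   # namespace Central runs in
OC="${OC:-oc}"         # set OC=echo to print the commands instead of running them

# Set ROX_ENABLE_OPENSHIFT_AUTH=true on Central and wait for the new pod to
# roll out, so the OpenShift Auth provider type becomes available in the portal.
enable_openshift_auth() {
  $OC set env -n "$NS" deploy/central ROX_ENABLE_OPENSHIFT_AUTH=true
  $OC rollout status -n "$NS" deploy/central --timeout=300s
}

# Trust the CA that signed the OAuth server's serving certificate; without it
# Central cannot connect to the OAuth server. This replaces any existing
# additional-ca secret: if you already carry other CAs in it, add this file to
# that secret instead of calling this function.
add_oauth_ca() {
  ca_file="$1"
  [ -f "$ca_file" ] || { echo "CA file not found: $ca_file" >&2; return 1; }
  $OC delete secret additional-ca -n "$NS" --ignore-not-found
  $OC create secret generic additional-ca -n "$NS" --from-file="oauth-ca.crt=$ca_file"
  # Central only reads the secret at startup, so restart it.
  $OC rollout restart -n "$NS" deploy/central
}

# Succeeds only if the variable is set to "true" on the Central container spec.
verify_openshift_auth() {
  val=$($OC get deploy/central -n "$NS" \
        -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="ROX_ENABLE_OPENSHIFT_AUTH")].value}')
  [ "$val" = "true" ]
}

# Usage: ./openshift-auth.sh enable | add-ca <ca.crt> | verify
case "${1:-}" in
  enable) enable_openshift_auth ;;
  add-ca) add_oauth_ca "${2:?path to CA certificate}" ;;
  verify)
    if verify_openshift_auth; then
      echo "ROX_ENABLE_OPENSHIFT_AUTH=true is set on deploy/central"
    else
      echo "ROX_ENABLE_OPENSHIFT_AUTH is not set to true on deploy/central" >&2
      exit 1
    fi ;;
esac
```

Run `verify` after `enable` and before you add the auth provider in the portal; if the OAuth server uses a custom serving certificate, run `add-ca` first and let Central restart, otherwise the provider test from the Access Control page fails at the TLS handshake. With `OC=echo` the script prints the `oc` invocations instead of executing them, which is a convenient dry run before touching a production Central.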