The OpenShift Container Platform master includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.
As an administrator, you can configure OAuth to specify an identity provider after you install your cluster.
By default, only a
kubeadmin user exists on your cluster. To specify an
identity provider, you must create a Custom Resource (CR) that describes
that identity provider and add it to the cluster.
OpenShift Container Platform user names containing
You can configure the following types of identity providers:
Once an identity provider has been defined, you can use RBAC to define and apply permissions.
After you define an identity provider and create a new
user, you can remove the
kubeadmin to improve cluster security.
If you follow this procedure before another user is a
You must have configured at least one identity provider.
You must have added the
cluster-admin role to a user.
You must be logged in as an administrator.
$ oc delete secrets kubeadmin -n kube-system
The following parameters are common to all identity providers:
The provider name is prefixed to provider user names to form an identity name.
Defines how new identities are mapped to users when they log in. Enter one of the following values:
When adding or changing identity providers, you can map identities from the new
provider to existing users by setting the
mappingMethod parameter to
The following Custom Resource (CR) shows the parameters and default values that you use to configure an identity provider. This example uses the HTPasswd identity provider.
- name: my_identity_provider (1)
mappingMethod: claim (2)
name: htpass-secret (3)
|This provider name is prefixed to provider user names to form an identity name.
|Controls how mappings are established between this provider’s identities and user objects.
|An existing secret containing a file generated using