Use an OAuth 2.0 Identity Provider

    The following figure shows the authentication process between KubeSphere and an external OAuth 2.0 identity provider.

    You need to deploy a Kubernetes cluster and install KubeSphere in the cluster. For details, see Installing on Linux and .

    Note

    KubeSphere provides two built-in OAuth 2.0 plugins: GitHubIdentityProvider for GitHub and for Alibaba Cloud IDaaS. You can develop other plugins using the built-in plugins as a reference.

    1. Clone the KubeSphere repository on your local machine, go to the local KubeSphere repository, and create a package for your plugin in the directory.

      // /pkg/apiserver/authentication/identityprovider/identity_provider.go
      package identityprovider

      type Identity interface {
          // (Mandatory) Return the identifier of the user at the identity provider.
          GetUserID() string
          // (Optional) Return the name of the user to be referred as on KubeSphere.
          GetUsername() string
          // (Optional) Return the email address of the user.
          GetEmail() string
      }
    2. Import the plugin package in /pkg/apiserver/authentication/options/authenticate_options.go.

      // Change <CustomPackage> to the actual name of your plugin package.
      ...
      _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/<CustomPackage>"
      ...
      )
    3. and deploy it in your cluster.
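    The following stand-alone Go program is an added example, not KubeSphere's own code, of what a plugin's Identity implementation from step 1 looks like. It reproduces the Identity interface so the file compiles alone (a real plugin imports it from the identityprovider package instead); the provider name "example", the exampleIdentity type, the parseUserInfo function and the id/login/email shape of the user-info JSON are assumptions for illustration. The point it demonstrates is the contract marked in the interface: GetUserID is mandatory and must come from the provider's stable identifier, so a response without one is rejected rather than patched over with a mutable attribute such as login or email, since KubeSphere keys the mapped user on that ID.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Identity is copied from the KubeSphere interface shown in step 1 so this file
// compiles on its own. A real plugin imports it from
// kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider instead.
type Identity interface {
	GetUserID() string   // (Mandatory) identifier of the user at the identity provider
	GetUsername() string // (Optional) name the user is referred to as on KubeSphere
	GetEmail() string    // (Optional) email address of the user
}

// exampleIdentity is a hypothetical Identity for an imaginary provider called "example".
type exampleIdentity struct {
	id       string
	username string
	email    string
}

func (e *exampleIdentity) GetUserID() string   { return e.id }
func (e *exampleIdentity) GetUsername() string { return e.username }
func (e *exampleIdentity) GetEmail() string    { return e.email }

// sampleUserInfo is a constructed user-info document, the kind of JSON a provider's
// user-info endpoint returns after the authorization code has been exchanged for a token.
// The field names id/login/email are an assumption of this example.
var sampleUserInfo = []byte(`{"id": 12345, "login": "Alice", "email": "Alice@Example.com", "plan": "free"}`)

// parseUserInfo converts a user-info document into an Identity and enforces the
// interface contract: the user ID is mandatory and is never substituted by a mutable
// attribute such as login or email, because KubeSphere keys the user on GetUserID().
func parseUserInfo(body []byte) (Identity, error) {
	var raw struct {
		ID    any    `json:"id"` // providers use numeric or string IDs; accept both
		Login string `json:"login"`
		Email string `json:"email"`
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber() // keep large numeric IDs exact instead of rounding through float64
	if err := dec.Decode(&raw); err != nil {
		return nil, fmt.Errorf("decode user info: %w", err)
	}

	var id string
	switch v := raw.ID.(type) {
	case string:
		id = strings.TrimSpace(v)
	case json.Number:
		id = v.String()
	case nil:
		// missing "id": rejected below
	default:
		return nil, fmt.Errorf("unsupported id type %T", v)
	}
	if id == "" {
		return nil, errors.New("identity provider returned no user ID (GetUserID is mandatory)")
	}

	// Kubernetes object names must be lowercase, so normalise the optional username and
	// derive a stable one from the ID when the provider gives none (an assumption of this
	// example, not KubeSphere's rule).
	username := strings.ToLower(strings.TrimSpace(raw.Login))
	if username == "" {
		username = "example-" + strings.ToLower(id)
	}

	return &exampleIdentity{
		id:       id,
		username: username,
		email:    strings.ToLower(strings.TrimSpace(raw.Email)),
	}, nil
}

func main() {
	idn, err := parseUserInfo(sampleUserInfo)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("userID=%s username=%s email=%s\n", idn.GetUserID(), idn.GetUsername(), idn.GetEmail())
}
```

    Running the program on the constructed sample prints the normalised identity; feeding it a document without an id field returns an error instead of an Identity, which is the behaviour a plugin should exhibit before KubeSphere ever tries to map the login to a user.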

    1. Log in to KubeSphere as admin, move the cursor to the icon in the lower-right corner (Figure 2), click kubectl, and run the following command to edit the ks-installer resource of the ClusterConfiguration CRD:

    2. Configure fields other than oauthOptions:identityProviders in the spec:authentication section. For details, see Set Up External Authentication.

    3. Configure the fields in the oauthOptions:identityProviders section according to the identity provider plugin you have developed.

      spec:
        authentication:
          authenticateRateLimiterDuration: 10m0s
          oauthOptions:
            accessTokenMaxAge: 1h
            accessTokenInactivityTimeout: 30m
            identityProviders:
              - name: github
                type: GitHubIdentityProvider
                mappingMethod: auto
                provider:
                  clientID: '******'
                  clientSecret: '******'

      Similarly, you can also use Alibaba Cloud IDaaS as an external identity provider. For details, see the official and the source code of the AliyunIDaasProvider plugin.

    4. After the fields are configured, save your changes, and wait until the restart of ks-installer is complete.

      Note

      The KubeSphere web console is unavailable during the restart of ks-installer. Please wait until the restart is complete.

    5. Go to the KubeSphere login page, click Log In with XXX (for example, Log In with GitHub).