User authentication

User authentication is provided out of the box, however, you do have to hand on a prepared Kubeconfig file to your users.

Prerequisites

Kubeconfig

Ensure you are authenticated with an administrator Kubeconfig file.

Pinniped

Pinniped is a Kubernetes authentication provider that allows you to authenticate to a cluster using OIDC.

Install Pinniped

Tip

We recommend using the same version as the Pinniped server version.

Retrieve it with:

$ kubectl get deployment -n k8saas-system pinniped-supervisor -o jsonpath='{.spec.template.spec.containers[0].image}'
[...]/pinniped:vX.X.X

Generate the Kubeconfig

Use the Pinniped CLI to generate the Kubeconfig file for your cluster:

$ pinniped get kubeconfig \
  --output ./kubeconfig-pinniped.yaml

Tip

If you’re working with a private PKI, you will want to include the CA bundle in the generated kubeconfig. Use the following command instead:

$ pinniped get kubeconfig \
  --oidc-ca-bundle <(kubectl get secret -n k8saas-system tls-keycloak -o jsonpath={.data.ca\\.crt} | base64 -d) \
  --output ./kubeconfig-pinniped.yaml

The ./kubeconfig-pinniped.yaml file will be created in your current directory. This file contains the necessary information for your users to authenticate to the cluster using OIDC. Hand them the file toghether with the pinniped server version, and instruct them to follow the Authenticate to the cluster guide.