Identity Providers

The OKD master includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.

As an administrator, you can configure OAuth to specify an identity provider after you install your cluster.

By default, only a kubeadmin user exists on your cluster. To specify an identity provider, you must create a custom resource (CR) that describes that identity provider and add it to the cluster.

You can configure the following types of identity providers:

| Identity provider | Description |
| --- | --- |
| HTPasswd | Configure the htpasswd identity provider to validate user names and passwords against a flat file generated using htpasswd. |
| Keystone | Configure the keystone identity provider to integrate your OKD cluster with Keystone to enable shared authentication with an OpenStack Keystone v3 server configured to store users in an internal database. |
| LDAP | Configure the ldap identity provider to validate user names and passwords against an LDAPv3 server, using simple bind authentication. |
| Basic authentication | Configure a basic-authentication identity provider for users to log in to the OKD cluster with credentials validated against a remote identity provider. Basic authentication is a generic backend integration mechanism. |
| Request header | Configure a request-header identity provider to identify users from request header values, such as X-Remote-User. It is typically used in combination with an authenticating proxy, which sets the request header value. |
| GitHub or GitHub Enterprise | Configure a github identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server. |
| GitLab | Configure a gitlab identity provider to use GitLab.com or any other GitLab instance as an identity provider. |
| Google | Configure a google identity provider using Google’s OpenID Connect integration. |
| OpenID Connect | Configure an oidc identity provider to integrate with an OpenID Connect identity provider using an Authorization Code Flow. |

The OAuth custom resource must be updated with your desired identity provider. You can define multiple identity providers, of the same or different kinds, on the same OAuth custom resource.
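
The following OAuth custom resource is an added example, not taken from the original page, showing two identity providers of different kinds defined on the same resource. The provider names, Secret names, client ID and issuer URL are hypothetical placeholders.

```yaml
# Added example: every name and URL below is a placeholder, not a value from this page.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster                   # the cluster-wide OAuth resource is always named "cluster"
spec:
  identityProviders:
  # Provider 1: flat-file user names and passwords.
  - name: local_htpasswd          # hypothetical; prefixed to the user name to form the identity name
    mappingMethod: claim          # login fails if the user name is already mapped to another provider's identity
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret       # hypothetical Secret in openshift-config; the file is stored under key "htpasswd"
  # Provider 2: OpenID Connect, Authorization Code Flow.
  - name: corp_oidc               # hypothetical
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: okd-console       # hypothetical client registered at the issuer
      clientSecret:
        name: oidc-client-secret  # hypothetical Secret in openshift-config; value stored under key "clientSecret"
      issuer: https://idp.example.com   # placeholder issuer URL; must be https
      claims:
        preferredUsername:
        - preferred_username
        email:
        - email
```

Credentials are referenced through Secrets in the openshift-config namespace rather than written into the resource, so the resource itself can be reviewed and stored in version control without exposing the htpasswd file or the OIDC client secret.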