OpenShift Container Platform (OCP) Strategy
OCPSTRAT-306

Support for bring your own external OIDC based Auth provider for direct API Server access [Standalone OCP NOT HCP]



      Feature Overview (aka. Goal Summary)  

      The ability in OpenShift to create trust and directly consume access tokens issued by external OIDC Authentication Providers using an authentication approach similar to upstream Kubernetes.

      BYO Identity will help facilitate CLI-only workflows and the capabilities of the Authentication Provider (such as Keycloak, Dex, Azure AD), similar to upstream Kubernetes.

      Goals (aka. expected user outcomes)

      The ability in OpenShift to provide a direct, pluggable authentication workflow such that the OpenShift/K8s API server can consume access tokens issued by external OIDC identity providers. Kubernetes provides this integration as described here. Customers/users can then configure their IdPs to support the OIDC protocols and flows they desire, such as the client credentials flow.

      The OpenShift OAuth server remains available as the default option, with the ability to plug in the external OIDC provider as a Day-2 configuration.

      Requirements (aka. Acceptance Criteria):

      1. The customer should be able to tie into RBAC functionality in the same way RBAC is closely aligned with OpenShift OAuth.
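      For reference, the upstream Kubernetes mechanism the goals and requirement 1 refer to is the kube-apiserver structured authentication configuration (passed with `--authentication-config`, `v1beta1` as of Kubernetes 1.30), with RBAC binding to the identities it maps. This is an added illustration, not configuration from this ticket or from OpenShift; the issuer URL, audience, claim names and group/binding names are assumed placeholders.

```yaml
# Added example: kube-apiserver AuthenticationConfiguration trusting an external OIDC issuer.
# Issuer URL, audience, claim names and group names are assumed placeholders, not ticket values.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    # Trust is anchored on the issuer: the API server fetches the discovery document
    # and JWKS from this URL and rejects tokens whose "iss" claim differs.
    url: https://keycloak.example.com/realms/ocp
    # Only tokens minted for this audience ("aud" claim) are accepted, so a token
    # issued to another application at the same IdP cannot be presented to the API.
    audiences:
    - openshift-api
  claimMappings:
    username:
      claim: preferred_username
      # The prefix keeps IdP-supplied names from colliding with built-in identities
      # such as system:admin or service accounts.
      prefix: "oidc:"
    groups:
      claim: groups
      prefix: "oidc:"
  claimValidationRules:
  # Reject tokens whose e-mail address the IdP has not verified (CEL over the claims).
  - expression: "has(claims.email_verified) && claims.email_verified == true"
    message: "email_verified claim must be present and true"
  userValidationRules:
  # Defence in depth: never accept a mapped username in the reserved system: namespace.
  - expression: "!user.username.startsWith('system:')"
    message: "usernames may not use the reserved 'system:' prefix"
---
# RBAC then keys off the mapped (prefixed) identities; this is how the
# "tie into RBAC functionality" requirement is met with no OAuth server in the path.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-admins-from-idp          # assumed name
subjects:
- kind: Group
  name: oidc:platform-admins              # "groups" claim value "platform-admins" after prefixing
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

      Audit logs record the prefixed username and groups, so a `user.username` of `oidc:alice` is immediately distinguishable from an identity issued by the built-in OAuth server.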

      Use Cases (Optional):

      1. As a customer, I would like to integrate my OIDC Identity Provider directly with the OpenShift API server.
      2. As a customer in a multi-cluster cloud environment, I have both K8s and non-K8s clusters using my IdP and hence I need seamless authentication directly to the OpenShift/K8s API using my Identity Provider.

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

       

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

       

      Background

      Provide any additional context that is needed to frame the feature.  Initial completion during Refinement status.

       

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

       

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

       

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

            Anjali Telang (atelang@redhat.com)
            David Eads
            Xingxing Xia
            Andrea Hoffer
            Eric Rich