Initiative
Resolution: Unresolved
Normal
Product / Portfolio Work
For all of the cases highlighted below, it is critical that we understand how OIDC tokens for the same user can be handled across different clusters:
- Our stated goal for ACM5 is to provide a cluster switcher/picker/redirector in OCP. This is highlighted in ACM-28258.
- In today's ACM UI, calls from the hub to a managed cluster go through cluster-proxy; this is covered in ACM-27173.
- Likewise, the kubernetes mcp server makes multicluster calls from one cluster to another through cluster-proxy.
As of now there are a few options, all of which have challenges and need work:
- Agentic-AI/MCP server best practice recommends a token exchange between the different clusters. This may complicate UI navigation.
- Conversely, if the same OIDC token is honored across different clusters, SSO in the UI becomes easiest. This may not be best from a security point of view, though: a token that every cluster accepts is a bearer credential for the whole fleet, so leaking it from one cluster (or compromising one cluster) exposes all of them.
- Orthogonally, how do we deal with customers that already have a mature OIDC practice spanning multiple clusters?
- Orthogonally, using impersonation for cluster-proxy is not recommended.
The goal here -
We need to understand the pros and cons of the different approaches and recommend a practical blueprint for customers on how to configure their OIDC based IdP across these clusters in a fleet.
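To make the trade-off between the first two options concrete, the following is an added illustration written for this ticket; it is not ACM, cluster-proxy, or kubernetes-mcp-server code. It models a per-cluster OIDC authenticator that checks signature, expiry and audience, and a hub-side token exchange in the shape of RFC 8693 (the target cluster becomes the audience, the original user stays the subject, and the hub is recorded in the `act` claim). The cluster names, audiences, issuer URL and the HS256 shared secret are constructed assumptions; a real cluster validates against the IdP's public key and its own configured issuer/audience.

```python
"""Model of "one token honored everywhere" vs. "exchange the token per cluster".
Added example for this ticket, not product code. Cluster names, audiences,
issuer and the HS256 secret below are constructed stand-ins."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"  # stands in for the IdP signing key (assumption)
ISSUER = "https://idp.example.test"   # constructed issuer URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Mint an HS256 JWT (stand-in for what the IdP would issue)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, expected_aud: str, now=None):
    """Mimic a cluster's OIDC authenticator: signature, exp, issuer and audience
    must all match the cluster's configuration. Returns the claims or None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_dec(sig), expected):
        return None
    claims = json.loads(b64url_dec(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return claims if expected_aud in auds else None


def exchange(subject_token: str, hub_aud: str, target_aud: str, now=None):
    """Hub-side stand-in for an RFC 8693 token exchange: validate the caller's
    hub token, then mint a short-lived token whose audience is the target
    cluster. 'sub' stays the user; 'act' records the hub as the acting party."""
    claims = verify(subject_token, hub_aud, now)
    if claims is None:
        return None
    now = time.time() if now is None else now
    return mint({"iss": claims["iss"], "sub": claims["sub"], "aud": target_aud,
                 "groups": claims.get("groups", []), "act": {"sub": hub_aud},
                 "iat": now, "exp": now + 300})


def demo(now=1_700_000_000):
    """Run the three checks that separate the two options."""
    hub_token = mint({"iss": ISSUER, "sub": "alice", "aud": "hub",
                      "groups": ["devs"], "iat": now, "exp": now + 3600})
    # Option "same token everywhere" only works if managed-1 accepts aud=hub.
    # With its own audience configured, it refuses the hub token outright...
    direct = verify(hub_token, "managed-1", now)
    # ...but accepts a token exchanged for it, still carrying the user identity.
    exchanged = exchange(hub_token, "hub", "managed-1", now)
    scoped = verify(exchanged, "managed-1", now)
    # ...and that exchanged token cannot be replayed against a third cluster.
    replay = verify(exchanged, "managed-2", now)
    return {"direct": direct, "scoped": scoped, "replay": replay}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for the blueprint: with distinct audiences per cluster, the hub (or cluster-proxy) must exchange tokens and the managed cluster can still see the real user and the acting hub; with one audience shared by the whole fleet, the exchange step disappears, but so does the per-cluster scoping, which is the security cost noted above.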
A few Related documents -
https://docs.google.com/document/d/1yiK1e1x0PBg9zG5anoCJ9aUJEAI_BSlS6P44xxwDTVM/edit?tab=t.0
Is depended on by: ACM-27173 Review and planning to understand how RHACM can work with External OIDC Direct Auth (In Progress)