Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1804

Enhancements to Bring Your Own External OIDC based Auth provider for direct API Server access [Standalone OCP]

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • 100% To Do, 0% In Progress, 0% Done
    • 1
    • 0
    • Program Call

      Feature Overview (aka. Goal Summary)  

      The ability in OpenShift to create trust and directly consume access tokens issued by external OIDC Authentication Providers using an authentication approach similar to upstream Kubernetes.

      BYO Identity will help facilitate CLI only workflows and capabilities of the Authentication Provider (such as Keycloak, Dex, Azure AD) similar to upstream Kubernetes. 

      This feature will add more capabilities such as Multiple IDP support as well as support for any fields in Structured Auth not already added in the BYO OAuth implementation in 4.18. 

      Goals (aka. expected user outcomes)

      All the abilities in BYO implementation mentioned earlier -> Ability in OpenShift to provide a direct, pluggable Authentication workflow such that the OpenShift/K8s API server can consume access tokens issued by external OIDC identity providers. Kubernetes provides this integration as described here. Customer/Users can then configure their IDPs to support the OIDC protocols and workflows they desire such as Client credential flow.

      OpenShift OAuth server is still available as default option, with the ability to tune in the external OIDC provider as a Day-2 configuration.

      + Multiple IDP support

      + Any Strucutured Auth enhancements needed that are not automatically added in the implementation __ 

      Requirements (aka. Acceptance Criteria):

      1. The customer should be able to tie into RBAC functionality, similar to how it is closely aligned with OpenShift OAuth 

      2.  

      Use Cases (Optional):

      1. As a customer, I would like to integrate my OIDC Identity Provider directly with the OpenShift API server.
      2. As a customer in multi-cluster cloud environment, I have both K8s and non-K8s clusters using my IDP and hence I need seamless authentication directly to the OpenShift/K8sAPI using my Identity Provider 
      3.  

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

       

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

       

      Background

      Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

       

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

       

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

       

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

              atelang@redhat.com Anjali Telang
              atelang@redhat.com Anjali Telang
              David Eads
              Ilias Rinis Ilias Rinis
              Xingxing Xia Xingxing Xia
              Andrea Hoffer Andrea Hoffer
              David Eads David Eads
              Anjali Telang Anjali Telang
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: