OpenShift Container Platform (OCP) Strategy / OCPSTRAT-2658

Layered Operators Validation with OpenShift Bring Your Own External Authentication


    • Outcome
    • Resolution: Unresolved
    • Critical
    • Product / Portfolio Work
    • 0% To Do, 0% In Progress, 100% Done

      Outcome Overview

      Bring Your Own (BYO) External Authentication will be GA in OCP 4.20. This feature allows customers to bring their own OIDC identity providers to authenticate directly with OpenShift APIs, enabling them to use their corporate identity systems as the source of truth for cluster access. BYO supports multiple identity providers, structured authentication configurations compatible with upstream Kubernetes, RBAC integration, and seamless switching between OpenShift OAuth and external identity flows.

      The purpose of this outcome is to ensure that all layered product operators on OpenShift work correctly when BYO External Authentication is enabled. Customers are expected to configure their identity providers according to standard OIDC protocols and workflows, including user/group mapping and authentication flows supported by Kubernetes.

      The outcome will be achieved through a phased validation approach, where layered product teams:

      • Test their operators under BYO authentication in controlled environments.
      • Identify gaps or required adjustments for full compatibility.
      • Create their own JIRAs to track any changes or enhancements necessary for GA readiness.

      This approach ensures that operators continue to function correctly when customers bring their own OIDC identity providers, RBAC behavior remains consistent, and enterprises can adopt BYO authentication confidently without disrupting existing operator-driven workflows. Ultimately, this supports enterprise identity governance, multi-cluster consistency, and smoother adoption of OCP 4.20’s authentication capabilities.

       

      Success Criteria

      What are the success criteria for this strategic outcome? Avoid listing Features or Initiatives and instead describe "what must be true" for the outcome to be considered delivered.

      • A phased validation approach is executed across all layered products, with clear progress tracked.
      • Layered product teams have identified operator-specific gaps or adjustments and created their own JIRAs to track remediation or enhancements.
      • Operators function correctly when BYO External Authentication is enabled, including correct RBAC behavior and identity mapping.
      • No operator requires the OpenShift OAuth server solely for compatibility.
      • Overall readiness for BYO External Authentication is confirmed at the outcome level.

       

      Expected Results (what, how, when)

      What incremental impact do you expect to create toward the company's Strategic Goals by delivering this outcome? (Possible examples: unblocking sales, shifts in product metrics, etc. Provide links to metrics that will be used post-completion for review and pivot decisions.) For each expected result, list what you will measure and when you will measure it (e.g., provide links to existing information or metrics that will be used post-completion for review, and specify when you will review the measurement, such as 60 days after the work is complete).


      Phased Approach

      1. Phase 1 – Works out of the box (OCP 4.21, In Progress)
        • Operators function correctly under BYO External Authentication without requiring any changes.
      2. Phase 2 – Requires adjustments (OCP 4.22, Planned)
        • Operators may require updates to handle:
          • RBAC mapping
          • Identity mapping for users/groups
          • Authentication-dependent workflows or integrations
      3. Phase 3 – Advanced integrations (OCP 4.23, Early stages)
        • Operators with deep integration into authentication flows, such as:
          • Exec plugins
          • Custom authentication flows

      Post Completion Review – Actual Results

      After completing the work (as determined by the "when" in Expected Results above), list the actual results observed / measured during Post Completion review(s).

      Responsibilities

      OpenShift Auth Team - Provide technical guidance and answer questions Layered Product teams may have

      Operator Program - Coordinate the initiative across all Layered Product teams and the OLM team

      Layered Product Teams - Test their operators with BYO External Auth, report their findings to the Operator Program for compilation, and make any changes necessary to allow their operators to work with BYO External Auth.

      Resources

      https://issues.redhat.com/browse/OCPSTRAT-1804 (GA tracker for BYO External Auth)

      https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/authentication_and_authorization/external-auth (Docs) 

      FAQs - https://docs.google.com/document/d/1bQP_gX2EeMhA52mkyCDbmiSan-gssXk1i3jcb3CReCY/edit?usp=sharing

      OLM Tracker (Draft)  - https://docs.google.com/spreadsheets/d/18YANslWtgDPpwYwhYs1EJlitEpKZpqYdtLSkr1iUOtM/edit?usp=sharing

       

              Anjali Telang (atelang@redhat.com)
              Ben Luddy, Bryce Palmer, Ilias Rinis, Kevin Rizza, Ramona Sidharta, Seth Jennings, Xingxing Xia