Gardener

Appearance

Settings ​

Packages:

settings.gardener.cloud/v1alpha1

Resource Types:

ClusterOpenIDConnectPreset

ClusterOpenIDConnectPreset is a OpenID Connect configuration that is applied to a Shoot objects cluster-wide.

Field Description
metadata
ObjectMeta 		Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ClusterOpenIDConnectPresetSpec

Spec is the specification of this OpenIDConnect preset.

ClusterOpenIDConnectPresetSpec

(Appears on:ClusterOpenIDConnectPreset)

ClusterOpenIDConnectPresetSpec contains the OpenIDConnect specification and project selector matching Shoots in Projects.

Field Description
server
KubeAPIServerOpenIDConnect

Server contains the kube-apiserver's OpenID Connect configuration.
This configuration is not overwriting any existing OpenID Connect
configuration already set on the Shoot object.
shootSelector
LabelSelector 		(Optional)

ShootSelector decides whether to apply the configuration if the
Shoot has matching labels.
Use the selector only if the OIDC Preset is opt-in, because end
users may skip the admission by setting the labels.
Default to the empty LabelSelector, which matches everything.
weight
integer

Weight associated with matching the corresponding preset,
in the range 1-100.
Required.
projectSelector
LabelSelector 		(Optional)

Project decides whether to apply the configuration if the
Shoot is in a specific Project matching the label selector.
Use the selector only if the OIDC Preset is opt-in, because end
users may skip the admission by setting the labels.
Defaults to the empty LabelSelector, which matches everything.

KubeAPIServerOpenIDConnect

(Appears on:ClusterOpenIDConnectPresetSpec, OpenIDConnectPresetSpec)

KubeAPIServerOpenIDConnect contains configuration settings for the OIDC provider. Note: Descriptions were taken from the Kubernetes documentation.

Field Description
caBundle
string 		(Optional)

If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
clientID
string

The client ID for the OpenID Connect client.
Required.
groupsClaim
string 		(Optional)

If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This field is experimental, please see the authentication documentation for further details.
groupsPrefix
string 		(Optional)

If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
issuerURL
string

The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
Required.
requiredClaims
object (keys:string, values:string) 		(Optional)

key=value pairs that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value.
signingAlgs
string array 		(Optional)

List of allowed JOSE asymmetric signing algorithms. JWTs with a 'alg' header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1
Defaults to [RS256]
usernameClaim
string 		(Optional)

The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not guaranteed to be unique and immutable. This field is experimental, please see the authentication documentation for further details.
Defaults to "sub".
usernamePrefix
string 		(Optional)

If provided, all usernames will be prefixed with this value. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'.

OpenIDConnectClientAuthentication

OpenIDConnectClientAuthentication contains configuration for OIDC clients.

Field Description
secret
string 		(Optional)

The client Secret for the OpenID Connect client.
extraConfig
object (keys:string, values:string) 		(Optional)

Extra configuration added to kubeconfig's auth-provider.
Must not be any of idp-issuer-url, client-id, client-secret, idp-certificate-authority, idp-certificate-authority-data, id-token or refresh-token

OpenIDConnectPreset

OpenIDConnectPreset is a OpenID Connect configuration that is applied to a Shoot in a namespace.

Field Description
metadata
ObjectMeta 		Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
OpenIDConnectPresetSpec

Spec is the specification of this OpenIDConnect preset.

OpenIDConnectPresetSpec

(Appears on:ClusterOpenIDConnectPresetSpec, OpenIDConnectPreset)

OpenIDConnectPresetSpec contains the Shoot selector for which a specific OpenID Connect configuration is applied.

Field Description
server
KubeAPIServerOpenIDConnect

Server contains the kube-apiserver's OpenID Connect configuration.
This configuration is not overwriting any existing OpenID Connect
configuration already set on the Shoot object.
shootSelector
LabelSelector 		(Optional)

ShootSelector decides whether to apply the configuration if the
Shoot has matching labels.
Use the selector only if the OIDC Preset is opt-in, because end
users may skip the admission by setting the labels.
Default to the empty LabelSelector, which matches everything.
weight
integer

Weight associated with matching the corresponding preset,
in the range 1-100.
Required.
EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

Settings | Gardener is a project of the Open Component Model Community. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.

Building this site is powered by
Terms of Use|Privacy Statement|Legal Disclosure