This article introduces a new feature for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes that simplifies authentication and authorization workflows through direct integration with your existing OpenID Connect (OIDC) compliant identity providers (IdPs). Now you can seamlessly leverage your corporate identity tokens to access the Red Hat OpenShift and Kubernetes APIs on ROSA with hosted control planes (HCP).
Benefits you'll experience:
- Simplified authentication: No separate ROSA credentials to issue, rotate, or protect. Users sign in with the corporate identity they already have, which removes one more set of secrets that could leak.
- Unified access control: Bring your existing user and group management policies into ROSA. Manage permissions consistently across your organization with a single, unified approach.
- Streamlined automation: Automate tasks across hybrid and multicloud environments. Your existing workflows can be reused to interact with ROSA thanks to a shared identity provider.
Behind the scenes details
This integration follows standard Kubernetes OIDC authentication configuration for a smooth, familiar experience. We've tested it with well-known IdPs like Microsoft Entra ID (formerly Azure Active Directory) and Red Hat build of Keycloak to ensure compatibility. Additionally, we leverage Cluster API (CAPI) for seamless provisioning and management of your clusters with this enhanced authentication model.
To better understand the flow, let’s examine the change through the eyes of Alice, Bob, and Carol, illustrated in Figure 1.
Meet Alice, the platform engineer
Alice is the platform engineer who oversees the setup and maintenance of all ROSA clusters. Before, every ROSA cluster meant another set of credentials to issue, rotate, and protect, which added both overhead and risk. With external OIDC, Alice can:
- Simplify her workflow: By connecting ROSA to the company's existing OIDC provider, Alice uses familiar tools and streamlines access management.
- Enhance security: Centralizing authentication and authorization in the IdP reduces the number of credential sets that can be compromised, and disabling an account in the IdP stops new tokens for every cluster at once. Tokens already issued remain valid until they expire, because the API server does not check them back against the IdP, so keep token lifetimes short.
What Alice needs to do:
- Register an OAuth client: Coordinate with the OIDC provider's administrators to register an OAuth client for the cluster that issues ID tokens carrying the user and group claims the cluster will map. More details can be found in Tutorials for Red Hat OpenShift Service on AWS 4.
Meet Bob, the cluster administrator
Bob is the cluster administrator tasked with managing permissions for different teams within the organization across multiple clusters. Previously, for each cluster Bob needed to administer, he had to replicate these permissions across the fleet of ROSA clusters he manages, which was both time-consuming and prone to errors. Now, Bob can:
- Save time: By integrating the company's existing Identity Provider (IdP), Bob streamlines permissions across all the ROSA clusters, ensuring consistency and reducing manual tasks.
- Empower teams: With this integration, teams utilize their existing credentials to access ROSA, eliminating the need for Bob to create and manage separate accounts.
What Bob needs to do:
- Create a ROSA cluster with external authentication enabled:
rosa create cluster --hosted-cp --region --external-auth-providers=enabled ...
- Configure the external authentication provider (the issuer URL, the audiences the cluster accepts, and the claims to use for username and groups):
rosa create external-auth-provider
- (Optional, but recommended) Set up break-glass credentials for emergency access. These are the fallback when the IdP is unreachable or misconfigured, so create them before you need them and keep them locked down:
rosa create break-glass-credentials
- Define the necessary RBAC roles and permissions for users and groups, using the usernames and group names as the cluster maps them from the token claims.
Meet Carol, the developer
As a developer, Carol's role involves accessing ROSA clusters to deploy and manage applications. Previously, juggling multiple logins was both frustrating and inefficient. Now, Carol can:
- Focus on development: Using a unified set of credentials, Carol efficiently navigates between different environments, enhancing her productivity.
- Easily access resources: The streamlined login process with external OIDC reduces the hassle of managing multiple passwords or tokens, allowing Carol to focus more on her development tasks.
What Carol needs to do:
- Authenticate with corporate credentials: Log in using her corporate credentials to obtain a token from the IdP.
- Use that token to access the OpenShift/Kubernetes APIs directly with oc or kubectl, either through the kubeconfig exec credential-plugin mechanism or the oc-oidc plugin.
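The following is an added example, not code from the original article, the rosa CLI, or OpenShift. It models both ends of the flow just described: the ExecCredential document that an oc/kubectl exec plugin hands to the client in Carol's step, and the claim checks plus username/group mapping that Bob's external authentication provider settings configure on the API server. Signature verification of the ID token against the issuer's JWKS is the real API server's job and is omitted here. The issuer URL, client ID, user, group, the "oidc:" group prefix, and the ProviderConfig field names are all assumptions made for this example.

```python
"""Added example, not code from the original article, the rosa CLI or OpenShift.
Client side: the ExecCredential an oc/kubectl exec plugin emits (Carol's step).
Server side: the OIDC claim checks and username/group mapping that the
external authentication provider settings configure (Bob's step). Signature
verification is omitted; every name, URL, client ID and token is constructed."""
import base64
import json
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def unsigned_jwt(claims: dict) -> str:
    """Test-only token with an empty signature; a real IdP signs with RS256."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

# Carol's side: what a kubeconfig exec plugin prints on stdout for oc/kubectl.
def exec_credential(id_token: str, now: Optional[float] = None) -> dict:
    """Build a client.authentication.k8s.io/v1 ExecCredential. expirationTimestamp
    is copied from the token's exp so the client re-runs the plugin instead of
    caching a stale token; an already expired token is refused, not emitted."""
    now = time.time() if now is None else now
    exp = jwt_claims(id_token).get("exp")
    if exp is None or now >= exp:
        raise RuntimeError("ID token missing exp or expired: log in to the IdP again")
    stamp = datetime.fromtimestamp(exp, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"apiVersion": "client.authentication.k8s.io/v1", "kind": "ExecCredential",
            "status": {"token": id_token, "expirationTimestamp": stamp}}

# Bob's side: the checks and mappings the provider settings configure.
@dataclass
class ProviderConfig:
    """Our own field names (assumed) for the settings Bob supplies to the cluster."""
    issuer_url: str
    audiences: Set[str]
    username_claim: str = "email"
    groups_claim: str = "groups"
    groups_prefix: str = "oidc:"  # assumed value; keeps IdP groups out of the system: namespace
    validation_rules: Dict[str, object] = field(default_factory=dict)

@dataclass
class UserInfo:
    username: str
    groups: List[str]

def authenticate(cfg: ProviderConfig, token: str, now: Optional[float] = None) -> UserInfo:
    """Map a signature-verified ID token to a Kubernetes identity, or raise PermissionError."""
    now = time.time() if now is None else now
    c = jwt_claims(token)
    if c.get("iss") != cfg.issuer_url:
        raise PermissionError("issuer mismatch")
    aud = c.get("aud")
    if not (set(aud) if isinstance(aud, list) else {aud}) & cfg.audiences:
        raise PermissionError("audience mismatch: token was minted for another client")
    if now >= c.get("exp", 0) or now < c.get("nbf", 0):
        raise PermissionError("token outside its validity window")
    for claim, wanted in cfg.validation_rules.items():
        if c.get(claim) != wanted:
            raise PermissionError(f"claim validation rule failed: {claim}")
    username = c.get(cfg.username_claim)
    if not isinstance(username, str) or not username:
        raise PermissionError(f"missing username claim {cfg.username_claim!r}")
    raw = c.get(cfg.groups_claim, [])
    groups = [raw] if isinstance(raw, str) else list(raw)
    return UserInfo(username, [cfg.groups_prefix + g for g in groups])

def rbac_subjects(info: UserInfo) -> List[dict]:
    """Subjects a RoleBinding must name to match this identity; note the group prefix."""
    return [{"kind": "User", "name": info.username}] + [
        {"kind": "Group", "name": g} for g in info.groups]

# Constructed sample data (fictitious issuer, client ID and user).
CORP = ProviderConfig(issuer_url="https://idp.example.com/realms/corp",
                      audiences={"rosa-hcp-client"},
                      validation_rules={"email_verified": True})
NOW = 1_700_000_000
CAROL_TOKEN = unsigned_jwt({"iss": CORP.issuer_url, "aud": "rosa-hcp-client", "sub": "u-42",
                            "email": "carol@example.com", "email_verified": True,
                            "groups": ["developers"], "iat": NOW, "exp": NOW + 3600})
# Same user and issuer, but the token was issued to a different application.
WRONG_AUD_TOKEN = unsigned_jwt({**jwt_claims(CAROL_TOKEN), "aud": "wiki-app"})
```

Two things worth taking from this. First, the audience check is what stops a token Carol obtained for some other corporate application from being replayed against the cluster, so the audiences Bob configures must be exactly the client IDs registered for ROSA. Second, whatever prefix the provider configuration applies to group claims becomes part of the Kubernetes group name, so a RoleBinding for Carol's team must reference the prefixed name (here `oidc:developers`), not the bare value from the IdP; the real prefix is whatever your provider settings define, not the "oidc:" assumed above. The token itself is a bearer credential: anyone holding it can act as Carol until it expires, which is why the exec plugin hands it to oc/kubectl per invocation instead of persisting it in the kubeconfig.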
Available to use now!
This feature is ready for use in your ROSA with hosted control planes clusters. Our documentation will guide you through the setup process. We encourage you to try it out and share your feedback with us. You can start here.
If you need further assistance, you can reach out to us through the following methods:
- OpenShift Commons Slack
- OpenShift users Kubernetes Slack channel
- Via your Red Hat account representative
We hope you enjoy using Red Hat OpenShift Service on AWS with hosted control planes and look forward to hearing your feedback.