$ oc -n stackrox set env deploy/central ROX_ENABLE_OPENSHIFT_AUTH=true
OpenShift Container Platform includes a built-in OAuth server that you can use as an authentication provider for Red Hat Advanced Cluster Security for Kubernetes (RHACS).
To integrate the built-in OpenShift Container Platform OAuth server as an identity provider for Red Hat Advanced Cluster Security for Kubernetes (RHACS) use the instructions in this section.
You must have the AuthProvider permission to configure identity providers in RHACS.
You must have already configured users and groups in OpenShift Container Platform OAuth server through an identity provider. For information about the identity provider requirements, see Understanding identity provider configuration.
The following procedure configures only a single main route named
On the RHACS portal, navigate to Platform Configuration → Access Control.
Open the Add an Auth Provider menu and select OpenShift Auth.
Enter a name for the authentication provider in the Name field.
Choose a Minimum access role for users accessing RHACS by using the selected identity provider.
For security, Red Hat recommends setting the Minimum access role to None while you complete setup. Later, you can return to the Access Control page to set up more tailored access rules based on user metadata from your identity provider.
To add access rules for users and groups accessing RHACS, use the Rules section. For example:
To give the Admin role to a user called administrator, you can use the following key-value pairs to create access rules:
Key    | Value
Name   | administrator
Role   | Admin
If you are using the HTPasswd Identity Provider with the username UserA that is part of the group GroupA, you can use the following key-value pairs to create access rules:
Key    | Value
Name   | UserA
Group  | GroupA
UserID | <UUID>
Click Save.
When you configure OpenShift Container Platform OAuth server as an identity provider by using Red Hat Advanced Cluster Security for Kubernetes portal, RHACS configures only a single route for the OAuth server. However, you can create additional routes by specifying them as annotations in the Central custom resource.
You must have configured Service accounts as OAuth clients for your OpenShift Container Platform OAuth server.
If you installed RHACS using the RHACS Operator:
Create a CENTRAL_ADDITIONAL_ROUTES environment variable that contains a patch for the Central custom resource:
$ CENTRAL_ADDITIONAL_ROUTES='
spec:
  central:
    exposure:
      loadBalancer:
        enabled: false
        port: 443
      nodePort:
        enabled: false
      route:
        enabled: true
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db
  customize:
    annotations:
      serviceaccounts.openshift.io/oauth-redirecturi.main: sso/providers/openshift/callback  # (1)
      serviceaccounts.openshift.io/oauth-redirectreference.main: "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"central\"}}"  # (2)
      serviceaccounts.openshift.io/oauth-redirecturi.second: sso/providers/openshift/callback  # (3)
      serviceaccounts.openshift.io/oauth-redirectreference.second: "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"second-central\"}}"  # (4)
'
(1) The redirect URI for setting the main route.
(2) The redirect URI reference for the main route.
(3) The redirect URI for setting the second route.
(4) The redirect URI reference for the second route.
Apply the CENTRAL_ADDITIONAL_ROUTES patch to the Central custom resource:
$ oc patch centrals.platform.stackrox.io \
    -n <namespace> \
    <custom-resource> \
    --patch "$CENTRAL_ADDITIONAL_ROUTES" \
    --type=merge
Replace <namespace> with the name of the project that contains the Central custom resource, and <custom-resource> with the name of the Central custom resource.
Or, if you installed RHACS using Helm:
Add the following annotations to your values-public.yaml file:
customize:
  central:
    annotations:
      serviceaccounts.openshift.io/oauth-redirecturi.main: sso/providers/openshift/callback  # (1)
      serviceaccounts.openshift.io/oauth-redirectreference.main: "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"central\"}}"  # (2)
      serviceaccounts.openshift.io/oauth-redirecturi.second: sso/providers/openshift/callback  # (3)
      serviceaccounts.openshift.io/oauth-redirectreference.second: "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"second-central\"}}"  # (4)
(1) The redirect URI for setting the main route.
(2) The redirect URI reference for the main route.
(3) The redirect URI for setting the second route.
(4) The redirect URI reference for the second route.
Apply the custom annotations to the Central custom resource by using helm upgrade:
$ helm upgrade -n stackrox \
    stackrox-central-services rhacs/central-services \
    -f <path_to_values_public.yaml>
Specify the path of the values-public.yaml configuration file using the -f option.
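A pre-apply check for the redirect annotations used by both the Operator patch and the Helm values above, written as an added example (not RHACS or OpenShift code): it pairs each oauth-redirecturi.<name> with its oauth-redirectreference.<name> and validates the JSON reference, so a missing or malformed half is caught before the OAuth login flow fails at the callback. The sample annotation dict is constructed from the values on this page.

```python
import json

CALLBACK_PATH = "sso/providers/openshift/callback"
URI_PREFIX = "serviceaccounts.openshift.io/oauth-redirecturi."
REF_PREFIX = "serviceaccounts.openshift.io/oauth-redirectreference."

def redirect_ref(route_name):
    """Build the JSON value of an oauth-redirectreference.<name> annotation."""
    return json.dumps({"kind": "OAuthRedirectReference", "apiVersion": "v1",
                       "reference": {"kind": "Route", "name": route_name}})

# Constructed sample: the annotations from the Central patch above, as the dict a
# YAML parser hands back for the customize.annotations block.
SAMPLE_ANNOTATIONS = {
    URI_PREFIX + "main": CALLBACK_PATH,
    REF_PREFIX + "main": redirect_ref("central"),
    URI_PREFIX + "second": CALLBACK_PATH,
    REF_PREFIX + "second": redirect_ref("second-central"),
}

def check_redirect_annotations(annotations):
    """Pair every oauth-redirecturi.<name> with its oauth-redirectreference.<name>.
    Returns (routes, problems): routes maps each suffix to the Route the callback
    resolves against; problems lists annotations that leave no usable redirect."""
    uris = {k[len(URI_PREFIX):]: v for k, v in annotations.items() if k.startswith(URI_PREFIX)}
    refs = {k[len(REF_PREFIX):]: v for k, v in annotations.items() if k.startswith(REF_PREFIX)}
    routes, problems = {}, []
    for name in sorted(set(uris) | set(refs)):
        if name not in uris:
            problems.append(f"{name}: redirectreference has no matching redirecturi")
            continue
        if name not in refs:
            problems.append(f"{name}: redirecturi has no matching redirectreference")
            continue
        if uris[name] != CALLBACK_PATH:
            problems.append(f"{name}: callback path {uris[name]!r} is not {CALLBACK_PATH!r}")
        try:
            ref = json.loads(refs[name])
        except json.JSONDecodeError as exc:
            problems.append(f"{name}: redirectreference is not valid JSON ({exc.msg})")
            continue
        target = ref.get("reference") or {}
        if ref.get("kind") != "OAuthRedirectReference" or ref.get("apiVersion") != "v1":
            problems.append(f"{name}: expected kind OAuthRedirectReference, apiVersion v1")
        elif target.get("kind") != "Route" or not target.get("name"):
            problems.append(f"{name}: reference must name a Route")
        else:
            routes[name] = target["name"]
    return routes, problems
```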