First Cloud, now Kubernetes – the integration of NWS-ID with our portfolio continues! As a next step, we will merge your Managed Kubernetes clusters with NWS-ID. Credit goes to Justin for extending our cluster stack with OpenID-Connect (OIDC), the base for NWS-ID!
How can you use your Kubernetes Cluster with NWS-ID?
All you need is kubelogin, a plugin for kubectl, and a customized kubeconfig, which can be downloaded in the NWS Customer Interface. But this applies to newly started clusters only. Older installations need some action from you! Let’s see what other scenarios there are!
If you have a cluster running Kubernetes v1.23 or greater, just enable NWS-ID in the Customer Interface. This restarts the kube-apiserver with some new parameters so that it authenticates your requests against NWS-ID using OpenID-Connect.
For clusters on v1.22 or older, you need to update your cluster to at least v1.23 and then enable NWS-ID in the Customer Interface. Once your cluster is ready for NWS-ID, you need to pimp your kubectl for OpenID-Connect.
kubectl and kubelogin
kubelogin is a plugin for kubectl that enables authentication via OIDC. It is easily installed with brew, krew, choco or GitHub Releases as described in the official documentation. After the installation, just download your kubeconfig for NWS-ID from the Customer Interface and start using kubectl as usual!
If you have multiple Managed Kubernetes clusters it is easy to switch the context with kubectl config use-context MyCluster.
Permissions and Roles
If you’re not an admin in your organization, an admin must authorize your NWS-ID. This happens as usual in the user group management in the Customer Interface. As an admin, you can grant two different roles to your colleagues: choose between admin and reader, which will be mapped to the corresponding Kubernetes cluster role.
If you need some more detailed help, just have a look at our docs for User and Groups and Permissions.
What are the advantages of integrating our Managed Kubernetes with NWS-ID?
Combining these two services makes your daily work easier, because now you can:
- use a single login for the NWS Customer Interface, the Cloud Interface and your Kubernetes clusters
- effortlessly switch between your Managed Kubernetes clusters with a single kubeconfig
- use two-factor authentication for your Kubernetes clusters
- authorise your colleagues to access your clusters in the NWS-ID group management
What happens to the existing certificate authentication?
The authentication with the X509 client certificate is still available for everybody with the appropriate permissions in your organization.
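With both login paths available, it helps to see which kubectl contexts go through kubelogin and which still use the X509 client certificate. The following is an added example, not code from NWS: it classifies the contexts in the JSON printed by `kubectl config view -o json`, and the sample kubeconfig, its user names, the issuer URL and the client ID are constructed placeholders.

```python
import json

# Constructed sample in the shape of `kubectl config view -o json`.
# Names, issuer URL and client ID are placeholders, not values from NWS.
SAMPLE_KUBECONFIG = json.loads("""
{
  "contexts": [
    {"name": "MyCluster",    "context": {"cluster": "MyCluster",    "user": "nws-id"}},
    {"name": "OtherCluster", "context": {"cluster": "OtherCluster", "user": "nws-id"}},
    {"name": "legacy-admin", "context": {"cluster": "MyCluster",    "user": "cert-admin"}}
  ],
  "users": [
    {"name": "nws-id", "user": {"exec": {
      "apiVersion": "client.authentication.k8s.io/v1beta1",
      "command": "kubectl",
      "args": ["oidc-login", "get-token",
               "--oidc-issuer-url=https://ISSUER.example/PLACEHOLDER",
               "--oidc-client-id=PLACEHOLDER"]}}},
    {"name": "cert-admin", "user": {
      "client-certificate-data": "DATA+OMITTED",
      "client-key-data": "DATA+OMITTED"}}
  ]
}
""")


def auth_method(user: dict) -> str:
    """Classify one kubeconfig user entry by how it authenticates."""
    exec_cfg = user.get("exec")
    if exec_cfg:
        argv = [exec_cfg.get("command", "")] + list(exec_cfg.get("args") or [])
        # kubelogin runs as `kubectl oidc-login ...` or directly as its binary
        binary = argv[0].rsplit("/", 1)[-1]
        is_kubelogin = "oidc-login" in argv or binary in ("kubelogin", "kubectl-oidc_login")
        return "oidc" if is_kubelogin else "exec-other"
    if "client-certificate-data" in user or "client-certificate" in user:
        return "x509"
    if "token" in user or "tokenFile" in user:
        return "token"
    return "unknown"


def contexts_by_auth(kubeconfig: dict) -> dict:
    """Map each context name to the auth method of the user it references."""
    users = {u["name"]: u.get("user") or {} for u in kubeconfig.get("users") or []}
    return {c["name"]: auth_method(users.get(c["context"]["user"], {}))
            for c in kubeconfig.get("contexts") or []}
```

To check your own configuration, pass the parsed output of `kubectl config view -o json` to `contexts_by_auth` instead of the sample.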
Thanks again to Justin for expanding our Kubernetes stack! If you have any questions along the way, please feel free to contact us – we’re always there to help answer any open questions.