
Re: Authentication with Client Certificates



It is possible, but you have to be very careful what you sign.  Client certificates operate directly against the API server and provide a User, not an Identity (see https://docs.openshift.org/latest/architecture/additional_concepts/other_api_objects.html#user-objects for the distinction between them).

If you take a look here: https://docs.openshift.org/latest/install_config/master_node_configuration.html, you can find the `servingInfo.clientCA` element.  That controls which CA is trusted to sign client certificates that are presented to the API server.  If you sign a cert containing `Organization`, that will be considered the effective groups for the User. You can add your client certificates to your ~/.kube/config file (equivalent of `oc login`) by running `oc config set-credentials`.

Jordan can probably tell you if they work for the console.

On Mon, Nov 16, 2015 at 6:20 AM, Fran Barrera <franbarrera6 gmail com> wrote:
Hello,

We need to configure OpenShift to allow authentication with client certificates. We are reading this doc (https://docs.openshift.org/latest/install_config/configuring_authentication.html) but we don't see anything.

If it is possible, what are the options that would work? CLI, Web Console, API?

Best Regards,
Fran.

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
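
The following is an added example, not part of the original thread or of OpenShift itself: a pre-signing gate that follows the reply's warning about being careful what you sign, by checking a CSR's Organization values (which become the User's groups) against an allowlist before the `servingInfo.clientCA` key signs it. The function names, file names, group names and 30-day validity are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Group names and file names are constructed.
# The certificate's CN becomes the User and each O becomes a group, so the
# subject is checked against an allowlist before the clientCA key signs it.

# Read a subject printed with `-nameopt multiline`; print each O value.
subject_orgs() { sed -n 's/^ *organizationName *= *//p'; }

# Same input; print each CN value.
subject_cn() { sed -n 's/^ *commonName *= *//p'; }

# check_subject "GROUP1 GROUP2 ..."   (subject text on stdin)
# Succeeds only with exactly one CN and every O present in the allowlist.
check_subject() {
    allowed=$(printf '%s\n' "$1" | tr ' ' '\n')
    subject=$(cat)
    cn_count=$(printf '%s\n' "$subject" | subject_cn | wc -l | tr -d ' ')
    if [ "$cn_count" -ne 1 ]; then
        echo "reject: expected exactly one CN, found $cn_count" >&2
        return 1
    fi
    printf '%s\n' "$subject" | subject_orgs | (
        while IFS= read -r org; do
            if [ -z "$org" ] || ! printf '%s\n' "$allowed" | grep -Fxq -- "$org"; then
                echo "reject: group '$org' is not in the allowlist" >&2
                exit 1
            fi
        done
    )
}

# sign_client_csr CSR CA_CERT CA_KEY OUT_CERT "ALLOWED GROUPS"
sign_client_csr() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        check_subject "$5" || return 1
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -sha256 -out "$4"
}

# Usage (constructed names):
#   openssl req -new -newkey rsa:2048 -nodes -keyout fran.key \
#       -subj "/O=dev-team/CN=fran" -out fran.csr
#   sign_client_csr fran.csr ca.crt ca.key fran.crt "dev-team qa"
#   oc config set-credentials fran --client-certificate=fran.crt --client-key=fran.key
```

A CSR with no Organization passes the gate and yields a User with no certificate-derived groups; tighten `check_subject` if every client certificate must carry a group.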


