Configure External Authentication
KubeSphere supports setting up external authentication. Platform administrators can configure identity providers through secrets.
After configuring an external identity provider, users can log in to the KubeSphere web console using their LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect username and password.
Steps
- Log in to the KubeSphere web console with a user who has the platform-admin role.
- Click Cluster Management and enter the host cluster.
- Click Configuration > Secrets in the left navigation pane.
- Click Create on the page.
- In the Create Secret dialog box, click the Edit YAML switch in the upper right corner to create the secret using YAML.
- Modify the YAML file according to the following examples and configuration instructions. After configuration is complete, click Create.
- Log out of the KubeSphere web console. On the login page, enter the username and password for the configured external authentication type (LDAP, CAS, GitHub, Alibaba Cloud IDaaS, or OpenID Connect) to log in.
| Note |
|---|
| In a multi-cluster environment, configuration is only required in the host cluster. |
OpenLDAP Example YAML

```yaml
apiVersion: v1
kind: Secret
metadata:
  namespace: kubesphere-system # Do not modify
  name: identity-provider-ldap # Ensure this Secret name is unique within the Kubernetes cluster
  labels:
    config.kubesphere.io/type: identityprovider # Do not modify
    config.kubesphere.io/identityprovider: openldap # Must match the `name` field in configuration.yaml
type: config.kubesphere.io/identityprovider # Do not modify
stringData:
  configuration.yaml: |
    name: openldap
    type: LDAPIdentityProvider
    mappingMethod: auto
    hidden: false
    disabled: false
    displayName: "Third-party login for LDAP"
    provider:
      host: "192.168.0.2:389"
      managerDN: uid=root,cn=users,dc=nas
      managerPassword: "********"
      userSearchBase: cn=users,dc=nas
      loginAttribute: uid
      mailAttribute: mail
      displayNameAttribute: displayName
```
Parameter Description
For the stringData:configuration.yaml parameters in the example above:
- name: Specifies the name of the external authentication. It must be unique; otherwise, creation will fail. Must match the value of config.kubesphere.io/identityprovider in the labels.
- type: Specifies the type of external authentication. The following types are supported:
  - LDAP: LDAPIdentityProvider
  - CAS: CASIdentityProvider
  - GitHub: GitHubIdentityProvider
  - Alibaba Cloud IDaaS: AliyunIDaaSProvider
  - OpenID Connect: OIDCIdentityProvider
- mappingMethod: Specifies how external identity users are associated with KubeSphere users.
  - auto: Automatically creates a KubeSphere user with the same name. Creation fails if a user with that name already exists on the platform.
  - manual: Creates a new user with an arbitrary name after login.
  - lookup: Automatically associates with an existing KubeSphere user with the same name. If no user with that name exists, the association fails.
- hidden: Whether to hide the frontend login option. Default is false.
- disabled: Whether to disable this login method. Default is false.
- displayName: The display name for the login option.
- provider: Identity provider information. The identity provider authenticates users and provides identity tokens to KubeSphere. Below are example provider parameters for different identity providers.
  - LDAPIdentityProvider

    ```yaml
    host: 192.168.0.2:389
    managerDN: uid=root,cn=users,dc=nas
    managerPassword: "********"
    userSearchBase: cn=users,dc=nas
    loginAttribute: uid
    mailAttribute: mail
    ```

    For more configuration information about LDAP, please refer to LDAP/LDAPS Authentication.
  - OIDCIdentityProvider

    ```yaml
    issuer: https://accounts.google.com
    clientID: "your-client-id"
    clientSecret: "your-client-secret"
    redirectURL: "https://your-app.com/oauth/callback"
    ```

    For more configuration information about OIDC, please refer to OIDC Authentication.
  - CASIdentityProvider

    ```yaml
    redirectURL: "https://your-app.com/cas/callback"
    casServerURL: "https://cas.example.com/cas"
    ```

    For more configuration information about CAS, please refer to CAS Authentication.
  - GitHubIdentityProvider

    ```yaml
    clientID: '******'
    clientSecret: '******'
    redirectURL: 'https://ks-console/oauth/redirect/github'
    ```

  - For the configuration method of the Alibaba Cloud IDaaS identity provider, please refer to the Alibaba Cloud IDaaS documentation.
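The Secret above is easy to get subtly wrong: the label value and the `name` field must agree, `type` and `mappingMethod` accept only the listed values, and the `********` credential placeholders must not survive into a real cluster. The following script is an added example written for this page, not KubeSphere's own code or API. It builds the identity-provider Secret from a plain Python mapping so the label is derived from `name` and cannot drift, and it runs the checks a reviewer would make before applying the manifest. The fixed namespace, labels, Secret type and `mappingMethod` values come from the documentation above; the list of required `provider` keys per type is an assumption taken from the provider snippets on this page, and the sample bind password is a constructed value.

```python
"""Build and sanity-check a KubeSphere identity-provider Secret (added example).

Not KubeSphere code. Fixed Secret fields and mappingMethod values follow the
page above; required provider keys per type are assumed from its snippets.
"""
import json

SECRET_NAMESPACE = "kubesphere-system"                  # fixed by KubeSphere
SECRET_TYPE = "config.kubesphere.io/identityprovider"   # fixed by KubeSphere
TYPE_LABEL = "config.kubesphere.io/type"
NAME_LABEL = "config.kubesphere.io/identityprovider"    # must equal cfg["name"]

# Assumed required provider keys, taken from the page's example snippets.
SUPPORTED_TYPES = {
    "LDAPIdentityProvider": ["host", "managerDN", "managerPassword",
                             "userSearchBase", "loginAttribute"],
    "OIDCIdentityProvider": ["issuer", "clientID", "clientSecret", "redirectURL"],
    "CASIdentityProvider": ["redirectURL", "casServerURL"],
    "GitHubIdentityProvider": ["clientID", "clientSecret", "redirectURL"],
    "AliyunIDaaSProvider": [],  # keys are not shown on the page; nothing to check
}
MAPPING_METHODS = {"auto", "manual", "lookup"}
CREDENTIAL_KEYS = {"managerPassword", "clientSecret"}


def validate_config(cfg: dict) -> list:
    """Return a list of problems with a configuration.yaml mapping; [] means OK."""
    problems = []
    if not cfg.get("name"):
        problems.append("name is required")
    ptype = cfg.get("type")
    if ptype not in SUPPORTED_TYPES:
        problems.append(f"unsupported type {ptype!r}")
    if cfg.get("mappingMethod", "auto") not in MAPPING_METHODS:
        problems.append(f"mappingMethod must be one of {sorted(MAPPING_METHODS)}")
    provider = cfg.get("provider") or {}
    for key in SUPPORTED_TYPES.get(ptype, []):
        if key not in provider:
            problems.append(f"provider.{key} is required for {ptype}")
    # Catch credentials copied straight from the docs ("********") or left empty.
    for key in CREDENTIAL_KEYS & set(provider):
        value = str(provider[key])
        if not value or set(value) <= {"*"}:
            problems.append(f"provider.{key} is empty or still a placeholder")
    return problems


def _scalar(value) -> str:
    """Render one YAML scalar; strings are JSON-quoted, which YAML accepts."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return json.dumps(str(value))


def to_yaml(mapping: dict, indent: int = 0) -> str:
    """Minimal emitter for nested mappings of scalars (all this Secret needs)."""
    lines = []
    for key, value in mapping.items():
        pad = " " * indent
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(to_yaml(value, indent + 2))
        else:
            lines.append(f"{pad}{key}: {_scalar(value)}")
    return "\n".join(lines)


def build_secret(cfg: dict, secret_name: str) -> str:
    """Return the Secret manifest; refuses configurations that fail validation."""
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    block = "\n".join("    " + line for line in to_yaml(cfg).splitlines())
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  namespace: {SECRET_NAMESPACE}\n"
        f"  name: {secret_name}\n"
        "  labels:\n"
        f"    {TYPE_LABEL}: identityprovider\n"
        f"    {NAME_LABEL}: {cfg['name']}\n"  # derived from cfg, so it cannot drift
        f"type: {SECRET_TYPE}\n"
        "stringData:\n"
        "  configuration.yaml: |\n"
        f"{block}\n"
    )


# Constructed sample: the page's OpenLDAP example with a made-up bind password.
LDAP_CONFIG = {
    "name": "openldap",
    "type": "LDAPIdentityProvider",
    "mappingMethod": "lookup",  # only link to accounts an admin already created
    "hidden": False,
    "disabled": False,
    "displayName": "Third-party login for LDAP",
    "provider": {
        "host": "192.168.0.2:389",
        "managerDN": "uid=root,cn=users,dc=nas",
        "managerPassword": "example-bind-password",  # constructed value
        "userSearchBase": "cn=users,dc=nas",
        "loginAttribute": "uid",
        "mailAttribute": "mail",
        "displayNameAttribute": "displayName",
    },
}

if __name__ == "__main__":
    print(build_secret(LDAP_CONFIG, "identity-provider-ldap"))
```

Running the script prints a manifest ready for `kubectl apply`; feeding it a configuration with `mappingMethod: automatic` or a `managerPassword` of `********` raises a `ValueError` instead of producing a Secret. The sample uses `lookup` rather than the page example's `auto`: by the definitions above, `lookup` only binds logins to KubeSphere users that already exist, so account creation stays with the platform administrator instead of happening on first login.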