KubeSphere supports external authentication via Central Authentication Service (CAS), allowing users to log in to the KubeSphere web console using their CAS username and password.

Platform administrators can configure CAS authentication through a secret.

Steps

  1. Log in to the KubeSphere web console with a user who has the platform-admin role.

  2. Click Cluster Management and enter the host cluster.

  3. Click Configuration > Secrets in the left navigation pane.

  4. Click Create on the page.

  5. In the Create Secret dialog, click the Edit YAML toggle in the upper right corner to create the secret using YAML.

  6. Modify the YAML file according to the following example and parameter descriptions. After configuration, click Create.

  7. Log out of the KubeSphere web console. On the login page, click Log in with CAS, and enter your CAS username and password to log in.

Note

In a multi-cluster environment, configuration is only required in the host cluster.

CAS Basic Configuration

apiVersion: v1
kind: Secret
metadata:
  namespace: kubesphere-system  # Do not modify
  name: identity-provider-cas  # Ensure this Secret name is unique within the Kubernetes cluster
  labels:
    config.kubesphere.io/type: identityprovider # Do not modify
    config.kubesphere.io/identityprovider: cas # Must match the `name` field in configuration.yaml
type: config.kubesphere.io/identityprovider # Do not modify

stringData:
  configuration.yaml: |
    name: cas
    type: CASIdentityProvider
    mappingMethod: auto
    hidden: false
    disabled: false
    displayName: "cas"
    provider:
      # Required
      redirectURL: "https://your-app.com/cas/callback"
      casServerURL: "https://cas.example.com/cas"

CAS Full Configuration

The following only shows the configuration for the provider section under stringData:configuration.yaml. Other parts should remain the same as the corresponding parts in CAS Basic Configuration.

    provider:
      # Required
      redirectURL: "https://your-app.com/cas/callback"
      casServerURL: "https://cas.example.com/cas"

      # Optional
      insecureSkipVerify: false
      displayNameAttribute: "displayName"

CAS Parameter Description

This section describes the parameters for the provider section under stringData:configuration.yaml. For descriptions of other parameters in the secret, please refer to Configure External Authentication.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| redirectURL | string | Yes | - | CAS client callback URL |
| casServerURL | string | Yes | - | Root URL of the CAS server |
| insecureSkipVerify | bool | No | false | Whether to skip TLS certificate verification |
| displayNameAttribute | string | No | - | Attribute name for the user’s display name |
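
A pre-apply check for the Secret described above, as an added example that is not part of KubeSphere or of the original page. The function names, the line-based scanner (used instead of a YAML parser so that only the standard library is needed) and the https-only rule are this example's own assumptions; the fixed values and the label/name rule come from the comments in CAS Basic Configuration.

```python
import re

LINE = re.compile(r"^(\s*)([\w./-]+):\s*(.*?)(?:\s+#.*)?\s*$")
FIXED = {"namespace": "kubesphere-system", "config.kubesphere.io/type": "identityprovider",
         "type": "config.kubesphere.io/identityprovider"}  # marked "Do not modify" on the page

def split_manifest(text):
    """Simplified "key: value" scanner, not a YAML parser; returns (secret, idp_config)."""
    outer, inner, block = {}, {}, None
    for m in filter(None, map(LINE.match, text.splitlines())):
        indent, key, value = len(m[1]), m[2], m[3].strip("\"'")
        inside = block is not None and indent > block  # still in the configuration.yaml block
        (inner if inside else outer)[key] = value
        if not inside:
            block = indent if key == "configuration.yaml" else None
    return outer, inner

def lint_cas_secret(text):
    """Hypothetical pre-apply check (added example); returns findings, empty when clean."""
    outer, inner = split_manifest(text)
    findings = [f"{k} must be {v}" for k, v in FIXED.items() if outer.get(k) != v]
    if outer.get("config.kubesphere.io/identityprovider") != inner.get("name"):
        findings.append("identityprovider label does not match name in configuration.yaml")
    findings += [f"{k} is missing or not an https:// URL" for k in ("redirectURL", "casServerURL")
                 if not inner.get(k, "").startswith("https://")]
    if inner.get("insecureSkipVerify", "false").lower() == "true":
        findings.append("insecureSkipVerify is true: CAS server certificate is not verified")
    return findings

# Constructed sample: the page's basic example with three deliberate mistakes.
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  namespace: kubesphere-system
  name: identity-provider-cas
  labels:
    config.kubesphere.io/type: identityprovider
    config.kubesphere.io/identityprovider: cas-prod
type: config.kubesphere.io/identityprovider
stringData:
  configuration.yaml: |
    name: cas
    type: CASIdentityProvider
    provider:
      redirectURL: "https://your-app.com/cas/callback"
      casServerURL: "http://cas.example.com/cas"
      insecureSkipVerify: true
"""
print(*lint_cas_secret(SAMPLE), sep="\n")
```

The sample produces three findings: the label mismatch, the plaintext casServerURL, and the disabled certificate verification.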