I'm using minikube for testing, and I would like to know if the username can be used instead of the sub provided by the OIDC provider.
minikube start --extra-config=apiserver.authorization-mode=RBAC,Node \
--extra-config=apiserver.oidc-issuer-url=$ISSUER_URL \
--extra-config=apiserver.oidc-client-id=$CLIENT_ID \
--extra-config=apiserver.oidc-username-claim=sub
Then I configure kubelogin:
kubectl oidc-login setup \
--oidc-issuer-url=$ISSUER_URL \
--oidc-client-id=$CLIENT_ID \
--oidc-client-secret=$CLIENT_SECRET
Then the application gives me the next steps:
## 2. Verify authentication
You got a token with the following claims:
{
"iss": REDACTED,
"sub": REDACTED_SUB,
"aud": REDACTED,
"iat": REDACTED,
"exp": REDACTED,
"nonce": REDACTED
}
## 3. Bind a cluster role
Run the following command:
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user=REDACTED_SUB
## 4. Set up the Kubernetes API server
Add the following options to the kube-apiserver:
--oidc-issuer-url=REDACTED
--oidc-client-id=REDACTED
## 5. Set up the kubeconfig
Run the following command:
kubectl config set-credentials oidc \
--exec-api-version=client.authentication.k8s.io/v1beta1 \
--exec-command=kubectl \
--exec-arg=oidc-login \
--exec-arg=get-token \
--exec-arg=--oidc-issuer-url=ISSUER_URL \
--exec-arg=--oidc-client-id=CLIENT_ID \
--exec-arg=--oidc-client-secret=CLIENT_SECRET
## 6. Verify cluster access
Make sure you can access the Kubernetes cluster.
kubectl --user=oidc get nodes
You can switch the default context to oidc.
kubectl config set-context --current --user=oidc
If I do step 3 with the username oidc instead of REDACTED_SUB, I get this error:
Error from server (Forbidden): nodes is forbidden: User REDACTED_SUB cannot list resource "nodes" in API group "" at the cluster scope
How can I use the username instead of REDACTED_SUB?
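As an added example (not code from the original post, from kubelogin or from minikube), the script below shows which User name kube-apiserver derives from an ID token for a given `--oidc-username-claim` / `--oidc-username-prefix` pair, and prints the matching `kubectl create clusterrolebinding` command. The name given to `kubectl config set-credentials` (`oidc` above) is only a kubeconfig entry name on the client side; the API server never sees it, which is why a binding to `--user=oidc` does not match. The issuer, client ID and token claims are constructed sample values, and the token is an unsigned `alg=none` JWT for offline use only (the real API server verifies the signature against the issuer's JWKS before deriving the username).

```python
"""Which username does kube-apiserver derive from an OIDC ID token?

Rules applied (from the kube-apiserver OIDC flags):
  * the username is the value of --oidc-username-claim (default "sub");
  * --oidc-username-prefix is prepended verbatim when given;
  * if no prefix is given and the claim is not "email", the prefix
    defaults to "<issuer-url>#"; the value "-" disables prefixing.
"""
import base64
import json
from typing import Optional

# Constructed sample data (not from the original post).
SAMPLE_ISSUER = "https://issuer.example.com"
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISSUER,
    "sub": "8f3c1e2a-sub-from-the-idp",
    "aud": "my-client-id",
    "email": "alice@example.com",
    "preferred_username": "alice",
    "iat": 1700000000,
    "exp": 1700003600,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none token for offline demonstration only (never accept these)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_claims(id_token: str) -> dict:
    """Return the payload of a JWT without verifying it (as kubelogin's setup prints it)."""
    return json.loads(b64url_decode(id_token.split(".")[1]))


def k8s_username(claims: dict, issuer_url: str, username_claim: str = "sub",
                 username_prefix: Optional[str] = None) -> str:
    """The User name RBAC will see for this token under the given apiserver flags."""
    if username_claim not in claims:
        raise ValueError(f"ID token has no {username_claim!r} claim")
    value = str(claims[username_claim])
    if username_prefix is None:
        # Default prefixing: issuer URL + '#' unless the claim is "email".
        username_prefix = "" if username_claim == "email" else issuer_url + "#"
    elif username_prefix == "-":
        username_prefix = ""
    return username_prefix + value


def clusterrolebinding_cmd(username: str, name: str = "oidc-cluster-admin") -> str:
    """The kubectl command that binds the derived username (single-quoted for the shell)."""
    return (f"kubectl create clusterrolebinding {name} "
            f"--clusterrole=cluster-admin --user='{username}'")


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_PAYLOAD)
    claims = decode_claims(token)
    for claim, prefix in [("sub", None), ("email", None), ("preferred_username", "oidc:")]:
        user = k8s_username(claims, SAMPLE_ISSUER, claim, prefix)
        print(f"--oidc-username-claim={claim} --oidc-username-prefix={prefix or '(unset)'}")
        print("  RBAC User:", user)
        print("  ", clusterrolebinding_cmd(user))
```

With `--oidc-username-claim=sub` and no prefix the bound user must be the full `https://issuer.example.com#<sub>` string; switching the flag to `email` or `preferred_username` lets you bind a human-readable name, and an explicit prefix such as `oidc:` keeps those names from colliding with built-in `system:` users.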
Set the subject name in your OIDC to "oidc" and it should work. Otherwise you are using a name that, when K8s asks your OIDC to authenticate, your OIDC doesn't recognize (the subject).