
Enabling OIDC authentication for Karmada API server #6144


Open
tw-mnewman opened this issue Feb 20, 2025 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@tw-mnewman
Contributor

What would you like to be added:

Hi folks, currently, when installing Karmada using karmadactl/kubectl karmada/Helm, there is no option to enable OpenID Connect (OIDC) based authentication for the Karmada API Server.

I've tested manually adding the --oidc-* arguments to the kube-apiserver command used for karmada-apiserver, and it seems to work fine.

I'd love to see support for setting these parameters through the formally supported installation options.

Why is this needed:

A lot of companies (including my current client) have configured their existing Kubernetes clusters to use OIDC for workforce user authentication. This would allow users to interact with the Karmada API Server using the same method, reducing the overhead of provisioning service accounts for teams.

@tw-mnewman tw-mnewman added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 20, 2025
@tw-mnewman tw-mnewman changed the title Enabling OIDC authenttication for Karmada API server Enabling OIDC authentication for Karmada API server Feb 20, 2025
@RainbowMango
Member

I think that generally looks good to me. Could you please elaborate on what args you are expecting? And would you like to work on it?

@tw-mnewman
Contributor Author

Thanks Hongcai!

The full list of OIDC flags (from kube-apiserver docs) is

--oidc-ca-file string
--oidc-client-id string
--oidc-groups-claim string
--oidc-groups-prefix string
--oidc-issuer-url string
--oidc-required-claim <comma-separated 'key=value' pairs>
--oidc-signing-algs strings     Default: "RS256"
--oidc-username-claim string     Default: "sub"
--oidc-username-prefix string

I believe the minimum used by most installs would be --oidc-client-id, --oidc-groups-claim and --oidc-issuer-url, but it'd likely be best to expose them all unless that causes a lot of complexity.

I'm happy to take a look into implementation.

It would be great if the aggregated API server supported this as well, though I guess that will be more complex, as it's not using the kube-apiserver binary.
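The flag list above is what the page gives; what a practitioner then wants is a safe way to put those flags on karmada-apiserver without opening the usual OIDC foot-guns (an http:// issuer, no username prefix, or an IdP-issued group that RBAC reads as `system:masters`). The script below is an added example, not Karmada project code and not the author's patch. It assumes karmada-apiserver runs as a Deployment named `karmada-apiserver` in namespace `karmada-system` whose first container runs `kube-apiserver` (check your install); the sample Deployment, the IdP URL, the claim names and the `oidc:` prefixes are constructed for the demo. The rules marked "policy" are this script's hardening choices, not kube-apiserver requirements; the https-only issuer and the allowed signing algorithms are kube-apiserver's own.

```python
"""Build and validate kube-apiserver --oidc-* flags for karmada-apiserver.

Added example (not Karmada's code). Emits an RFC 6902 JSON Patch that can be
fed to `kubectl patch --type=json` against the karmada-apiserver Deployment.
"""
import json
from urllib.parse import urlparse

# Algorithms kube-apiserver accepts for --oidc-signing-algs.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                "PS256", "PS384", "PS512"}


def _bad_prefix(prefix):
    # "-" tells kube-apiserver to apply no prefix at all; "system:" is the
    # namespace of built-in users and groups (e.g. system:masters).
    return not prefix or prefix == "-" or prefix.startswith("system:")


def build_oidc_args(cfg):
    """Translate cfg (keys = flag names without '--oidc-') into flags."""
    issuer = cfg.get("issuer-url", "")
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("--oidc-issuer-url must be https://; kube-apiserver only accepts HTTPS issuers")
    client_id = cfg.get("client-id")
    if not client_id:
        raise ValueError("--oidc-client-id is required (the 'aud' the apiserver will accept)")
    args = [f"--oidc-issuer-url={issuer}", f"--oidc-client-id={client_id}"]

    # policy: an explicit, non-reserved username prefix so an IdP 'sub' or
    # 'email' can never collide with an existing cluster user.
    username_prefix = cfg.get("username-prefix", "")
    if _bad_prefix(username_prefix):
        raise ValueError("--oidc-username-prefix must be set, not '-' and not start with 'system:'")
    args.append(f"--oidc-username-prefix={username_prefix}")
    args.append(f"--oidc-username-claim={cfg.get('username-claim', 'sub')}")

    groups_claim = cfg.get("groups-claim")
    if groups_claim:
        # policy: a groups prefix keeps an IdP-issued "system:masters" from
        # being honoured by RBAC as-is.
        groups_prefix = cfg.get("groups-prefix", "")
        if _bad_prefix(groups_prefix):
            raise ValueError("--oidc-groups-prefix must be set with --oidc-groups-claim, not '-' and not 'system:*'")
        args.append(f"--oidc-groups-claim={groups_claim}")
        args.append(f"--oidc-groups-prefix={groups_prefix}")

    algs = list(cfg.get("signing-algs", ["RS256"]))
    unsupported = sorted(set(algs) - ALLOWED_ALGS)
    if unsupported:
        raise ValueError(f"unsupported --oidc-signing-algs: {unsupported}")
    args.append("--oidc-signing-algs=" + ",".join(algs))

    # --oidc-required-claim is repeated once per key=value pair.
    for key, value in sorted(cfg.get("required-claims", {}).items()):
        args.append(f"--oidc-required-claim={key}={value}")

    ca_file = cfg.get("ca-file")
    if ca_file:
        # The path is read inside the apiserver container, so the CA must be
        # mounted there (e.g. from a Secret) for the flag to work.
        if not ca_file.startswith("/"):
            raise ValueError("--oidc-ca-file must be an absolute path mounted in the container")
        args.append(f"--oidc-ca-file={ca_file}")
    return args


def oidc_json_patch(deployment, oidc_args, container_index=0):
    """JSON Patch replacing any existing --oidc-* args with oidc_args."""
    container = deployment["spec"]["template"]["spec"]["containers"][container_index]
    kept = [a for a in container.get("args", []) if not a.startswith("--oidc-")]
    return [{
        "op": "replace" if "args" in container else "add",
        "path": f"/spec/template/spec/containers/{container_index}/args",
        "value": kept + oidc_args,
    }]


# Constructed, trimmed karmada-apiserver Deployment for the demo (assumption:
# the real one is in karmada-system and runs the kube-apiserver image).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "karmada-apiserver", "namespace": "karmada-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "karmada-apiserver",
        "image": "registry.k8s.io/kube-apiserver:v1.31.0",
        "command": ["kube-apiserver"],
        "args": ["--authorization-mode=Node,RBAC",
                 "--oidc-issuer-url=http://old-idp.example.internal",  # stale flag, gets replaced
                 "--secure-port=5443"],
    }]}}},
}

# Constructed IdP settings; names and URL are assumptions for the demo.
EXAMPLE_CFG = {
    "issuer-url": "https://idp.example.com/realms/platform",
    "client-id": "karmada",
    "username-claim": "email",
    "username-prefix": "oidc:",
    "groups-claim": "groups",
    "groups-prefix": "oidc:",
    "signing-algs": ["RS256"],
    "required-claims": {"hd": "example.com"},
    "ca-file": "/etc/karmada/pki/idp-ca.crt",
}

if __name__ == "__main__":
    # kubectl -n karmada-system patch deployment karmada-apiserver --type=json -p "$(python3 oidc_flags.py)"
    print(json.dumps(oidc_json_patch(SAMPLE_DEPLOYMENT, build_oidc_args(EXAMPLE_CFG))))
```

Two caveats worth keeping in mind when wiring this into an installer: without `--oidc-username-prefix`, kube-apiserver defaults the prefix to the issuer URL followed by `#` unless the username claim is `email`, which then gets no prefix at all, so an explicit prefix is the predictable choice; and `--oidc-ca-file` is only useful if the installer also mounts the IdP CA into the karmada-apiserver Pod, which is a separate change from adding the flag.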

tw-mnewman added a commit to tw-mnewman/karmada that referenced this issue Feb 21, 2025
@RainbowMango
Member

> I believe the minimum used by most installs would be --oidc-client-id, --oidc-groups-claim and --oidc-issuer-url, but it'd likely be best to expose them all unless that causes a lot of complexity.

Sounds great!

tw-mnewman added a commit to tw-mnewman/karmada that referenced this issue Feb 24, 2025
tw-mnewman added a commit to tw-mnewman/karmada that referenced this issue Feb 24, 2025
tw-mnewman added a commit to tw-mnewman/karmada that referenced this issue Feb 24, 2025
@RainbowMango
Member

@tw-mnewman Is there anything that needs to be done with this issue?

@tw-mnewman
Contributor Author

@RainbowMango 👋 Since #6159, it's possible to enable OIDC when installing via Helm, but I don't think it's exposed in the other installation methods (e.g. karmadactl or the operator).

@RainbowMango
Member

Yeah, you are right. Thanks for the reminder. So, would you like to help?

2 participants