docs: add warning about API server OIDC configuration#4641
zyzzmohit wants to merge 1 commit into kubernetes-sigs:main from
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: zyzzmohit
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Pull request overview
Updates the in-cluster OIDC installation docs to clearly state that Headlamp OIDC login requires the Kubernetes API server to be configured to validate OIDC tokens, addressing a common setup gap reported in #4618.
Changes:
- Added an “Important” warning callout near the top of the OIDC in-cluster installation doc, with a link to the official Kubernetes OIDC token documentation.
- Removed an extra blank line in the Entra ID quick reference section.
Maybe what you have is ok and fine enough. But I'm a bit unclear about the conditions that bring people here. Maybe you can help me understand? How will people find this? What happens if it's not? Maybe we can add the error behavior here for folks to search for it. I'm also wondering if those docs are adequate for folks configuring a cloud k8s instance? Or is this not something they will encounter? Not like below (the details are probably wrong), but I think add the error condition they encounter to what you have, and a note that how to do this on a cloud provider is cloud-provider specific (if it's relevant at all to them?).
Or maybe what you have already is better, and these two things are not needed.
@mlbiam is this PR enough for the issue you reported?
I wonder if we can add an error message into headlamp when people encounter this, something like: "Have you configured your api server? If not see: xxx"
Thanks for the feedback @illume and @mlbiam! Great suggestions. I agree the warning can be more actionable. I'll update it to include:
- The specific API server flags (--oidc-issuer-url, --oidc-client-id, etc.)
Regarding the in-app error message idea: I think that's a great enhancement and worth tracking separately. I can open a follow-up issue for detecting when OIDC token validation fails at the API server level and surfacing a helpful message like "Your cluster's API server may not be configured to accept OIDC tokens. See: [link]". Would that work, or would you prefer it as part of this PR? I'll push the docs update shortly!
8805de3 to dd68c23
Updated the OIDC documentation warning to include:
- Specific API server flags (--oidc-issuer-url, --oidc-client-id)
- Error behavior users will encounter (401/403 errors)
- Requirement for issuer and audience to match
- Note about cloud provider-specific configuration
- Link to API server OIDC configuration docs

Related: 4618
dd68c23 to 891c0cf
I've updated the warning to be much more actionable. It now includes:
- That Headlamp calls Kubernetes APIs on the user's behalf, so the API server must validate the token
Please take a look at the updated changes and let me know if anything else needs tweaking :)
Summary
This PR updates the OIDC installation documentation to explicitly state that the Kubernetes API server must be configured to accept OIDC tokens. This addresses confusion where users configure Headlamp for OIDC but forget the underlying cluster configuration.
Related Issue
Fixes #4618
Changes
- docs/installation/in-cluster/oidc.md: linking to the official Kubernetes OIDC documentation.
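Worked example, added here and not part of this PR, of Headlamp, or of kube-apiserver: a small Python diagnostic that mirrors the two claim checks kube-apiserver applies to an OIDC bearer token once `--oidc-issuer-url` and `--oidc-client-id` are set (the token's `iss` must equal the issuer URL exactly, and the client ID must appear in `aud`), and that separates the 401 case (token never accepted) from the 403 case (token accepted, RBAC denies) that the commit message mentions. The issuer URL, client ID and sample token below are constructed placeholders; the token is unsigned because signature verification is the API server's job and this helper only explains why a token would be rejected.

```python
import base64
import json
from typing import Optional, Union

# Added diagnostic example (not Headlamp or kube-apiserver code). It mirrors the
# issuer/audience checks kube-apiserver applies to an OIDC bearer token when the
# --oidc-issuer-url / --oidc-client-id flags are set. Signature verification is
# deliberately omitted: the API server does that against the issuer's JWKS.


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS (header.payload.signature) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_against_apiserver(token: str, oidc_issuer_url: str,
                                  oidc_client_id: str) -> Optional[str]:
    """Return None when the token would pass the issuer/audience checks,
    otherwise the reason the API server would answer 401 Unauthorized."""
    if not oidc_issuer_url:
        return ("API server has no --oidc-issuer-url: the OIDC authenticator is "
                "disabled and every OIDC token is rejected (401)")
    claims = decode_jwt_payload(token)
    iss = claims.get("iss")
    if iss != oidc_issuer_url:  # exact string match, a trailing slash breaks it
        return f"iss {iss!r} does not equal --oidc-issuer-url {oidc_issuer_url!r} (401)"
    aud: Union[str, list, None] = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if oidc_client_id not in audiences:
        return f"--oidc-client-id {oidc_client_id!r} not in aud {audiences!r} (401)"
    return None


def explain_status(http_status: int) -> str:
    """Map the status a client such as Headlamp sees back to the layer that failed."""
    if http_status == 401:
        return ("Unauthorized: no authenticator accepted the bearer token; OIDC flags "
                "missing or iss/aud mismatch")
    if http_status == 403:
        return ("Forbidden: the token was accepted, but the mapped user (from "
                "--oidc-username-claim / --oidc-username-prefix) has no RBAC binding")
    return f"HTTP {http_status}: not an authentication/authorization failure"


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token with a dummy signature, for local testing only."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'RS256', 'typ': 'JWT'})}.{b64url(claims)}.sig"


if __name__ == "__main__":
    # Constructed values: the issuer and client ID are placeholders, not a real tenant.
    issuer = "https://login.example.com/tenant"
    token = make_unsigned_token({"iss": issuer, "aud": "headlamp", "sub": "alice"})
    print(check_token_against_apiserver(token, issuer, "headlamp"))        # None: accepted
    print(check_token_against_apiserver(token, issuer + "/", "headlamp"))  # trailing slash: 401
    print(check_token_against_apiserver(token, issuer, "other-client"))    # aud mismatch: 401
    print(explain_status(403))
```

Against a real cluster the same split can be reproduced with `kubectl --token="$ID_TOKEN" get --raw /api`: a 401 means the API server never accepted the token (flags missing, or issuer/audience mismatch), a 403 means it did and the RBAC binding for the mapped username is the next thing to fix. On managed control planes the flags are not set directly; the provider exposes its own OIDC identity-provider configuration, which is the cloud-specific note the PR adds.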