Skip to content

docs: add warning about API server OIDC configuration#4641

Open
zyzzmohit wants to merge 1 commit intokubernetes-sigs:mainfrom
zyzzmohit:docs/issue-4618-oidc-warning
Open

docs: add warning about API server OIDC configuration#4641
zyzzmohit wants to merge 1 commit intokubernetes-sigs:mainfrom
zyzzmohit:docs/issue-4618-oidc-warning

Conversation

@zyzzmohit
Copy link
Contributor

@zyzzmohit zyzzmohit commented Feb 8, 2026

Summary

This PR updates the OIDC installation documentation to explicitly state that the Kubernetes API server must be configured to accept OIDC tokens. This addresses confusion where users configure Headlamp for OIDC but forget the underlying cluster configuration.

Related Issue

Fixes #4618

Changes

  • Added an "Important" warning note to docs/installation/in-cluster/oidc.md linking to the official Kubernetes OIDC documentation.

Preview

⚠️ Important: For Headlamp's OIDC authentication to work, your Kubernetes cluster's API server must also be configured to accept OIDC tokens. Headlamp handles the user login flow, but the cluster validates the resulting token. See the Kubernetes documentation on OIDC tokens for details.

@zyzzmohit
docs: add warning about API server OIDC configuration
8805de3 
Signed-off-by: zyzzmohit <mohitray949@gmail.com>
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zyzzmohit
Once this PR has been reviewed and has the lgtm label, please assign yolossn for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from illume February 8, 2026 09:37
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 8, 2026
@k8s-ci-robot k8s-ci-robot requested a review from sniok February 8, 2026 09:37
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 8, 2026
@illume illume requested a review from Copilot February 8, 2026 12:04
Copilot AI reviewed Feb 8, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the in-cluster OIDC installation docs to clearly state that Headlamp OIDC login requires the Kubernetes API server to be configured to validate OIDC tokens, addressing a common setup gap reported in #4618.

Changes:

  • Added an “Important” warning callout near the top of the OIDC in-cluster installation doc, with a link to the official Kubernetes OIDC token documentation.
  • Removed an extra blank line in the Entra ID quick reference section.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@zyzzmohit
Copy link
Contributor Author

zyzzmohit commented Feb 15, 2026

@illume @sniok
Friendly bump! 👋 Just checking in — this is a small docs-only change (2 lines) adding an important warning about API server OIDC configuration, which addresses the confusion reported in #4618. Would appreciate a review when you get a chance. Thanks :)

@illume
Copy link
Contributor

illume commented Feb 15, 2026

Maybe what you have is ok and fine enough. But I’m a bit unclear about the conditions that bring people here. Maybe you can help me understand?

How will people find this? What happens if it’s not? Maybe we can the error behavior here for folks to search for it.

I’m also wondering if those docs are adequate for folks configuring a cloud k8s instance? Or is this not something they will encounter?

Not like below(the details are probably wrong), but I think add the error condition they encounter to what you have and a note how to do this on a cloud provider is cloud provider specific (if it’s relevant at all to them?)

⚠️ Important: For Headlamp’s OIDC authentication to work, your Kubernetes API server must be configured to accept and validate OIDC tokens (for example by setting --oidc-issuer-url, --oidc-client-id, and the username/groups claims). Headlamp performs the login flow and returns a token, but the API server validates that token. If the API server is not configured, Headlamp’s login may succeed but subsequent API calls will be rejected with 401/403 errors. See the Kubernetes OIDC docs (link) and your cloud provider’s guidance for details.

Or maybe what you have already is better, and these two things are not needed.

@illume
Copy link
Contributor

illume commented Feb 15, 2026

@mlbiam this PR enough for the issue you reported?

@illume
Copy link
Contributor

illume commented Feb 15, 2026

I wonder if we can add into an error message into headlamp when people encounter this something like: “Have you configured your api server? If not see: xxx”

@mlbiam
Copy link
Contributor

mlbiam commented Feb 15, 2026

@illume

  1. +1 for an error message that tells the user that the cluster isn't integrated
  2. I'd recommend starting with that headlamp calls kubernetes APIs on the user's behalf, so the token must be accepted by kubernetes. Also include that the issuer and audience must be the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@illume illume Awaiting requested review from illume

@sniok sniok Awaiting requested review from sniok

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

docs: oidc needs some explanation of what needs to be configured on the API server

4 participants

@zyzzmohit @k8s-ci-robot @illume @mlbiam