Currently Omni always takes the role of OIDC provider for Kubernetes access.
Also, when you access the Kubernetes API via Omni, Omni impersonates to Kubernetes as the user performing the operation and a base role. So you can bind Kubernetes RBAC to the user pretty much the same way as you do it with Dex. Dex shouldn't offer anything that Omni Kubernetes access already does.
When you skip Omni, you also skip the Kubernetes API load-balancer, so this should be something you manage outside of Omni. With that said, nothing should prevent you from plugging in OIDC auth. If you have some specific steps you need to take, and you need help to do that with Omni, please point us towards these steps. If there is something on the Omni side which blocks you from doing so, we can dig into that.
For a customer we're looking into setting up a self-hosted Omni instance and rolling out client clusters (for other teams).
One of the things we'd like to do is use our existing authentication and authorization setup that uses dex with an auth backend. Is it possible to configure dex as an additional OIDC authentication source in an Omni-managed cluster?
I've found the Structured Auth Config, and this article https://blog.palark.com/kubernetes-structured-authentication-config-explained/ seems to suggest that it is possible, but what steps would need to be taken to make this work in an Omni cluster?
Is this even possible and is there any guide available on how to do this?
//edit: I'm aware that with Omni itself it is possible to almost reach feature parity with this setup; however, the client clusters should not be dependent on Omni for user auth.