OIDC Rancher Desktop

Thu Jul 17 2025 · json · rss

Subscribe:

RSS

JSON

About

Rancher Desktop provides "provisioning scripts" to customize Rancher Desktop installations on Windows. ( source )

The following examples use GitLab as the basis.

Prerequisite:

Create a Gitlab application: https://docs.gitlab.com/integration/oauth_provider/

To add OIDC to Rancher Desktop on Windows

Create a file under the provisioning directory:

C:\Users\your-user-folder-here\AppData\Local\rancher-desktop\provisioning\00-OIDC-Setup.start

File Contents should be similar to the following

#!/bin/sh   
mkdir -p /etc/rancher/k3s/config.yaml.d/   
cat > /etc/rancher/k3s/config.yaml.d/OIDC.yaml <<EOF   
kube-apiserver-arg:    
- "oidc-client-id=xxxxxxxxxxxx"    
- "oidc-groups-claim=groups_direct"    
- "oidc-issuer-url=https://gitlab.com"    
- "oidc-username-claim=preferred_username"    
- "oidc-groups-prefix=customvalue:"    
- "oidc-username-prefix=customvalue:"   
EOF

groups_direct is a key within the Gitlab OIDC token. By using the oidc-groups-claim flag, the kube-api server will grab a value found in the groups_direct key from the Gitlab OIDC token. If you're using a different provider, use a claim from the provider's token. preferred_username is another value from GitLab's token.

customvalue can be any string. It'll be used to match OIDC operations to a ClusterRoleBinding

Set up a ClusterRoleBinding and ClusterRole ( The ClusterRole is optional: you could use the built in roles- but not the best practice. )
Documentation on ClusterRoles and ClusterRoleBindings: Using RBAC Authorization

Example: where the customvalue was set to no1llc, and the user is part of a group partners and the subgroup founder. The values after the username and group prefixes MUST be matched to the token. ( note: [Group/User] should be Group or User. )

subjects:   
- kind: [Group/User]  
  name: "no1llc:partners/founder"   
  apiGroup: rbac.authorization.k8s.io   
# or where user's username is gnoejuan and customvalue was "me"   
subjects:   
- kind: [Group/User]   
  name: "me:gnoejuan"   
  apiGroup: rbac.authorization.k8s.io

If there is no subgroup, the value will simply be the group.

Example "no1llc:partners"