OIDC Rancher Desktop


The following examples use GitLab as the OIDC provider.


To add OIDC to Rancher Desktop on Windows


  • Create a file under the provisioning directory:
C:\Users\your-user-folder-here\AppData\Local\rancher-desktop\provisioning\00-OIDC-Setup.start 


  • File contents should be similar to the following:
#!/bin/sh
# k3s merges every file in config.yaml.d into its config, so this adds the OIDC flags to kube-apiserver
mkdir -p /etc/rancher/k3s/config.yaml.d/
cat > /etc/rancher/k3s/config.yaml.d/OIDC.yaml <<EOF
kube-apiserver-arg:
- "oidc-client-id=xxxxxxxxxxxx"
- "oidc-groups-claim=groups_direct"
- "oidc-issuer-url=https://gitlab.com"
- "oidc-username-claim=preferred_username"
- "oidc-groups-prefix=customvalue:"
- "oidc-username-prefix=customvalue:"
EOF


groups_direct is the claim in GitLab's ID token that carries the user's groups. If you're using a different provider, use the groups claim from that provider's token instead. preferred_username is another claim from GitLab's token and supplies the username.


customvalue can be any string. It is prepended to every username and group name taken from the token, and that prefixed name is what a ClusterRoleBinding must reference for OIDC users to be matched.


  • Set up a ClusterRoleBinding and a ClusterRole (the ClusterRole is optional: you could bind to the built-in roles, but that is not best practice).

Example: customvalue is no1llc, and the user is a member of the group partners and its subgroup founder. The values after the username and group prefix MUST match what is in the token.

subjects:
- kind: Group
  name: "no1llc:partners/founder"
  apiGroup: rbac.authorization.k8s.io
# or where the user's username is gnoejuan and customvalue was "me"
subjects:
- kind: User
  name: "me:gnoejuan"
  apiGroup: rbac.authorization.k8s.io


If there is no subgroup, the value will simply be the group.


Example: "no1llc:partners"
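To check that a binding's subjects actually line up with what the API server derives from the token, here is an added example (not from the original post) that applies the username and group prefixes from the k3s config to a constructed set of GitLab-style claims and compares the result against ClusterRoleBinding subjects. It assumes customvalue is no1llc for both prefixes and that the token carries the groups partners and partners/founder.

```python
"""Derive the Kubernetes user/group names kube-apiserver builds from OIDC claims."""
import json
from typing import Dict, List

# kube-apiserver-arg values from the provisioning script (client id left as a placeholder)
OIDC_CONFIG: Dict[str, str] = {
    "oidc-issuer-url": "https://gitlab.com",
    "oidc-username-claim": "preferred_username",
    "oidc-username-prefix": "no1llc:",
    "oidc-groups-claim": "groups_direct",
    "oidc-groups-prefix": "no1llc:",
}

# Constructed claims payload shaped like GitLab's ID token; signature checks are not modelled here
SAMPLE_CLAIMS = json.loads('''{
  "iss": "https://gitlab.com",
  "sub": "12345",
  "preferred_username": "gnoejuan",
  "groups_direct": ["partners", "partners/founder"]
}''')


def kube_identity(cfg: Dict[str, str], claims: dict) -> Dict[str, object]:
    """Return the user name and group names RBAC will see for these claims."""
    prefix = cfg.get("oidc-username-prefix")
    # apiserver rule: with no username prefix and a non-email username claim,
    # the prefix defaults to "<issuer-url>#"; the literal "-" disables prefixing
    if prefix is None and cfg["oidc-username-claim"] != "email":
        prefix = cfg["oidc-issuer-url"] + "#"
    if prefix == "-":
        prefix = ""
    user = prefix + str(claims[cfg["oidc-username-claim"]])
    raw = claims.get(cfg["oidc-groups-claim"], [])
    if isinstance(raw, str):  # the groups claim may be a single string or a list
        raw = [raw]
    gprefix = cfg.get("oidc-groups-prefix", "")
    groups: List[str] = [gprefix + g for g in raw]
    return {"user": user, "groups": groups}


def subject_matches(subject: Dict[str, str], identity: Dict[str, object]) -> bool:
    """True if one ClusterRoleBinding subject would match the derived identity."""
    if subject.get("kind") == "User":
        return subject["name"] == identity["user"]
    if subject.get("kind") == "Group":
        return subject["name"] in identity["groups"]
    return False
```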