Merge pull request #737 from jvanz/user-sessions

Warning about multiples kubeconfig with the same user
SUSE · Mar 16, 2020 · 582964a · 582964a
2 parents 7dd3a45 + a986885
commit 582964a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/adoc/admin-security-rbac.adoc b/adoc/admin-security-rbac.adoc
@@ -163,6 +163,34 @@ NOTE: Before any add-on upgrade, please backup any runtime configuration changes
 login username and password.
 . The kubeconfig `kubeconf.txt` is generated locally.
 
+===== OIDC Tokens
+
+The kubeconfig file (`kubeconf.txt`) contains the OIDC tokens necessary to perform authentication and authorization in the cluster.
+OIDC tokens have an *expiration date* which means that they need to be refreshed after some time.
+If you use the *same user in multiples kubeconfig files* distributed among multiple machines,
+this can lead to issues, because only one of the machines will be able to refresh the token.
+The user will be able to download multiple kubeconfig files, but they will only work until one of them needs to refresh the session.
+After that, only one machine will work, namely the first machine which refreshed the token.
+
+*A workaround for this issue* is using multiple users for different kubeconfig
+files. See how to add more users in <<_sec.admin.security.users.add>>.
+You can also check information about the user and the respective OIDC tokens in the kubeconfig file under the `users` section:
+
+-----
+users:
+- name: myuser
+  user:
+    auth-provider:
+      config:
+        client-id: oidc
+        client-secret: <SECRET>
+        id-token:  <ID_TOKEN>
+        idp-issuer-url: https://<IP>:<PORT>
+        refresh-token: <REFRESH_TOKEN>
+      name: oidc
+-----
+
+
 ==== Access {kube} Resources
 
 The user can now access resources in the authorized `<NAMESPACE>`.

diff --git a/adoc/admin-security-user-group-management.adoc b/adoc/admin-security-user-group-management.adoc
@@ -1,3 +1,5 @@
+[[_sec.admin.security.users]]
+
 = Managing Users and Groups
 
 You can use standard LDAP administration tools for managing organizations, groups and users remotely.
@@ -107,6 +109,7 @@ DS_DM_PASSWORD=                                 # Admin Password
 ldapmodify -v -H <LDAP_PROTOCOL>://<LDAP_NODE_FQDN><LDAP_NODE_PROTOCOL> -D "<BIND_DN>" -f <LDIF_FILE> -w <DS_DM_PASSWORD>
 ----
 
+[[_sec.admin.security.users.add]]
 === Adding a New User
 
 . To add a new user, create an LDIF file (`new_user.ldif`) like this:
@@ -292,4 +295,4 @@ DS_DM_PASSWORD=                                     # Old Password
 NEW_DS_DM_PASSWORD=                                 # New Password
 
 ldappasswd -v -H <LDAP_PROTOCOL>://<LDAP_NODE_FQDN><LDAP_NODE_PROTOCOL>  -x -D "<BIND_DN>" -w <DS_DM_PASSWORD> -a <DS_DM_PASSWORD> -s <NEW_DS_DM_PASSWORD>
-----
+----