Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
f
freezing-hairdresser-79403
04/26/2023, 12:37 PMI would like to know if Rancher has the ability to retrieve user groups from an external identity provider and import them to the local Rancher cluster.
w
worried-doctor-71696
04/26/2023, 3:27 PMit at least works with okta. we use it to pull okta groups into rancher. after adding okta integration, our okta groups were available from the drop-down on the "Cluster Member: Add" page of the rancher ui. we did this a few years ago, and iirc, there was some wonkiness like the user adding the cluster member had to be part of the okta group he/she wanted to add for rancher to be able to query okta for that group. hopefully, the process has been improved since then.
f
freezing-hairdresser-79403
04/26/2023, 3:41 PMI find myself in a this situation, where the user who is adding a cluster member is also a member of the group that I want to add
Were you able to display the list of users in the user group of your Okta ?
Sorry, my question not clear enough
Were you able to view the list of users within your Okta group in the user group of your Rancher cluster
w
worried-doctor-71696
04/26/2023, 4:04 PMah. no i don't think we have that ability. your use case may be different from ours, but we just add entire okta groups as cluster members then assign them to namespaces, etc. when a user on one of the allowed groups logs into rancher, they login as themselves and rancher and okta figure out what group they belong to and if that group is a cluster member. if so, they can log into the console.
membership to rancher is handled through okta groups for the most part. that said, we have had to set up individual "local" users tho, because we usually just give the groups "Cluster View" or "Cluster Member privileges. if an individual really needs admin privs, it's treated as a one-off.
f
freezing-hairdresser-79403
04/26/2023, 4:19 PMBased on previous information shared, it seems that Rancher may only import the groups from the external identity provider that corresponds to the user who made the integration. This means that any new groups that are created within the external identity provider and not associated with the user who made the integration may not be visible in Rancher
Please correct me if I am wrong
w
worried-doctor-71696
04/26/2023, 4:30 PMinteresting. that's not the case from our experience. i wasn't the one who initially set up the okta integartion, but i'm fairly certain he wasn't a member of all the groups we've added to rancher at the time or any of the new groups we've added that didn't exist at the time. in the handful of instances i had to add new groups to rancher myself, i would first have to add myself to the okta group (until i added the group to rancher). i did have to make sure to log out of rancher and log back in so rancher could re-query okta and see my new group membership.
also, i was incorrect when i mentioned we didn't add individual users. i found a cluster where we have one user in the cluster members list tagged as an "Okta User", tho i'm not sure how that was done, unfortunately. 😞