Does Rancher support workload identity federation?
# rke2
Rancher? Or RKE2?
and… federation with what?
I'm not on the infra team so I don't even know what the difference between Rancher and RKE2 is. We have an on-prem k8s cluster using Rancher (just moved from a kubespray-managed cluster). We want to enable workload identity with Azure so our pods can authenticate to Azure resources using a token we don't have to manage, with no creds to issue to the pods. We do this in AKS and want to enable it in our on-prem cluster as well. Currently the issuer on the k8s JWT is 'https://kubernetes.default.svc.cluster.local', but I believe this needs to be a valid URL where Azure AD validation could fetch the keys to validate the token.
### Step 2: Enable OIDC Issuer in Kubernetes API Server

Ensure your Rancher-managed Kubernetes cluster is configured with:

- `--service-account-issuer=https://<your-cluster-issuer-url>`
- `--service-account-signing-key-file=/path/to/private.key`

This exposes the OIDC discovery endpoint required for Azure to trust your cluster as an identity provider.
That's causing issues for our infra team. So I'm just curious if this is even possible. Our infra team is saying it's not currently possible and they have to issue a request to the SUSE team to get it on the roadmap. Copilot thinks it's possible. 😄
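A quick way to see what your cluster currently puts in the `iss` claim and whether an outside party such as Entra ID could ever fetch discovery metadata from it, added here as example code (not from the thread, Copilot, or SUSE). The token is constructed to match the issuer quoted above; the helper reads claims without verifying the signature, so use it for inspection only, and the "good" issuer hostname is a placeholder.

```python
import base64
import json
from urllib.parse import urlparse

def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample projected service-account token. The payload mirrors what
# a default RKE2/kube-apiserver issues (cluster-local issuer); the signature is
# a dummy string because this script never verifies it.
SAMPLE_PAYLOAD = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:app:workload-sa",
    "aud": ["api://AzureADTokenExchange"],
    "exp": 1893456000,
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "dummy-signature",
])

def unverified_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def issuer_problems(iss: str) -> list:
    """Reasons an issuer URL cannot act as an externally trusted OIDC issuer."""
    problems = []
    u = urlparse(iss)
    if u.scheme != "https":
        problems.append("issuer must use https")
    host = u.hostname or ""
    if host.endswith(".svc.cluster.local") or host.endswith(".svc") or host == "kubernetes.default":
        problems.append("issuer is only resolvable inside the cluster")
    return problems

def discovery_url(iss: str) -> str:
    """Where a relying party fetches metadata; the JWKS location is the jwks_uri in that document."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"

if __name__ == "__main__":
    iss = unverified_claims(SAMPLE_TOKEN)["iss"]
    print(iss, issuer_problems(iss), discovery_url(iss))
```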
Rancher is a cluster and workload management application that runs on Kubernetes and can provision Kubernetes clusters and manage applications deployed to those clusters. RKE2 is a Kubernetes distribution - a collection of components that provide a working Kubernetes cluster. Kubespray is another Kubernetes distro.
So, you’d need to figure out what distribution you’re using, and work from there.
rke2 is the distro
> We have a confirmation from SUSE that Rancher, RKE2 or RKE, none of these distros, support workload identity. I am working with the vendor on opening a ticket with their engineering team on how we can get it supported.
That was the note from our infra team.