From 3fab1ebe8b0a8b4f58bed79819143e974e1712cb Mon Sep 17 00:00:00 2001 From: Max Goltzsche Date: Mon, 20 Apr 2026 14:51:25 +0200 Subject: [PATCH] KKP AuthenticationConfiguration support Signed-off-by: Max Goltzsche --- .../kkp-security/securing-system-services/_index.en.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/kubermatic/main/architecture/concept/kkp-concepts/kkp-security/securing-system-services/_index.en.md b/content/kubermatic/main/architecture/concept/kkp-concepts/kkp-security/securing-system-services/_index.en.md index d7443e905..4ba2959e2 100644 --- a/content/kubermatic/main/architecture/concept/kkp-concepts/kkp-security/securing-system-services/_index.en.md +++ b/content/kubermatic/main/architecture/concept/kkp-concepts/kkp-security/securing-system-services/_index.en.md @@ -161,6 +161,9 @@ It's possible to use a different authentication provider than Dex. Please refer [OIDC provider]({{< ref "../../../../../tutorials-howtos/oidc-provider-configuration" >}}) chapter for more information on how to configure KKP and OAuth2-Proxy accordingly. +Alternatively, if you want to configure a different or additional JWT identity provider for your user cluster API server(s), you can define an [AuthenticationConfiguration](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration) file within a Kubernetes Secret and refer to it within the Seed's `spec.authenticationConfiguration` or, to configure it per datacenter, within the Seed's `spec.datacenters.spec.authenticationConfiguration` or within the Cluster's `spec.authenticationConfiguration` directly. +The AuthenticationConfiguration precedence order is as follows: 1. Cluster, 2. Datacenter, 3. Seed. + ## Security Considerations The IAP does not protect services against access from within the cluster. Sensitive services should therefore
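Review bot: In the first added line, the per-datacenter path `spec.datacenters.spec.authenticationConfiguration` skips the datacenter entry itself, so a reader cannot tell where the field goes; if datacenters are keyed by name in the Seed, write it as `spec.datacenters.<name>.spec.authenticationConfiguration`. The same sentence says the file is defined "within a Kubernetes Secret" but does not show what the reference looks like (Secret name, namespace, key), so a short YAML snippet or a link to the field reference would help. The precedence line should state whether the most specific level replaces the others entirely or is merged with them, and whether the default OIDC provider described just above stays trusted once a file is set: "different or additional" reads as if issuers can be added, while the order "1. Cluster, 2. Datacenter, 3. Seed" reads as an override, in which case every issuer that should remain valid has to be listed in the winning file. Because this setting decides which token issuers a user cluster API server accepts, one sentence on who is allowed to set the Cluster-level field belongs here too. Style: the first sentence chains three locations with "or ... or" and can be read as if the Cluster field were also per datacenter; a three-item list (Seed, datacenter, Cluster) would remove the ambiguity and carry the precedence order at the same time.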