Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


How to Enable Keystone Authentication in a Juju Cluster within a Kubernetes Environment


This topic covers Contrail Networking in Kubernetes-orchestrated environments that are using Contrail Networking Release 21-based releases.

Starting in Release 22.1, Contrail Networking evolved into Cloud-Native Contrail Networking. Cloud-Native Contrail Networking offers significant enhancements to optimize networking performance in Kubernetes-orchestrated environments. We recommend using Cloud-Native Contrail for networking in most Kubernetes-orchestrated environments.

For general information about Cloud-Native Contrail, see the Cloud-Native Contrail Networking Techlibrary homepage.

Starting in Contrail Networking Release 2011, Kubernetes can use the Keystone authentication service in Openstack for authentication in environments that contain cloud networks using Openstack and Kubernetes orchestrators when the Kubernetes environment is using Juju. This capability is available when the cloud networks are both using Contrail Networking and when the Kubernetes cluster was created in an environment using Juju.

This document discusses how to enable keystone authentication in Kubernetes environments and contains the following sections:

Overview: Keystone Authentication in Kubernetes Environments with a Juju Cluster

A cloud environment that includes Contrail clusters in Kubernetes-orchestrated environments and OpenStack-orchestrated environments can simplify authentication processes by having a single authentication service in place of each orchestrator authenticating separately. The ability for a Kubernetes-orchestrated environment to authenticate using the Keystone service from Openstack can provide this capability when the Kubernetes environment is using Juju.

Kubernetes is able to authenticate users using Keystone when the contrail-controller charm in Juju has relations with both an Openstack orchestrator and the Kubernetes orchestrator. The contrail-controller charm—when the Keystone service in Kubernetes is enabled—passes the credentials from Keystone to the contrail-kubernetes-master charm. The contrail-kubernetes-master charm then passes the Keystone parameters to kubemanager.

Both orchestrators use their native authentication processes by default. The ability for Kubernetes to use Keystone authentication in an environment using Juju was introduced in Contrail Networking Release 2011 and must be user-enabled.

How to Enable Keystone Authentication in a Kubernetes Environment

To enable Keystone authentication for Kubernetes:

  1. In Juju running in the Kubernetes cluster, add a relation between the kubernetes-master and Keystone and configure the Kubernetes master to use Keystone authorization:
  2. Ensure that IP Fabric Forwarding for the pod network in the default kube-system project is disabled and that SNAT is enabled. SNAT enablement is required to reach the Keystone service from the keystone-auth pod in Kubernetes.

    You can disable IP Fabric Forwarding and enable SNAT from the kubectl CLI or from the Tungsten Fabric GUI.

    • Kubectl:

      Navigate to kubectl edit ns default and add the following configuration:

    • Tungsten Fabric Graphical User Interface

      Change the appropriate settings in the Configure > Networking > Networks > default-domain > k8s-kube-system workflow.

  3. In Juju, apply the policy.json configuration:

    The JSON configuration varies by environment and the JSON configuration option descriptions are beyond the scope of this document.

    A sample JSON configuration file is provided for reference:

  4. Install client tools on the jumphost or an another node outside of the cluster.
  5. In Kubernetes, configure the Keystone context and set credentials:
  6. Apply the required settings to the environment:

    If preferred, you can also perform this step from stackrc.

  7. From kubectl, use the configuration to create a namespace from keystone authentication.