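# KubeOne cluster manifest: a Hetzner-hosted cluster with API-server audit
# logging and OpenID Connect (OIDC) authentication enabled.
#
# Nesting matters here: `enable` and `config` appear once per feature and
# must sit under their own feature key. Flattened to one level they become
# duplicate keys, and most parsers silently keep only the last one.
apiVersion: kubeone.io/v1beta1
kind: KubeOneCluster

versions:
  # NOTE(review): the Kubernetes 1.19 line is past upstream end-of-life and
  # no longer receives security fixes; confirm the target version before
  # reusing this manifest.
  kubernetes: '1.19.3'

cloudProvider:
  hetzner: {}
  # Run the cloud controller manager out-of-tree (external CCM).
  external: true

features:
  staticAuditLog:
    enable: true
    config:
      # Audit policy handed to the API server. The policy decides which
      # requests are recorded and at what level, so review changes to this
      # file like any other security control.
      policyFilePath: manifests/audit-policy.yaml

  openidConnect:
    enable: true
    config:
      # The URL of the OpenID issuer, only HTTPS scheme will be accepted. If
      # set, it will be used to verify the OIDC JSON Web Token (JWT).
      # Every token signed by this issuer for `clientId` is accepted as an
      # authenticated identity, so the issuer is part of the cluster's trust
      # boundary.
      issuerUrl: "https://dex.controlplane.example.com/dex"
      # The client ID for the OpenID Connect client, must be set if
      # issuerUrl is set. Tokens issued for a different client are rejected.
      clientId: "kubernetes"
      # The OpenID claim to use as the user name. Note that claims other than
      # the default ('sub') are not guaranteed to be unique and immutable.
      # This flag is experimental in kubernetes, please see the kubernetes
      # authentication documentation for further details.
      # NOTE(review): RBAC bindings are keyed on this value. If the identity
      # provider lets users edit 'preferred_username' or reassigns it, the
      # bindings follow the name rather than the person; confirm the
      # provider treats it as stable, or use 'sub'.
      usernameClaim: "preferred_username"
      # If provided, all usernames will be prefixed with this value. If not
      # provided, username claims other than 'email' are prefixed by the
      # issuer URL to avoid clashes. To skip any prefixing, provide the
      # value '-'. With this prefix, RBAC subjects read 'oidc:<username>',
      # which cannot collide with built-in 'system:' identities.
      usernamePrefix: "oidc:"
      # If provided, the name of a custom OpenID Connect claim for specifying
      # user groups. The claim value is expected to be a string or array of
      # strings. This flag is experimental in kubernetes, please see the
      # kubernetes authentication documentation for further details.
      groupsClaim: "groups"
      # If provided, all groups will be prefixed with this value to prevent
      # conflicts with other authentication strategies. Without a prefix, a
      # group name from the identity provider could match a built-in group
      # such as 'system:masters'.
      groupsPrefix: "oidc:"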