Kube-apiserver and oidc

Hi there,
I have a cluster deployed with rancher 2.0 and everything goes ok. I can configure my users and kubeconfigs to manage the cluster.
Now I would like to use an Oauth2 provider to give these users access to the cluster. After reading some documentation, I have my keycloak and client ready to be used by Kuberentes.
In theory I should make something like:

kube-apiserver  --oidc-issuer-url=KEYCLOAK_REALM_PROVIDER_URL  \
                          --oidc-client-id=Kubernetes  \
                          --oidc-username-claim=name \

But I have this estrange error:

W0311 14:13:11.683745  165882 services.go:37] No CIDR for service cluster IPs specified. Default value which was is deprecated and will be removed in future releases. Please specify it using --service-cluster-ip-range on kube-apiserver.
Error: error creating self-signed certificates: mkdir /var/run/kubernetes: permission denied

Why this error about creating a self-signed certificate?. The certificate I am using is an authorized one.

ok, big mistake, kube-apiserver is not a command to interact with the kube-apiserver of your cluster. But I had that command in my computer (by mistake), and I thought I could use it to change the configuration of my Rancher Cluster.

So kube-apiserver is running inside one container deployed by rancher. How can I modify this to add these extra params:

--oidc-issuer-url=KEYCLOAK_REALM_PROVIDER_URL  \
                          --oidc-client-id=Kubernetes  \
                          --oidc-username-claim=name \

See Rancher Docs: Cluster Configuration

but there can I overwrite the command params, similar to this:

  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --disable-admission-plugins=PersistentVolumeLabel
    - --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --oidc-issuer-url=
    - --oidc-client-id=H1Vt_n8eRyKzu1EBzwfXVirQIfga
    - --oidc-ca-file=/etc/kubernetes/oidc-ca/yay.pem
    - --oidc-groups-claim=groups
    - --oidc-username-claim=sub

Is there any way, I can edit the manifest file in the host to modify that? to make the kube-apiserver command to be executed with some extra parameters?

Yes the provided link contains links to examples, such as Rancher Docs: Extra Args, Extra Binds, and Extra Environment Variables

ok, but not sure how I shouls use extraargs, I am trying:

- --oidc-issuer-url="https://keycloak.foo.bar/realm/realm-example"  
- --oidc-client-id="client-example"  
- --oidc-username-claim="name"

but then, if I inspect the kube-apiserver container, the command execution does not have this extra args.

Ok, it worked in that way:

        oidc-issuer-url: "https://keycloak.foo.bar/realm/realm-test"  
        oidc-client-id: "client_id"  
        oidc-username-claim: "email"

Is there any way of doing the same, but not using Rancher Dashboard? Something with commandline, kubectl?

Hi Jose,
I am trying to configure keycloak for kubectl.
Can you please help me out how you solve this.

I am using Rancher 2.5