New Kubernetes API endpoint for unmanaged auth is now available in CKS, enabling custom authentication workflows.Documentation Index
Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
Use this file to discover all available pages before exploring further.
Kubernetes API endpoint for unmanaged auth
A new Kubernetes API endpoint for unmanaged authentication is now available in CKS, streamlining OIDC, Service Account, and Webhook authentication workflows for public CKS clusters. Prior to this release, customers were required to first use CoreWeave-managed authentication to provision their own endpoint to support these unmanaged authentication workflows.Managed Auth vs. unmanaged auth
Managed Auth
The managed authentication endpoint follows the formathttps://<Org ID>-<Cluster Hash>.k8s.<Zone>.coreweave.com and can be found on the Cluster Status page of the CoreWeave Cloud Console by clicking Copy public address.
The Managed Auth service handles user authentication and authorization only for user identities in the CoreWeave Cloud Console. It does not support Kubernetes Service Account tokens, OIDC access tokens, or anonymous API server URIs.
Kubeconfigs for CKS clusters that are generated by the CoreWeave Cloud Console use the Managed Auth endpoint by default.
Unmanaged auth
The new unmanaged authentication endpoint is available athttps://api.<Org ID>-<Cluster Hash>.k8s.<Zone>.coreweave.com. You can create this URL by adding the api. prefix after clicking Copy public address on the Cluster Status page.
Unmanaged authentication allows users to authenticate with the Kubernetes API using Kubernetes Service Account Tokens, OIDC access tokens, or anonymous API server URIs. This endpoint is intended for users who prefer to manage their own authentication and authorization mechanisms. Kubeconfigs and access tokens generated by the CoreWeave Cloud Console for CKS clusters are not supported by this endpoint.
Deprecated endpointCKS clusters previously offered an undocumented unmanaged authentication endpoint at
https://api.<orgId>-<clusterName>.k8s.<zone>.coreweave.com. This endpoint is now deprecated.Use cases
This endpoint streamlines several authentication scenarios:- OIDC authentication: Integrate standard OIDC IdPs for authentication to your CKS clusters
- Service Account authentication: Use Kubernetes Service Account tokens to authenticate with your CKS clusters
- Custom authentication providers: Integrate with enterprise identity systems not supported by standard OIDC
- Multi-factor authentication: Implement custom MFA workflows
Migration considerations
This is an additive change, introducing a new endpoint for CKS clusters that can be used to support authentication strategies that aren’t supported by the managed authentication endpoint. Customers who previously configured their own custom endpoints for unmanaged authentication can continue to use those. This change introduces no incompatibilities with existing workflows.Configuration
Unmanaged auth can be configured on existing clusters without requiring cluster recreation. To configure unmanaged auth:- Deploy your authentication webhook: Host your custom authentication service that implements the Kubernetes authentication webhook interface
- Configure the webhook in CKS: Use the CKS API to configure the authentication webhook endpoint
- Test the integration: Verify that your custom authentication workflow functions correctly
Learn moreFor detailed API reference information, see CKS API Reference.