I have successfully connected my K8s cluster + dashboard to my Keycloak server, and now I have asked myself the question:

I have followed these instructions here.

Furthermore, I also made the appropriate adjustments to the kube-apiserver.yml. In my opinion these two YAMLs should do the corresponding mapping. Does anyone happen to have a corresponding configuration and can validate my assumption?

```yaml
# ClusterRoleBinding: grants cluster-admin to every member of the group
# "devopstales". For OIDC users this name must equal the value carried in the
# JWT claim named by --oidc-groups-claim, with any --oidc-groups-prefix prepended.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-cluster-admin
  # metadata.namespace removed: a ClusterRoleBinding is cluster-scoped and the field is ignored.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: devopstales
```

```yaml
# RoleBinding: grants the cluster-admin ClusterRole to the single user
# "devopstales" (the value of --oidc-username-claim), but only inside one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # the original block had no metadata; name and namespace below are assumed values
  name: devops-admin
  namespace: kube-system
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: "devopstales"
  # subject.namespace removed: it is only valid for ServiceAccount subjects
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
```

How can I achieve a role mapping between the OIDC roles/groups and the K8s roles?

ZPascal

1 Answer

You will want to specify `--oidc-groups-claim=` with the JWT claim containing the list of strings that identify the groups to which the authenticated user belongs; then you can reference those names (with any optional `--oidc-groups-prefix` you specified) in RBAC situations to grant cluster permissions to those groups.

mdaniel
  • Ok, thanks for your answer. So if I understand this correctly it is not possible to map a rights structure. E.g. that several OIDC groups are mapped to different RBAC rights. – ZPascal Oct 26 '20 at 06:42
  • I don't know keycloak well enough to know how much it would help push RBAC Roles into the cluster for you. If your situation is extremely dynamic, using a webhook authorization scheme may interest you, and this would be worth reading, also: https://github.com/keycloak/keycloak-operator – mdaniel Oct 26 '20 at 16:12
  • Thanks for the hint, currently I use the [louketo-proxy](https://github.com/louketo/louketo-proxy). Maybe the Keycloak is the better alternative to map multiple groups and roles. I will check that. – ZPascal Oct 30 '20 at 13:01
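The mapping the answer describes, written out as an added example (not configuration from the question or the answer) that goes one step further than the thread: two Keycloak groups land in two different RBAC bindings with different rights. The issuer URL, client ID, the claim name `groups`, the prefix `oidc:`, the group names and the namespace `team-a` are all assumed values; substitute your own.

```yaml
# /etc/kubernetes/manifests/kube-apiserver.yaml (excerpt, assumed paths and values)
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/k8s
    - --oidc-client-id=kubernetes
    - --oidc-username-claim=preferred_username
    # claim that carries the list of group names; Keycloak only emits it if the
    # client has a Group Membership mapper, and that mapper sends full paths such
    # as "/k8s-admins" unless "Full group path" is switched off
    - --oidc-groups-claim=groups
    # every group name from the claim is prefixed, so it cannot collide with
    # built-in groups such as system:masters
    - --oidc-groups-prefix=oidc:
---
# Keycloak group "k8s-admins" arrives as "oidc:k8s-admins" and gets cluster-admin cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-k8s-admins-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:k8s-admins
---
# Keycloak group "k8s-developers" gets only the built-in "edit" role, and only in namespace team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oidc-k8s-developers-edit
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:k8s-developers
```

Before handing out tokens, check the result with impersonation, e.g. `kubectl auth can-i --list --as=someone --as-group=oidc:k8s-developers -n team-a`, and confirm the same group gets nothing in another namespace.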