How to map internal OIDC group to external K8s cluster roles
I have successfully connected my K8s cluster + dashboard to my Keycloak server, and now I have asked myself the question:
I have followed these instructions here.
Furthermore, I also made the appropriate adjustments to the kube-apiserver.yml. In my opinion these two YAMLs should do the corresponding mapping. Does anyone happen to have a corresponding configuration and can validate my assumption?
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-cluster-admin
  # no namespace here: a ClusterRoleBinding is cluster-scoped and the field is ignored
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: devopstales   # must match the group name exactly as the apiserver sees it (prefix included, if one is set)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-cluster-admin   # name added; the original fragment had no metadata block
  namespace: kube-system       # a RoleBinding is namespaced: this grants cluster-admin only inside kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: "devopstales"
  # User subjects carry no namespace; only ServiceAccount subjects do
How can I achieve a role mapping between the OIDC roles/groups and the K8s roles?
You will want to specify --oidc-groups-claim= with the JWT claim containing the list of strings that identify the groups to which the authenticated user belongs; then you can reference those names (with any optional oidc-groups-prefix you specified) in RBAC situations to grant cluster permissions to those groups.
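As an added worked example (not part of the question or the answer above), here are the two pieces that have to agree: the OIDC flags in the kube-apiserver static pod manifest and a ClusterRoleBinding whose subject carries the prefixed group name. The issuer URL, client ID, claim names and the oidc: prefix are assumed values, not taken from the original post.

```yaml
# /etc/kubernetes/manifests/kube-apiserver.yaml (excerpt; flag values are assumptions)
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --oidc-issuer-url=https://keycloak.example.com/realms/k8s   # assumed realm URL; must match "iss" in the ID token
    - --oidc-client-id=kubernetes                                  # assumed client; must match "aud" in the ID token
    - --oidc-username-claim=preferred_username
    - --oidc-username-prefix=oidc:
    - --oidc-groups-claim=groups        # the ID-token claim that holds a list of strings
    - --oidc-groups-prefix=oidc:        # keeps an IdP group named e.g. system:masters from colliding with built-in groups
---
# With the flags above, an ID token containing
#   "groups": ["devopstales"]
# is seen by the apiserver as the group "oidc:devopstales",
# so that prefixed name is what the binding must reference.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:devopstales
```

Two checks worth doing before trusting the mapping: decode the ID token Keycloak actually issues and confirm the groups claim is present and is a flat list of names (a Keycloak "Group Membership" mapper with "Full group path" enabled emits "/devopstales", which will not match "devopstales"), and verify the binding resolves independently of the token with impersonation, e.g. kubectl auth can-i list pods --all-namespaces --as=oidc:someone --as-group=oidc:devopstales. If the impersonation check says yes but a real login is denied, the problem is in the token claims or the apiserver flags, not in RBAC.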