Kubernetes OIDC: Groups are ignored?

7/4/2019

Currently I'm trying to get the API server connected with my Keycloak.

When I use the OIDC information from the user, everything works fine, but the groups seem to be ignored. The apiserver is running with the parameters

     --oidc-ca-file=/etc/kubernetes/ssl/ca.pem
     --oidc-client-id=kubernetes
     --oidc-groups-claim=groups
     --oidc-groups-prefix=oidc:
     --oidc-issuer-url=https://keycloak.example.com/auth/realms/master
     --oidc-username-claim=preferred_username
     --oidc-username-prefix=oidc:

I added a ClusterRole and ClusterRoleBinding

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["namespaces","pods"]
    verbs: ["get", "watch", "list"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: developer-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer-role
subjects:
- kind: User
  name: "oidc:myuser"
  apiGroup: rbac.authorization.k8s.io

and for my user "myuser" everything works fine.

But when I change the ClusterRoleBinding to subject Group

....
subjects:
- kind: User
  name: "oidc:group1"
  apiGroup: rbac.authorization.k8s.io
...

I receive a forbidden error.

I tried to debug the JWT token and the group seems to be included:

{
...
  "groups": [
    "group1",
    "group2",
    "group3"
  ],
...
}

Any ideas why my groups are ignored/my ClusterRoleBinding not working?

-- Heiko
kube-apiserver
kubernetes

1 Answer

7/4/2019
....
subjects:
- kind: User
  name: "oidc:group1"
  apiGroup: rbac.authorization.k8s.io
...

should be:

....
subjects:
- kind: Group
  name: "oidc:group1"
  apiGroup: rbac.authorization.k8s.io
...
-- johnharris85
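As an added illustration (not code from the question or the answer), the check below derives the RBAC subjects the apiserver would build from the question's token and flags, and shows why a binding with kind User and a group name never matches while kind Group does. The JWT is a constructed, unsigned sample with the claims quoted above; the signature part is a placeholder and is not verified.

```python
import base64
import json

# Constructed sample token: payload mirrors the claims shown in the question.
# The third segment is a placeholder, not a real signature.
SAMPLE_PAYLOAD = {"preferred_username": "myuser",
                  "groups": ["group1", "group2", "group3"]}
SAMPLE_JWT = ".".join([
    base64.urlsafe_b64encode(b'{"alg":"none"}').decode().rstrip("="),
    base64.urlsafe_b64encode(json.dumps(SAMPLE_PAYLOAD).encode()).decode().rstrip("="),
    "placeholder-signature",
])

# Flags taken from the question's kube-apiserver command line.
APISERVER_FLAGS = {
    "--oidc-username-claim": "preferred_username",
    "--oidc-username-prefix": "oidc:",
    "--oidc-groups-claim": "groups",
    "--oidc-groups-prefix": "oidc:",
}


def decode_claims(token):
    """Decode the JWT payload for inspection only; no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def rbac_subjects(claims, flags):
    """Return the (kind, name) pairs the apiserver derives from the token claims."""
    user = flags["--oidc-username-prefix"] + claims[flags["--oidc-username-claim"]]
    subjects = {("User", user)}
    for group in claims.get(flags["--oidc-groups-claim"], []):
        subjects.add(("Group", flags["--oidc-groups-prefix"] + group))
    return subjects


def binding_matches(binding_subjects, token_subjects):
    """Return the binding subjects that match the authenticated identity.

    The kind is part of the match: a subject with kind User and a group's
    name never matches, which is the question's forbidden error.
    """
    return [s for s in binding_subjects if (s["kind"], s["name"]) in token_subjects]
```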
Source: StackOverflow