- Create a "kubernetes" client
- Add "groups" property for this client "Client Scopes / kubernetes-dedicated" :
- Ensure email verified is available
See inventory/vagrantbox/group_vars/k3s_master/k3s-oidc.yml.dist :
--kube-apiserver-arg oidc-issuer-url=https://keycloak.quadtreeworld.net/realms/master
--kube-apiserver-arg oidc-client-id=kubernetes
--kube-apiserver-arg oidc-groups-claim=groups
--kube-apiserver-arg oidc-groups-prefix=oidc:
--kube-apiserver-arg oidc-username-claim=email
--kube-apiserver-arg oidc-username-prefix=oidc:See rbac/kustomization.yml :
# bind oidc:k8s_admin group to "cluster-admin" role
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --group='oidc:k8s_admins'
# bind oidc:k8s_users group to "view" role
kubectl create clusterrolebinding oidc-cluster-user --clusterrole=view --group='oidc:k8s_users'# install oidc-login plugin
kubectl krew install oidc-login
# configurer oidc-login
kubectl oidc-login setup \
--oidc-issuer-url=https://keycloak.quadtreeworld.net/realms/master \
--oidc-client-id=kubernetes \
--oidc-client-secret=SecretFromKeycloak
# login in browser and follow instructions...--oidc-issuer-url=https://keycloak.quadtreeworld.net/realms/master
--oidc-client-id=kubernetes
--oidc-groups-claim=groups
# ...
--kube-apiserver-arg
-
Pour le debug, ajouter un
-v1à l'utilisateur "oidc" dans KUBECONFIG :
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- oidc-login
- get-token
- --oidc-issuer-url=https://keycloak.quadtreeworld.net/realms/master
- --oidc-client-id=kubernetes
- --oidc-client-secret=**********
- -v1
command: kubectl
env: null
provideClusterInfo: false