Hi, thank you for reading this post. I hope you guys can help. I have been configuring my k8s cluster to use RBAC, oauth2 proxy and Keycloak for authentication and authorization.
So here is what I have done so far.
I configured my release to integrate oauth2 proxy with the Kubernetes dashboard; here is the configuration:
args:
  - --http-address=0.0.0.0:4180
  - --https-address=0.0.0.0:4443
  - --metrics-address=0.0.0.0:44180
  - --provider=keycloak-oidc
  - --client-id=***
  - --client-secret=*****
  - --redirect-url=https://oauth2Proxy.company.com/oauth2/callback
  - --oidc-issuer-url=https://keycloakIdentity.company.com/realms/myrealm
  - --email-domain=*
  - --set-authorization-header=true
  - --set-xauthrequest=true
  - --pass-access-token=true
  - --pass-authorization-header=true
  - --pass-user-headers=true
  - --pass-host-header=true
  - --skip-jwt-bearer-tokens=true
  - --show-debug-on-error=true
  - --silence-ping-logging=true
  - --cookie-secret=*****
  - --provider-display-name="Keycloak"
  - --cookie-secure=false
  - --cookie-domain=.company.com
  - --whitelist-domain=.company.com
  - --cookie-samesite=lax
  - --session-store-type=redis
  - --upstream="static://202"
  - --oidc-groups-claim=groups
  - --oidc-email-claim=email
  - --scope=openid email
  - --skip-provider-button=true
  - --skip-jwt-bearer-tokens=true
  - --insecure-oidc-allow-unverified-email=false
  - --insecure-oidc-skip-issuer-verification=true
  - --silence-ping-logging=true
  - --ssl-insecure-skip-verify=true
  - --ssl-upstream-insecure-skip-verify=true
  - --reverse-proxy=true
  - --force-https=false
Here are the configs for the IngressRoutes and Middlewares, because I'm using Traefik:
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`oauth2Proxy.company.com`)
      kind: Rule
      services:
        - name: oauth2-proxy
          port: 80
      # middlewares:
      #   - name: auth-headers
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wildcard-auth
  namespace: oauth2-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`*.company.com`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy
          port: 80
      # middlewares:
      #   - name: auth-headers
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
  namespace: oauth2-proxy
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    sslHost: company.com
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth
  namespace: kubernetes-dashboard
spec:
  forwardAuth:
    address: https://oauth2Proxy.company.com/
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-Access-Token
      - Authorization
Up to here everything looks good. If I go to the Kubernetes dashboard URL I'm able to authenticate against the Keycloak instance and get called back to the dashboard, but once inside I cannot see anything: pods, deployments, etc.
Here is the fun part. Here is the config for the RBAC binding:
In this log I can see I was authenticated successfully and I have an id_token with the claim information related to the groups:
Here is the mapper in Keycloak:
I hope you guys can help, thank you so much in advance. Regards
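As an added example that is not part of the original post and is not oauth2-proxy, Traefik, Keycloak or Kubernetes code: a small Python diagnostic for the "authenticated but every list is empty" symptom. It models what the kube-apiserver's OIDC authenticator turns the id_token's `groups` claim into (including the `--oidc-groups-prefix` / `--oidc-username-prefix` flags, whose names are real but whose values here are hypothetical) and checks that identity against the subjects of a ClusterRoleBinding. The token, signing key, claims and binding are all constructed sample values; a real id_token is RS256-signed by Keycloak, and the HS256 signing here exists only so the example runs offline while still refusing to read claims from an unverified token.

```python
"""Constructed example: does the OIDC groups claim actually match the RBAC binding?

Models the kube-apiserver identity mapping (username claim, groups claim and the
optional prefixes) and reports which binding subjects match. Not project code.
"""
import base64
import hashlib
import hmac
import json

SAMPLE_KEY = b"constructed-demo-key"  # hypothetical HS256 key, sample token only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT purely so the example is self-contained."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verified_claims(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim; never decode-and-trust."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("id_token signature does not verify")
    return json.loads(b64url_decode(payload))


def apiserver_identity(claims: dict, groups_claim: str = "groups",
                       username_claim: str = "email", username_prefix: str = "",
                       groups_prefix: str = "") -> tuple[str, list[str]]:
    """Map claims to the user name and group names RBAC will evaluate.

    The real apiserver defaults the username prefix to "<issuer>#" whenever the
    username claim is not "email"; pass that explicitly here if you use "sub".
    """
    user = username_prefix + str(claims[username_claim])
    groups = [groups_prefix + g for g in claims.get(groups_claim, [])]
    return user, groups


def matching_subjects(user: str, groups: list[str], binding: dict) -> list[dict]:
    """Return the binding subjects that this identity satisfies."""
    hits = []
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == user:
            hits.append(subject)
        elif subject["kind"] == "Group" and subject["name"] in groups:
            hits.append(subject)
    return hits


def diagnose(token: str, key: bytes, binding: dict, **apiserver_flags) -> dict:
    """Verify the token, derive the apiserver identity and report matches."""
    claims = verified_claims(token, key)
    user, groups = apiserver_identity(claims, **apiserver_flags)
    hits = matching_subjects(user, groups, binding)
    return {"user": user, "groups": groups, "matched": [h["name"] for h in hits]}


# Constructed sample data: a Keycloak-style claim set and a view binding.
SAMPLE_CLAIMS = {
    "iss": "https://keycloakIdentity.company.com/realms/myrealm",
    "email": "alice@company.com",
    "groups": ["dashboard-viewers", "devs"],
}
SAMPLE_TOKEN = make_sample_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)
SAMPLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "view"},
    "subjects": [{"kind": "Group", "name": "dashboard-viewers"}],
}

if __name__ == "__main__":
    # Apiserver started without --oidc-groups-prefix: the group matches.
    print(diagnose(SAMPLE_TOKEN, SAMPLE_KEY, SAMPLE_BINDING))
    # Apiserver started with --oidc-groups-prefix=oidc: the binding now names
    # the wrong group, so RBAC denies everything although login succeeded.
    print(diagnose(SAMPLE_TOKEN, SAMPLE_KEY, SAMPLE_BINDING, groups_prefix="oidc:"))
```

The second case reproduces the symptom in the post: authentication succeeds, the token carries the group, but the binding's subject name does not equal the prefixed group name the apiserver evaluates. The equivalent check against a live cluster is `kubectl auth can-i --list --as=<user> --as-group=<group>` with exactly the names the apiserver would derive, and the apiserver's own audit log or `--v=4` authentication output shows the derived user and groups when the two disagree.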