Kubernetes dashboard, Oauth2 proxy and keycloak rbac not working


Hi, thank you for reading this post. I hope you guys can help. I have been configuring my k8s cluster to use RBAC, oauth2 proxy and Keycloak for authentication and authorization.

So here is what I have done so far.

I configured my release to integrate oauth2 proxy with the kubernetes dashboard; here is the configuration:

    args:
      - --http-address=0.0.0.0:4180
      - --https-address=0.0.0.0:4443
      - --metrics-address=0.0.0.0:44180
      - --provider=keycloak-oidc
      - --client-id=***
      - --client-secret=*****
      - --redirect-url=https://oauth2Proxy.company.com/oauth2/callback
      - --oidc-issuer-url=https://keycloakIdentity.company.com/realms/myrealm
      - --email-domain=*
      # forward the authenticated identity and tokens to whoever calls the proxy
      - --set-authorization-header=true
      - --set-xauthrequest=true
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --pass-user-headers=true
      - --pass-host-header=true
      - --skip-jwt-bearer-tokens=true
      - --show-debug-on-error=true
      - --silence-ping-logging=true
      - --cookie-secret=*****
      # values are left unquoted: quotes inside a YAML list item are passed to the process literally
      - --provider-display-name=Keycloak
      - --cookie-secure=false
      - --cookie-domain=.company.com
      - --whitelist-domain=.company.com
      - --cookie-samesite=lax
      - --session-store-type=redis
      # static upstream: answers 202 to the forwardAuth check when the session is valid
      - --upstream=static://202
      - --oidc-groups-claim=groups
      - --oidc-email-claim=email
      - --scope=openid email
      - --skip-provider-button=true
      - --insecure-oidc-allow-unverified-email=false
      - --insecure-oidc-skip-issuer-verification=true
      - --ssl-insecure-skip-verify=true
      - --ssl-upstream-insecure-skip-verify=true
      - --reverse-proxy=true
      - --force-https=false

Here is the config for the IngressRoute, because I'm using Traefik:

    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: oauth2-proxy
      namespace: oauth2-proxy
    spec:
      entryPoints:
        - websecure
      routes:
        - match: Host(`oauth2Proxy.company.com`)
          kind: Rule
          services:
            - name: oauth2-proxy
              port: 80
    #      middlewares:
    #        - name: auth-headers
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: wildcard-auth
      namespace: oauth2-proxy
    spec:
      entryPoints:
        - websecure
      routes:
        - match: Host(`*.company.com`) && PathPrefix(`/oauth2/`)
          kind: Rule
          services:
            - name: oauth2-proxy
              port: 80
    #      middlewares:
    #        - name: auth-headers
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: auth-headers
      namespace: oauth2-proxy
    spec:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: company.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: auth
      namespace: kubernetes-dashboard
    spec:
      forwardAuth:
        address: https://oauth2Proxy.company.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization

Till here everything looks good. If I go to the kubernetes dashboard URL I'm able to authenticate against the Keycloak instance and the callback returns me to the dashboard, but once inside I cannot see anything: pods, deployments, etc.


Here is the fun part: the config for the RBAC binding.


In this log I can see I was authenticated successfully and I have an id_token with the claim information related to the groups.


Here is the mapper in Keycloak.


I hope you guys can help. Thank you so much in advance. Regards

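An added diagnostic, not part of the original question, that a practitioner would run against a configuration like the one above: it audits an oauth2-proxy args list for flags that switch off verification, for YAML-quoted values and for duplicated flags, then decodes an ID token's payload to check that the claim named by `--oidc-groups-claim` is actually present. The args and the token below are constructed samples, and the token is decoded without any signature check, for inspection only.

```python
# Added example, not from the original post: audit an oauth2-proxy args list
# and check that an ID token carries the claim the proxy reads groups from.
import base64
import json
from collections import Counter

# Flag/value pairs that switch off a verification step (values as in the posted config).
RISKY = {
    "--cookie-secure": "false",
    "--insecure-oidc-skip-issuer-verification": "true",
    "--ssl-insecure-skip-verify": "true",
    "--ssl-upstream-insecure-skip-verify": "true",
}

def parse_args(args):
    """Split '--flag=value' items into (flag, value); bare flags get ''."""
    return [tuple(a.split("=", 1)) if "=" in a else (a, "") for a in args]

def audit_args(args):
    """Return human-readable findings for an oauth2-proxy args list."""
    pairs = parse_args(args)
    findings = []
    for flag, value in pairs:
        if RISKY.get(flag) == value:
            findings.append(f"{flag}={value} disables a verification step")
        if value[:1] in ('"', "'"):
            findings.append(f"{flag}: quotes inside a YAML list item reach the process")
    for flag, n in Counter(f for f, _ in pairs).items():
        if n > 1:
            findings.append(f"{flag} is given {n} times")
    return findings

def jwt_payload(token):
    """Decode a JWT's payload segment (no signature check: inspection only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def groups_from_token(args, token):
    """Return (claim name, groups) using --oidc-groups-claim, default 'groups'."""
    claim = dict(parse_args(args)).get("--oidc-groups-claim", "groups")
    groups = jwt_payload(token).get(claim, [])
    return claim, groups if isinstance(groups, list) else [groups]

# Constructed sample input (not the poster's real values); the token is unsigned.
SAMPLE_ARGS = ["--provider=keycloak-oidc", "--cookie-secure=false",
               "--insecure-oidc-skip-issuer-verification=true", '--upstream="static://202"',
               "--skip-jwt-bearer-tokens=true", "--skip-jwt-bearer-tokens=true"]
def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = f'{_b64({"alg": "none"})}.{_b64({"groups": ["dashboard-admins"]})}.x'
```

To use it on a live session, paste the args list from the pod spec and the id_token from the proxy's debug log in place of the samples; a missing or empty groups claim is the first thing to rule out before touching the RBAC binding.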