KubeAPI Dynamic OIDC, multi tenant IAM

cybercoder · July 28, 2023, 9:36am

K8S API supports single tenant OIDC e.g:

ExecStart=/usr/local/bin/k3s \
    server \
        '--write-kubeconfig-mode=0644' \
        '--flannel-backend=none' \
        '--disable-network-policy' \
        '--token=SECRET' \
        '--datastore-endpoint=postgres://postgres:postgres@mylabpg:5432/k3s' \
        '--kube-apiserver-arg' 'oidc-username-claim=email' \
        '--kube-apiserver-arg' 'oidc-groups-claim=groups' \
        '--kube-apiserver-arg' 'oidc-client-id=k3s' \
        '--kube-apiserver-arg' 'oidc-ca-file=/opt/keycloak/certs/rootCA.crt' \
        '--kube-apiserver-arg' 'oidc-issuer-url=https://mylabkeycloak:8011/realms/master'

currently, I can use the master realm (tenant) on my KeyCloak (the IAM), only.
But I need to use it in multi-tenat mode on-the-fly
If oidc-issuer-url be an optional parameter on API header, it can handle multi-tenant IAM. or there be a header variable to determine tenant name.
Isn’t there something to handle this?

Topic		Replies	Views
Initializing k8s with OIDC General Discussions oidc	1	2409	May 29, 2020
How to configure OIDC with mulitple ClientId & Secret? General Discussions authn	0	369	November 23, 2022
Kubernetes Using Keycloak OIDC Certification Questions Advisory General Discussions oidc	0	611	April 20, 2023
OpenID connect configuration with kubeadm? General Discussions	0	1911	October 12, 2019
Kubernetes and OIDC General Discussions oidc , authn , authz	2	2432	June 27, 2018

KubeAPI Dynamic OIDC, multi tenant IAM

Related topics