Managing Users via Keycloak

The company I work for is looking to implement an instance of Kubernetes and we are researching the best way forward. Ultimately this will be a bare metal install and air gapped from the internet and running on RedHat with all of the latest software as of the time of creation.
We are looking to hook Kubernetes into RH-SSO / keycloak which will be federated into our company's existing IPA services along with our existing PKI infrastructure.

What I am trying to get my head around is how to hook the Kubernetes RBAC into RH-SSO/keycloak.
I am pretty sure I understand RBAC from the Kubernetes side of things, i.e. the YAML files; what I haven't been able to get my head around, and haven't been able to find, is how to integrate RBAC into SSO by creating entities to manage access to resources on SSO. Ideally users will be authenticating via PKI but I cannot make any changes to the existing certificate structure. So users will be members of groups for each application.

  • How much of the YAML file can we manage via keycloak, or is it best to just manage users and leave resources and verbs to be defined in the YAML file?
  • Although it is not part of RBAC, can we manage applications via keycloak?
  • I feel I should be able to a group of users to use as a name - how is this then defined in the YAML file?
  • Do I add users to a group or a role on SSO?
  • When I create a group/application, how is this defined in keycloak?

Hopefully these thoughts have translated well on to paper.

What it boils down to is group membership that is passed to Kubernetes via the OIDC groups claim (passed to the API server by the --oidc-groups-claim flag). You can then create a [Cluster]RoleBinding that references those groups to attach an RBAC role to.

It’s a bit out of date at this point, but here is a blog post I wrote on it a few years ago:
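As an added illustration of the chain the answer above describes (API server flag, Keycloak groups claim, RoleBinding subject), here is example configuration that is not from the original thread or the referenced blog post; the issuer URL, client id, CA path, namespace and group name are assumed placeholders.

```yaml
# kube-apiserver flags (assumed values; the issuer is the RH-SSO/Keycloak realm).
# --oidc-issuer-url=https://sso.example.internal/auth/realms/kubernetes
# --oidc-client-id=kubernetes
# --oidc-ca-file=/etc/kubernetes/pki/internal-ca.pem   # internal PKI root so the API server trusts RH-SSO
# --oidc-username-claim=preferred_username
# --oidc-username-prefix=oidc:
# --oidc-groups-claim=groups    # claim written by Keycloak's "Group Membership" mapper on the client scope
# --oidc-groups-prefix=oidc:    # keeps SSO groups from colliding with built-ins such as system:masters
---
# Resources and verbs stay in YAML, as the answer suggests; Keycloak only supplies who is in which group.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: app-a
  name: app-a-developer
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "pods/log", "deployments"]
  verbs: ["get", "list", "watch"]
---
# The subject is the Keycloak group as it appears in the groups claim, with the prefix applied.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: app-a
  name: app-a-developers
subjects:
- kind: Group
  # Keycloak group "app-a-developers"; configure the Group Membership mapper with
  # "Full group path" disabled so the claim carries "app-a-developers", not "/app-a-developers".
  name: "oidc:app-a-developers"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-a-developer
  apiGroup: rbac.authorization.k8s.io
```

With this in place, a token for a member of that Keycloak group carries `"groups": ["app-a-developers"]`, the API server maps it to the group `oidc:app-a-developers`, and the RoleBinding grants read access in the `app-a` namespace; adding or removing users is then done in Keycloak (or the federated IPA groups) without touching the YAML.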

Sorry about the delay, this did help point me in the correct direction.
