Kubernetes OIDC: No valid group mapping

佐手, submitted on 2021-01-01 09:36:47

Question


I have the problem that I can log on to my dashboard via OIDC, but then the oidc group information is not mapped correctly and I cannot access the corresponding resources.

Basic setup

  • K8s version: 1.19.0
  • K8s setup: 1 master + 2 worker nodes
  • Based on Debian 10 VMs
  • CNI: Calico
  • Louketo Proxy as OIDC proxy
  • OIDC: Keycloak Server (Keycloak X [Quarkus])

Configurations

I have configured the K8s apiserver with these parameters.

kube-apiserver.yaml

- --oidc-issuer-url=https://test.test.com/auth/realms/Test
- --oidc-client-id=test
- --oidc-username-claim=preferred_username
- --oidc-username-prefix="oidc:"
- --oidc-groups-claim=groups
- --oidc-groups-prefix="oidc:"

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "test-cluster-admin"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "Test"

I used the following Louketo parameters.

Louketo Proxy

/usr/bin/louketo-proxy --discovery-url=$OIDC_DISCOVERY_URL --client-id=$OIDC_CLIENT_ID --client-secret=$OIDC_CLIENT_SECRET  -listen=$OIDC_LISTEN_URL --encryption-key=$OIDC_ENCRYPTION_KEY --redirection-url=$OIDC_REDIRECTION_KEY --enable-refresh-tokens=true --upstream-url=$OIDC_UPSTREAM_URL --enable-metrics

I get the following error message inside the dashboard (K8s error):

replicasets.apps is forbidden: User "\"oidc:\"<user_name>" cannot list resource "replicasets" in API group "apps" in the namespace "default"

I hope you can help me with this problem, I already tried most of the manuals from the internet, but haven't found a solution yet.

PS: I have done the corresponding group mapping in the Keycloak server and also validated that the group entry is transferred.


Answer 1:


This is a community wiki answer aimed to approach the issue from the Kubernetes side. Anyone familiar with the possible Keycloak group/role mapping solution, feel free to edit it.

The error you see means that the service account for OIDC doesn't have the proper privileges to list replicasets in the default namespace. The easiest way out of it would be to simply set up the ServiceAccount, ClusterRole and ClusterRoleBinding from scratch and make sure it has the proper privileges. For example, you can create a clusterrolebinding with permissions "admin" by executing:

kubectl create clusterrolebinding OIDCrolebinding --clusterrole=admin --group=system:serviceaccounts:OIDC

The same can be done for the ClusterRole:

kubectl create clusterrole OIDC --verb=get,list,watch --resource=replicasets --namespace=default

More examples of how to use the kubectl create in this scenario can be found here.

Here you can find a whole official guide regarding the RBAC Authorization.

EDIT:

Also, please check if your ClusterRoleBinding for the "\"oidc:\"<user_name>" is in the "default" namespace.




Answer 2:


If you are facing the same challenge as I did and you want to integrate Keycloak into your K8s cluster, share the dashboard and connect it to Keycloak, you can find my configuration below. Within my cluster I use the Louketo Proxy as interface between Kubernetes and Keycloak. The corresponding configuration of the deployment is not included in this post.

Keycloak

I want to start with the configuration of Keycloak. In the first step I created a corresponding client with the following settings.

After that I created the two mappers: group membership and audience (needed by the Louketo proxy).

The exact settings of the mappers can be taken from the two images.

Group membership mapping

Audience mapping

Kubernetes

In the second step I had to update the api server manifest and create the RoleBinding and ClusterRoleBinding within the Kubernetes cluster.

Api server manifest (default path: /etc/kubernetes/manifests/kube-apiserver.yaml)

- --oidc-issuer-url=https://test.test.com/auth/realms/Test
- --oidc-client-id=test
- --oidc-username-claim=preferred_username
- --oidc-username-prefix="oidc:"
- --oidc-groups-claim=groups
- --oidc-groups-prefix="oidc:"

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "test"
  namespace: "kubernetes-dashboard"
subjects:
- kind: User
  name: "\"oidc:\"Test"
  namespace: "kube-system"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "test"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "\"oidc:\"Test"

@Community I hope I can help you with this configuration. If you have any questions, feel free to ask me.
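The question's bindings and the working bindings in the answer above differ only in the subject names, and the error message in the question already shows why: in a static-pod manifest the list item `- --oidc-username-prefix="oidc:"` is a plain YAML scalar, so the kube-apiserver receives the quote characters as part of the prefix and derives the username `"oidc:"<user_name>` (and the group `"oidc:"Test`), which the subject `name: "Test"` never matches. The RBAC authorizer compares User and Group subjects on their name only (the `namespace:` field on the User subject above has no effect for that kind), so the prefixed string has to be reproduced character for character, and whoever controls membership of the Keycloak group `Test` effectively controls `cluster-admin` on the cluster. The checker below is an added example, not code from the question, the answers, Louketo or Keycloak: it parses the `--oidc-*` args from manifest lines, mirrors the apiserver's prefixing and audience check against a token's claims, and reports which binding subjects would actually match. It does not verify the token signature (the apiserver does that) and models only the explicit prefix flags, not the apiserver's `<issuer>#` default prefix; the manifest lines, the unsigned sample token and the subject lists are constructed from the values on this page.

```python
import base64
import json

# Added example (not from the Stack Overflow question or answers). Mirrors the
# kube-apiserver's OIDC username/group mapping so an RBAC subject-name mismatch
# can be spotted before a cluster-admin binding is applied. Inspection only:
# token signatures are NOT verified here; the apiserver does that.


def parse_oidc_flags(manifest_lines):
    """Extract --oidc-* args from kube-apiserver static-pod manifest lines.

    In a YAML list item such as `- --oidc-username-prefix="oidc:"` the quotes
    are part of the plain scalar, so they reach the apiserver literally and
    become part of the prefix. This function keeps them, like the apiserver.
    """
    flags = {}
    for line in manifest_lines:
        item = line.strip().lstrip("-").strip()  # drop the YAML list dash
        if not item.startswith("--oidc-"):
            continue
        key, _, value = item[2:].partition("=")
        flags[key] = value
    return flags


def decode_jwt_payload(token):
    """Decode a JWT payload segment (base64url without padding). No signature check."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def effective_identity(flags, claims):
    """Return (username, groups) as the apiserver would derive them.

    username = <username-prefix> + claims[<username-claim>]
    groups   = [<groups-prefix> + g for g in claims[<groups-claim>]]
    The audience must include --oidc-client-id or the token is rejected, which
    is why the answer's Keycloak "audience" mapper is needed.
    """
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if flags["oidc-client-id"] not in aud:
        raise ValueError("token audience does not include --oidc-client-id")
    username = flags.get("oidc-username-prefix", "") + claims[flags["oidc-username-claim"]]
    raw_groups = claims.get(flags.get("oidc-groups-claim", "groups"), [])
    if isinstance(raw_groups, str):  # the claim may be a single string
        raw_groups = [raw_groups]
    gprefix = flags.get("oidc-groups-prefix", "")
    return username, [gprefix + g for g in raw_groups]


def matching_subjects(subjects, username, groups):
    """Binding subjects (kind/name dicts) that match this identity: name only."""
    hits = []
    for s in subjects:
        if s["kind"] == "User" and s["name"] == username:
            hits.append(s)
        elif s["kind"] == "Group" and s["name"] in groups:
            hits.append(s)
    return hits


def check(manifest_lines, token, subjects):
    """Convenience wrapper: (username, groups, names of matching subjects)."""
    flags = parse_oidc_flags(manifest_lines)
    user, groups = effective_identity(flags, decode_jwt_payload(token))
    return user, groups, [s["name"] for s in matching_subjects(subjects, user, groups)]


# --- constructed sample data, copied from the values shown on this page -----
MANIFEST_ARGS = [
    '- --oidc-issuer-url=https://test.test.com/auth/realms/Test',
    '- --oidc-client-id=test',
    '- --oidc-username-claim=preferred_username',
    '- --oidc-username-prefix="oidc:"',
    '- --oidc-groups-claim=groups',
    '- --oidc-groups-prefix="oidc:"',
]


def make_unsigned_token(claims):
    """Constructed, UNSIGNED token for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + "."


SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://test.test.com/auth/realms/Test",
    "aud": "test",                   # set by the Keycloak audience mapper
    "preferred_username": "alice",   # constructed user name
    "groups": ["Test"],              # set by the group membership mapper
})

QUESTION_SUBJECTS = [{"kind": "Group", "name": "Test"}]          # never matches
ANSWER2_SUBJECTS = [{"kind": "Group", "name": '"oidc:"Test'}]    # matches

if __name__ == "__main__":
    for label, subs in (("question", QUESTION_SUBJECTS), ("answer 2", ANSWER2_SUBJECTS)):
        user, groups, hits = check(MANIFEST_ARGS, SAMPLE_TOKEN, subs)
        print(f"{label}: user={user!r} groups={groups!r} matching subjects={hits!r}")
```

Running it prints an empty match list for the question's binding and `['"oidc:"Test']` for the answer's, which is the whole difference between "forbidden" and `cluster-admin`. The cleaner fix on the cluster side is to drop the quotes from the manifest (`- --oidc-username-prefix=oidc:`) so the prefix is simply `oidc:`; the same checker then shows the plain `oidc:Test` subject matching. A non-empty prefix is worth keeping in either form, because it stops an identity provider from minting a `system:masters` group or a `system:`-named user that collides with built-in Kubernetes identities.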



Source: https://stackoverflow.com/questions/64677173/kubernetes-oidc-no-valid-group-mapping
