User management
Keycloak

Creating your own roles

- Create a role in Keycloak named (for example) oidc-mycompany-k8s-developers.
- Assign this role to your users or groups.
- Create a ClusterRole (for example) mycompany-k8s-developers:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mycompany-k8s-developers
rules:
  - apiGroups:
      - '*'
    resources:
      - pods
      - services
      - namespaces
      - deployments
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

- Deploy a ClusterRoleBinding:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-mycompany-k8s-developers
  # A ClusterRoleBinding is cluster-scoped: it has no namespace and grants the
  # ClusterRole in every namespace. To restrict a group to one namespace, use a
  # Role and RoleBinding as described in the next section.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mycompany-k8s-developers
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    # The 'oidcgroup:' prefix is the groups prefix configured on the API server
    name: 'oidcgroup:oidc-mycompany-k8s-developers'
```
Limit access to a single namespace

Create a new role in Keycloak.

Assign the role to a group (you can also assign it directly to a user).

Once done, you can add users to the group.

Now add the Role and RoleBinding. The Role is namespace-scoped, so these permissions apply only in that namespace.
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default # Namespace the Role applies to
  name: role-example
rules:
  - apiGroups: [""] # "" is the core API group, which contains pods
    resources: ["pods"] # Pods can be accessed.
    verbs: ["get", "list"] # Only the GET and LIST operations can be performed.
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: RoleBinding-example
  namespace: default # Must match the Role's namespace
roleRef:
  kind: Role
  name: role-example
  apiGroup: rbac.authorization.k8s.io
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: 'oidcgroup:oidc-mycompany-k8s-limited-developers'
```
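As an added example, not code from this page or from the project it documents: a small offline model of the two bindings on this page (the ClusterRoleBinding from the previous section and the RoleBinding above), with the manifests transcribed into Python and a can-i style check on top, which makes visible that one binding grants the group in every namespace while the other grants it only in default. It is a simplification of real RBAC (no resourceNames, nonResourceURLs or aggregated ClusterRoles) and assumes the API server's OIDC groups prefix is `oidcgroup:` as used on this page.

```python
# Offline model of the RBAC bindings on this page (example code, not the project's own).
# The manifests are transcribed from the page; the evaluator is a simplified Kubernetes
# RBAC (apiGroups/resources/verbs only, no resourceNames or nonResourceURLs).

CLUSTER_ROLES = {
    "mycompany-k8s-developers": [
        {"apiGroups": ["*"],
         "resources": ["pods", "services", "namespaces", "deployments", "jobs", "cronjobs"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}
ROLES = {  # keyed by (namespace, name): a Role only exists inside its namespace
    ("default", "role-example"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}
# (subject group, roleRef kind, roleRef name, binding namespace; None = ClusterRoleBinding)
BINDINGS = [
    ("oidcgroup:oidc-mycompany-k8s-developers", "ClusterRole", "mycompany-k8s-developers", None),
    ("oidcgroup:oidc-mycompany-k8s-limited-developers", "Role", "role-example", "default"),
]

def _rule_allows(rule, api_group, resource, verb):
    # '*' in any field matches everything, as in real RBAC rules
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def can_i(groups, verb, resource, namespace, api_group=""):
    """True if a binding for one of the caller's OIDC groups (as extracted from the
    token's groups claim, prefix included) grants verb on resource in namespace.
    api_group is "" for core resources such as pods; use "apps" for deployments."""
    for subject, kind, name, bind_ns in BINDINGS:
        if subject not in groups:
            continue
        # A RoleBinding applies only in its own namespace; a ClusterRoleBinding applies everywhere.
        if bind_ns is not None and bind_ns != namespace:
            continue
        if kind == "ClusterRole":
            rules = CLUSTER_ROLES.get(name, [])
        else:
            rules = ROLES.get((bind_ns, name), [])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

Against a live cluster, `kubectl auth can-i <verb> <resource> -n <namespace> --as=someone --as-group=oidcgroup:oidc-mycompany-k8s-limited-developers` asks the real API server the same question.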
Harbor

Harbor has its own login.