Inherrit user priviledges from Keycloak

[pirankashani]

Hello,
I want to use OIDC with Keycloak to do AAA for users. In this scenario I want to check the users' privileges and grant them access to Headlamp accordingly. It means I will have Admin, Editor(developer) or read-only users. How I can map these roles to the Headlamp?

[dosubot[bot]]

Hello @pirankashani! I'm here to help you with any bugs, questions, or contributions you have. Let's tackle this together!

Headlamp supports OIDC integration with Keycloak, allowing users to log in using their Keycloak credentials. However, the specific mapping of Keycloak roles to Kubernetes RBAC roles, which would determine user privileges in Headlamp, is not directly handled by Headlamp itself. Instead, this mapping is typically managed through Kubernetes RBAC configurations.

To achieve role mapping, you would need to:

1. Configure Keycloak: Ensure that your Keycloak setup includes roles that correspond to the desired access levels (e.g., Admin, Editor, Read-only).

2. Set Up Kubernetes RBAC: Define Kubernetes Role or ClusterRole and RoleBinding or ClusterRoleBinding that map these roles to the appropriate permissions within your Kubernetes cluster.

3. OIDC Claims: Use OIDC claims to pass the user's roles from Keycloak to Kubernetes. This might involve configuring Keycloak to include role information in the ID token or user info endpoint.

4. Kubernetes Authentication: Ensure that your Kubernetes API server is configured to accept OIDC tokens and map the claims to Kubernetes RBAC roles.

While Headlamp itself does not provide built-in support for customizing role-based access control, it relies on Kubernetes RBAC for authorization, so the role mapping needs to be configured at the Kubernetes level. Unfortunately, there is no specific documentation in Headlamp for extending or customizing role mapping functionality ^[1][2].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[knrt10]

Hey @pirankashani, some more context on this response.

Headlamp supports OIDC integration with Keycloak, allowing users to log in using their Keycloak credentials. However, the specific mapping of Keycloak roles to Kubernetes RBAC roles, which would determine user privileges in Headlamp, is not directly handled by Headlamp itself. Instead, this mapping is typically managed through Kubernetes RBAC configurations.

To achieve role mapping, you would need to:

1. Configure Keycloak:

   • Set up roles in Keycloak (Admin, Editor, Read-only)
   • Configure the OIDC client to include role information in tokens
   • Ensure roles are included in either the ID token or access token claims

2. Set Up Kubernetes RBAC:

   • Create ClusterRoles or Roles that define the permissions for each access level:

     # Example ClusterRole for read-only access
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       name: headlamp-readonly
     rules:
     - apiGroups: ["*"]
       resources: ["*"]
       verbs: ["get", "list", "watch"]

   • Create ClusterRoleBindings or RoleBindings to map Keycloak groups/roles:

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: headlamp-readonly-binding
     subjects:
     - kind: Group
       name: readonly-users  # This should match the group claim from Keycloak
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: ClusterRole
       name: headlamp-readonly
       apiGroup: rbac.authorization.k8s.io

3. Configure Kubernetes API Server:

   • Set up the following flags in your API server configuration:

     --oidc-issuer-url=<keycloak-url>/realms/<realm>
     --oidc-client-id=<client-id>
     --oidc-username-claim=preferred_username
     --oidc-groups-claim=groups  # Specify which claim contains the roles/groups
     

4. Verify Configuration:

   • Test authentication by logging into Headlamp with Keycloak credentials
   • Verify that users can only access resources according to their RBAC permissions
   • Use kubectl auth can-i commands to test permissions for different users

Headlamp will respect these RBAC configurations and automatically limit user access based on the permissions granted through the role bindings. The UI will adapt to show only the resources and actions that the authenticated user has permission to access.