
Setup of keycloak

Using Keycloak (KC) as the OIDC provider for k8s kubectl.

Add a new client with clientId `k8s` in KC. Add the following flags to /etc/kubernetes/manifests/kube-apiserver.yaml:

    - --oidc-issuer-url=https://l.{DOMAIN}/realms/home
    - --oidc-client-id=k8s
    - --oidc-username-claim=email
    - "--oidc-username-prefix=oidc:"
    - --oidc-groups-claim=groups
    - "--oidc-groups-prefix=oidc:"

Add an RBAC entry for the admin group (oidc-admin-role) or for a specific NS in /ns-roles.

Configure kubectl:

    - name: oidc
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=https://l.{DOMAIN}/realms/home
          - --oidc-client-id=k8s
          - --oidc-client-secret=secret-from-oidc
          command: kubectl
          env:
          provideClusterInfo: false
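The two prefix flags on the apiserver decide which subject names your RBAC bindings must reference: the `email` claim becomes user `oidc:<email>` and each entry of the `groups` claim becomes group `oidc:<group>`. The following added example (not from this page or from Keycloak) applies that mapping to constructed ID-token claims so you can check a binding subject before applying it; the issuer domain, e-mail and group names are constructed, and a group of the form `/admin` models Keycloak's Group Membership mapper with "Full group path" enabled.

```python
import base64
import json

# The kube-apiserver flags from this page, as a config dict.
APISERVER_OIDC = {
    "username_claim": "email",
    "username_prefix": "oidc:",
    "groups_claim": "groups",
    "groups_prefix": "oidc:",
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding (JWT style)."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here;
    kube-apiserver does that against the issuer's JWKS before mapping claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[1]))

def k8s_subject(claims: dict, cfg: dict = APISERVER_OIDC) -> dict:
    """Map ID-token claims to the user and groups RBAC will see."""
    username = claims.get(cfg["username_claim"])
    if not username:
        raise ValueError(f"token has no '{cfg['username_claim']}' claim")
    raw_groups = claims.get(cfg["groups_claim"], [])
    if isinstance(raw_groups, str):   # a single group may arrive as a string
        raw_groups = [raw_groups]
    return {
        "user": cfg["username_prefix"] + username,
        "groups": [cfg["groups_prefix"] + g for g in raw_groups],
    }

def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string from constructed claims (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed claims resembling a Keycloak ID token from realm "home".
SAMPLE_CLAIMS = {
    "iss": "https://l.example.test/realms/home",   # constructed issuer
    "aud": "k8s",
    "email": "alice@example.test",
    "groups": ["/admin", "dev"],   # "/admin": full group path left on in Keycloak
}

if __name__ == "__main__":
    print(k8s_subject(id_token_claims(make_token(SAMPLE_CLAIMS))))
```

If the output shows `oidc:/admin` rather than `oidc:admin`, the binding subject must carry the slash too, or the Keycloak mapper's full-path option must be turned off.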

[VIP]: Virtual IP (used for high-availability control planes)
[HA]: High Availability (often redundant hardware/software)
[PVC]: k8s resource - Persistent Volume Claim
[PV]: k8s resource - Persistent Volume
[CNI]: k8s networking - Container Network Interface
[k8s]: Shortening of Kubernetes
[CRD]: Custom Resource Definitions
[S3]: Simple Storage Service
[NFS]: Network File System
[DR]: Disaster Recovery