Role bindings not working for groups #2027

Answered by nabokihms

atorrescogollo asked this question in Q&A
I am using Gangway+Dex+ActiveDirectory for authentication. I am able to use role bindings for users but not for groups. Config:

```yaml
...
    - --oidc-issuer-url=https://auth.k8s1.domain.es/
    - --oidc-ca-file=/usr/local/share/ca-certificates/oidc-ca.crt
    - --oidc-client-id=oidc-auth-client
    - --oidc-username-claim=name
    - '--oidc-username-prefix=AD:'
    - --oidc-groups-claim=name
    - '--oidc-groups-prefix=AD:'
    image: k8s.gcr.io/kube-apiserver:v1.19.0
...
```

```yaml
apiVersion: v1
data:
  config.yaml: |
    issuer: https://auth.k8s1.domain.es/
    ...
    staticClients:
    - id: oidc-auth-client
      redirectURIs:
      - 'https://kubectl.k8s1.domain.es/callback'
      name: 'oidc-auth-client'
      secret: 5ef...
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: "dc01.domain.es:636"
        use_tls: True
        insecureNoSSL: False
        insecureSkipVerify: False
        rootCA: /etc/dex/cfg/connector_ldap_ca.crt
        bindDN: "cn=Administrator,cn=Users,dc=ad,dc=domain,dc=es"
        bindPW: "password"
        userSearch:
          baseDN: "DC=ad,DC=domain,DC=es"
          filter: "(objectClass=user)"
          username: sAMAccountName
          idAttr: DN
          emailAttr: mail
          nameAttr: sAMAccountName
        groupSearch:
          baseDN: "DC=ad,DC=domain,DC=es"
          filter: "(objectClass=group)"
          userAttr: DN
          groupAttr: member
          nameAttr: name
```

```json
{
  "iss": "https://auth.k8s1.domain.es/",
  "sub": "Ci5D...",
  "aud": "oidc-auth-client",
  "exp": 1614810594,
  "iat": 1614724194,
  "at_hash": "uFKL...",
  "email": "[email protected]",
  "email_verified": true,
  "groups": [
    "admins-k8s1"
  ],
  "name": "admin1"
}
```

Behaviour

Now, I create the following ClusterRoleBinding so I can get nodes with the admin1 user:

```yaml
# kubectl get clusterrolebindings admin1-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin1-admin
  ...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: AD:admin1
```

On the other hand, if I edit the manifest like I attach below, I cannot get nodes:

```yaml
# kubectl get clusterrolebindings admin1-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin1-admin
  ...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: AD:admins-k8s1
```
Answered by nabokihms on Mar 3, 2021
Replies: 1 comment, 1 reply

nabokihms (Mar 3, 2021):

Hello! I assume that you need to change the kube-apiserver flag

--oidc-groups-claim=name

to

--oidc-groups-claim=groups

to make it work.

Answer selected by nabokihms
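The answer hinges on which claim the apiserver reads for groups. As an added example (not code from the discussion, from Dex or from Kubernetes), the Python model below mimics the apiserver's claim-to-identity mapping and RBAC subject matching for the ID token and the two ClusterRoleBindings quoted in the question, running the flags as posted (`--oidc-groups-claim=name`) beside the flags with the answer's fix (`--oidc-groups-claim=groups`). The helper names (`OIDCFlags`, `map_claims`, `binding_grants`, `evaluate`) are this example's own, and the token payload is copied from the question with its long values left shortened as they appear there.

```python
"""Model of how kube-apiserver turns OIDC ID-token claims into a Kubernetes
identity (user + groups) and how RBAC matches that identity against the
subjects of a binding.

Added example; not code from Dex, Kubernetes or the discussion author.
The mapping follows the documented --oidc-username-claim/--oidc-username-prefix
and --oidc-groups-claim/--oidc-groups-prefix flags: the groups claim may be a
string or a list of strings, and every group gets the prefix. The apiserver's
default-prefix behaviour when no prefix flag is given is not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ID token payload as quoted in the question (long values shortened there).
ID_TOKEN_CLAIMS: Dict[str, object] = {
    "iss": "https://auth.k8s1.domain.es/",
    "sub": "Ci5D...",
    "aud": "oidc-auth-client",
    "email": "[email protected]",
    "email_verified": True,
    "groups": ["admins-k8s1"],
    "name": "admin1",
}

# The subject lists of the two ClusterRoleBindings from the question.
USER_BINDING = {"subjects": [{"kind": "User", "name": "AD:admin1"}]}
GROUP_BINDING = {"subjects": [{"kind": "Group", "name": "AD:admins-k8s1"}]}


@dataclass
class OIDCFlags:
    """The four kube-apiserver flags that decide the identity mapping."""
    username_claim: str
    username_prefix: str
    groups_claim: Optional[str]
    groups_prefix: str


@dataclass
class Identity:
    user: str
    groups: List[str] = field(default_factory=list)


def map_claims(claims: Dict[str, object], flags: OIDCFlags) -> Identity:
    """Pick the username claim, then the groups claim, applying both prefixes."""
    if flags.username_claim not in claims:
        raise ValueError(f"username claim {flags.username_claim!r} missing from token")
    user = flags.username_prefix + str(claims[flags.username_claim])

    groups: List[str] = []
    if flags.groups_claim:
        raw = claims.get(flags.groups_claim)
        if raw is None:
            raw = []  # claim absent: the user simply has no OIDC groups
        elif isinstance(raw, str):
            raw = [raw]  # a single string claim counts as one group
        elif not (isinstance(raw, list) and all(isinstance(g, str) for g in raw)):
            raise ValueError(
                f"groups claim {flags.groups_claim!r} must be a string or list of strings"
            )
        groups = [flags.groups_prefix + g for g in raw]
    return Identity(user=user, groups=groups)


def subject_matches(subject: Dict[str, str], ident: Identity) -> bool:
    """RBAC subject matching: kind User compares the name, kind Group checks membership."""
    if subject["kind"] == "User":
        return subject["name"] == ident.user
    if subject["kind"] == "Group":
        return subject["name"] in ident.groups
    return False  # ServiceAccount subjects are out of scope for an OIDC identity


def binding_grants(binding: Dict[str, list], ident: Identity) -> bool:
    """True when any subject of the binding matches the identity."""
    return any(subject_matches(s, ident) for s in binding["subjects"])


# Flags as posted in the question versus flags with the answer's fix applied.
FLAGS_AS_POSTED = OIDCFlags("name", "AD:", "name", "AD:")
FLAGS_FIXED = OIDCFlags("name", "AD:", "groups", "AD:")


def evaluate(flags: OIDCFlags) -> Dict[str, object]:
    """Return the mapped identity and whether each binding grants access under flags."""
    ident = map_claims(ID_TOKEN_CLAIMS, flags)
    return {
        "user": ident.user,
        "groups": ident.groups,
        "user_binding_grants": binding_grants(USER_BINDING, ident),
        "group_binding_grants": binding_grants(GROUP_BINDING, ident),
    }


if __name__ == "__main__":
    for label, flags in (("as posted", FLAGS_AS_POSTED), ("fixed", FLAGS_FIXED)):
        print(f"--oidc-groups-claim={flags.groups_claim} ({label}): {evaluate(flags)}")
```

With the flags as posted, the apiserver reads the `name` claim for groups, so the only group it derives is `AD:admin1`; the User binding still matches because the username claim is also `name`, but `AD:admins-k8s1` never appears in the identity and the Group binding cannot match. Pointing `--oidc-groups-claim` at `groups` yields `AD:admins-k8s1`, which is exactly the subject of the second binding.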