
I am currently trying to get the api server to connect to my keycloak.

When I use the oidc information from the user, everything works, but the groups seem to be ignored. The apiserver is running with the parameters

     --oidc-ca-file=/etc/kubernetes/ssl/ca.pem
     --oidc-client-id=kubernetes
     --oidc-groups-claim=groups
     --oidc-groups-prefix=oidc:
     --oidc-issuer-url=https://keycloak.example.com/auth/realms/master
     --oidc-username-claim=preferred_username
     --oidc-username-prefix=oidc:

I added a ClusterRole and ClusterRoleBinding

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: developer-role
    rules:
      - apiGroups: [""]
        resources: ["namespaces","pods"]
        verbs: ["get", "watch", "list"]

    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: developer-crb
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: developer-role
    subjects:
    - kind: User
      name: "oidc:myuser"
      apiGroup: rbac.authorization.k8s.io

For my user "myuser", everything works.

But when I change the ClusterRoleBinding to a Group subject

    ....
    subjects:
    - kind: User
      name: "oidc:group1"
      apiGroup: rbac.authorization.k8s.io
    ...

I get Forbidden.

I tried debugging the jwt token, and the group seems to be included:

    {
    ...
      "groups": [
        "group1",
        "group2",
        "group3"
      ],
    ...
    }

Any idea why my groups are ignored / my ClusterRoleBinding does not work?


1 Answer

    ....
    subjects:
    - kind: User
      name: "oidc:group1"
      apiGroup: rbac.authorization.k8s.io
    ...

should be:

    ....
    subjects:
    - kind: Group
      name: "oidc:group1"
      apiGroup: rbac.authorization.k8s.io
    ...
answered 2019-07-04T16:46:31.303
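To see why the `kind: User` binding never matches, the following added example (not from the question or the answer) mirrors how the apiserver maps the token's claims to RBAC names under the question's `--oidc-username-prefix`/`--oidc-groups-prefix` flags and then evaluates a binding's subjects against that identity. The token is a constructed sample with a dummy signature; signature and issuer checks are deliberately outside its scope.

```python
import base64
import json

# Flag values taken from the question's apiserver command line.
USERNAME_CLAIM, USERNAME_PREFIX = "preferred_username", "oidc:"
GROUPS_CLAIM, GROUPS_PREFIX = "groups", "oidc:"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def identity_from_token(id_token: str) -> tuple[str, list[str]]:
    """Return (user, groups) exactly as RBAC will see them: claim values
    with the configured prefixes applied. No signature verification here;
    the apiserver does that before it ever reaches this mapping."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    user = USERNAME_PREFIX + payload[USERNAME_CLAIM]
    groups = [GROUPS_PREFIX + g for g in payload.get(GROUPS_CLAIM, [])]
    return user, groups


def binding_matches(subjects: list[dict], user: str, groups: list[str]) -> bool:
    """True if any subject of a (Cluster)RoleBinding selects this identity.
    A User subject is compared with the user name only; a Group subject is
    compared with the group list only, so a group name under kind: User
    can never match."""
    for s in subjects:
        if s["kind"] == "User" and s["name"] == user:
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed ID token with the claims shown in the question; "sig" is a dummy.
_payload = {"preferred_username": "myuser", "groups": ["group1", "group2", "group3"]}
SAMPLE_TOKEN = ".".join(
    [_b64url(b'{"alg":"RS256"}'), _b64url(json.dumps(_payload).encode()), "sig"])

# The two subject lists from the answer: the wrong one and the corrected one.
WRONG_SUBJECTS = [{"kind": "User", "name": "oidc:group1", "apiGroup": "rbac.authorization.k8s.io"}]
RIGHT_SUBJECTS = [{"kind": "Group", "name": "oidc:group1", "apiGroup": "rbac.authorization.k8s.io"}]

if __name__ == "__main__":
    user, groups = identity_from_token(SAMPLE_TOKEN)
    print(user, groups)
    print("kind: User  ->", binding_matches(WRONG_SUBJECTS, user, groups))
    print("kind: Group ->", binding_matches(RIGHT_SUBJECTS, user, groups))
```

On a live cluster the same question is answered by `kubectl auth can-i list pods --as=oidc:myuser --as-group=oidc:group1`, which lets you test the binding without a Keycloak login.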