Using Groups for users with Dex instead of binding roles directly to users

[vojtechmares]

Hi, at Notino, we are trying out Headlamp. We got the integration with Dex (which is using Azure AD as backend) working. But after logging in, the UI is not showing anything and we are getting the permission denied error.

We are using Kubernetes Groups to bind roles and cluster roles to, not directly to users. And we also use Dex to authenticate to Kubernetes when using kubectl via oidc-login plugin.

I did not find anything in documentation about binding roles/clusterroles to groups. Am I missing something or is it not possible in a setup like this?

Thanks!

[dosubot[bot]]

Hello @vojtechmares! I'm here to help you with any bugs, questions, or to guide you on becoming a contributor. Let's tackle this issue together!

Headlamp does support role and cluster role bindings to Kubernetes Groups. You can configure a ClusterRoleBinding to bind a ClusterRole to a Kubernetes Group. Here's an example configuration:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-readonly-binding
subjects:
- kind: Group
  name: readonly-users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: headlamp-readonly
  apiGroup: rbac.authorization.k8s.io

This example shows a ClusterRoleBinding for a group named readonly-users, indicating support for Kubernetes Groups. When using OIDC authentication, you can map roles from an identity provider like Dex to Kubernetes RBAC, allowing Headlamp to respect these configurations and manage user access accordingly ^[1].

If you're experiencing permission issues, ensure that the group names in your RBAC configuration match those provided by Dex and Azure AD. Additionally, verify that the roles and permissions are correctly set up in your Kubernetes cluster.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}