Configuring Kanidm as an OAuth provider for cluster identity.
Todo:
- Investigate additional properties for use in ABAC.
- Look at mapping additional roles to groups to see if we can stack permissions. Able to bind multiple roles based on groups; haven't investigated if permissions stack though.
- Should fix or allow adding Prometheus target. Anonymous auth now working for /healthz, /livez, /readyz, and /metrics.
Note: maybe instead of extra scopes we do --oidc-use-access-token; see issue.
CEL playground input:
claims:
  email: foo@richtman.au
  preferred_username: foo@id.richtman.au
  email_verified: true
  groups:
    - "idm_admins@id.richtman.au"
    - "idm_unix_admins@id.richtman.au"
    - "idm_oauth2_admins@id.richtman.au"
    - "idm_radius_service_admins@id.richtman.au"
    - "idm_account_policy_admins@id.richtman.au"
    - "idm_people_admins@id.richtman.au"
    - "idm_service_account_admins@id.richtman.au"
    - "idm_application_admins@id.richtman.au"
    - "idm_mail_service_admins@id.richtman.au"
    - "idm_group_admins@id.richtman.au"
    - "idm_all_persons@id.richtman.au"
    - "idm_all_accounts@id.richtman.au"
    - "idm_high_privilege@id.richtman.au"
    - "idm_people_self_name_write@id.richtman.au"
    - "idm_client_certificate_admins@id.richtman.au"
    - "ext_idm_provisioned_entities@id.richtman.au"
    - "grafana_superadmins@id.richtman.au"
    - "grafana_admins@id.richtman.au"
    - "grafana_editors@id.richtman.au"
    - "grafana_users@id.richtman.au"
    - "k8s_users@id.richtman.au"
    - "k8s_admins@id.richtman.au"
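The following is an added worked example, not configuration from this repository, showing how the claims above feed a kube-apiserver structured AuthenticationConfiguration and how the mapped groups are then bound to roles. It covers the todo items above: the `extra` mapping carries an additional claim (email) into user info for ABAC-style decisions, the two ClusterRoleBindings show a user in both `k8s_users` and `k8s_admins` receiving both roles (Kubernetes RBAC is purely additive, so the rules are unioned), and the `anonymous` section allows unauthenticated access only to /healthz, /livez, /readyz and /metrics. Assumptions: the Kanidm OAuth2 client is named `kubernetes` (so the issuer URL is `https://id.richtman.au/oauth2/openid/kubernetes`), the `apiserver.config.k8s.io/v1beta1` API (kube-apiserver 1.30 to 1.33; newer releases accept `v1`), and the `AnonymousAuthConfigurableEndpoints` feature gate for the `anonymous` block. The CEL expressions can be pasted into the CEL playground against the claims above.

```yaml
# --- File 1: passed to kube-apiserver via --authentication-config (replaces the --oidc-* and --anonymous-auth flags) ---
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    # Assumption: Kanidm client named "kubernetes"; Kanidm issues tokens from <domain>/oauth2/openid/<client>
    url: https://id.richtman.au/oauth2/openid/kubernetes
    audiences:
    - kubernetes   # assumption: must equal the Kanidm OAuth2 client name (the token's "aud")
  claimValidationRules:
  # Reject tokens whose email is not verified; has() guards against the claim being absent.
  - expression: "has(claims.email_verified) && claims.email_verified == true"
    message: "email must be verified"
  claimMappings:
    username:
      # From the playground claims this yields "foo@id.richtman.au".
      expression: "claims.preferred_username"
    groups:
      # Keep only Kanidm groups prefixed k8s_ and strip the @id.richtman.au suffix, so the
      # grafana_* and idm_* groups never reach the API server. Without the has() guard a token
      # with no groups claim would fail authentication instead of getting an empty list.
      # Playground result: ["k8s_users", "k8s_admins"]
      expression: >-
        has(claims.groups)
          ? claims.groups.filter(g, g.startsWith('k8s_')).map(g, g.split('@')[0])
          : []
    extra:
    # Additional claim surfaced as user.Info extra (key must be domain-qualified);
    # visible to webhook/ABAC authorizers and to `kubectl auth whoami`.
    - key: "richtman.au/email"
      valueExpression: "claims.email"
  userValidationRules:
  # Defence in depth: an IdP-issued identity must never land in the system: namespace.
  - expression: "!user.username.startsWith('system:')"
    message: "username must not start with 'system:'"
  - expression: "!user.groups.exists(g, g.startsWith('system:'))"
    message: "groups must not start with 'system:'"
anonymous:
  # Anonymous requests are allowed only on these paths; everything else requires a valid identity.
  enabled: true
  conditions:
  - path: /healthz
  - path: /livez
  - path: /readyz
  - path: /metrics   # lets a Prometheus target scrape without a token (assumption: acceptable for this cluster)
---
# --- File 2: applied with kubectl; binds the mapped groups to roles ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-k8s-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k8s_admins
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-k8s-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k8s_users
```

For the playground claims above, the user authenticates as `foo@id.richtman.au` with groups `k8s_users` and `k8s_admins`, so both bindings match and the effective permissions are the union (here, `cluster-admin` subsumes `view`); `kubectl auth whoami` shows the resulting username, groups and the `richtman.au/email` extra. The `/metrics` path in the anonymous conditions also needs an authorization rule (for example a ClusterRoleBinding of `system:anonymous` to a role granting `get` on the `/metrics` non-resource URL) before a scraper gets a 200 rather than a 403. If other authenticators (client certificates, other issuers) share this cluster, prepend a prefix such as `oidc:` in the username and groups expressions and in the bindings so identities from different sources cannot collide.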