🙏 K8s-Dashboard OIDC authentication works, but Dashboard ignores user / group RBAC

[bhagatdharmendra]

Description

I’ve secured Kubernetes Dashboard using Keycloak (OIDC) via oauth-proxy.
Authentication works perfectly — users log in via Keycloak and the Dashboard UI opens.

However, authorization is not applied per user or per group.

Even when:

1. OIDC tokens include groups (e.g. k8s-admins, k8s-viewers)
2. Proper ClusterRoleBinding is created using kind: Group

Dashboard always uses its own ServiceAccount to access the Kubernetes API, so all users get the same permissions.

This makes it impossible to provide:

1. Read-only access for some users
2. Admin access for others
3. based on OIDC groups.

Expected behavior

When OIDC is enabled, it would be great if:

Dashboard could forward the user’s OIDC identity (user / groups)

Kubernetes RBAC could be evaluated per user, similar to kubectl, ArgoCD, or Rancher

Why this matters

In real environments, access is usually managed via:

1. Central IdP (Keycloak, Azure AD, etc.)
2. Group-based RBAC

Right now, the only options are:

1. Over-privileged ServiceAccounts
2. Multiple Dashboard deployments

Or not using Dashboard at all

Just wanted to share this limitation and check if there’s any roadmap or recommended approach.
Thanks for reading 🙏