Using Groups for users with Dex instead of binding roles directly to users

[vojtechmares]

Hi, at Notino, we are trying out Headlamp. We got the integration with Dex (which is using Azure AD as backend) working. But after logging in, the UI is not showing anything and we are getting the permission denied error.

We are using Kubernetes Groups to bind roles and cluster roles to, not directly to users. And we also use Dex to authenticate to Kubernetes when using kubectl via oidc-login plugin.

I did not find anything in documentation about binding roles/clusterroles to groups. Am I missing something or is it not possible in a setup like this?

Thanks!

[dosubot[bot]]

Hello @vojtechmares! I'm here to help you with any bugs, questions, or to guide you on becoming a contributor. Let's tackle this issue together!

Headlamp does support role and cluster role bindings to Kubernetes Groups. You can configure a ClusterRoleBinding to bind a ClusterRole to a Kubernetes Group. Here's an example configuration:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-readonly-binding
subjects:
- kind: Group
  name: readonly-users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: headlamp-readonly
  apiGroup: rbac.authorization.k8s.io

This example shows a ClusterRoleBinding for a group named readonly-users, indicating support for Kubernetes Groups. When using OIDC authentication, you can map roles from an identity provider like Dex to Kubernetes RBAC, allowing Headlamp to respect these configurations and manage user access accordingly ^[1].

If you're experiencing permission issues, ensure that the group names in your RBAC configuration match those provided by Dex and Azure AD. Additionally, verify that the roles and permissions are correctly set up in your Kubernetes cluster.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[vyncent-t]

Apologies for missing this, we have had similar issues reported in our Slack, were you able to find a solution for this?

[vojtechmares]

Hi @vyncent-t, unfortunately I was unable to find a solution, even after spending an extensive amount of time on this issue.

Since then, we've abandoned the idea of Headlamp.

[vyncent-t]

Hi @vojtechmares thanks for replying, I'm sorry to hear that this wasn't easily fixed, I'm sure it was frustrating. If possible, I would like to make good on your efforts here and would greatly appreciate any additional information you can share with me about some of the things you've tired. I know that there has been some fixes for other ODIC issues handled by @ashu8912 recently and I'm sure he would be also be interested in taking a look here.