Kiali supports several authentication mechanisms. In this post we will set up Kiali with the OpenID authentication strategy, using Keycloak as the authentication provider. Keycloak will be configured to expose its groups in the ID token, so that Kubernetes RBAC can authorize users by group membership.
Kiali does not perform the authorization itself. With the OpenID strategy, Kiali forwards the user's ID token, issued by the authentication provider, to the Kubernetes API server as a bearer token, and the API server authorizes every request it makes on the user's behalf. The ID token is a JWT (JSON Web Token) whose payload carries the user identity as a set of properties known as claims.
The API server's OIDC authenticator validates the token (signature, issuer, audience, expiry) and then maps claims to the identity that RBAC evaluates: the username claim (configured with --oidc-username-claim, sub by default) and the groups claim (configured with --oidc-groups-claim). A RoleBinding can name that group as a Group subject, so every member of the Keycloak group receives the bound permissions without a per-user binding.
The authentication provider therefore has to be configured to emit the groups claim in the ID token itself (not only in the access token or the userinfo response), under the same claim name the API server was started with, for example --oidc-groups-claim=groups.
Note: This post assumes that a realm and a client are already properly configured.
We will define a new client scope, named groups, that carries the groups claim.
The Client scope will include the following details:
Inside this scope we will add a new mapper of type Group Membership, with Token Claim Name set to groups. Two of its settings matter here: Add to ID token must stay enabled, because it is the ID token, not the access token, that Kiali hands to Kubernetes; and Full group path, which is usually on by default, prefixes each group with its path (/developers instead of developers), so either turn it off or use exactly the prefixed value later in the RoleBinding:
Next, the groups client scope is attached to the client used by Kiali. Go to the Clients menu, open the client, switch to the Client Scopes tab and add the groups client scope. Add it as a Default scope so it is included in every token issued to that client; if it is added as Optional, Kiali has to request it explicitly through the scopes setting of its openid auth configuration, otherwise the claim will be silently absent:
We have the user Kiali added to the default group. Let's now create a Role and a RoleBinding that grant that group access to the bookinfo namespace:
https://raw.githubusercontent.com/josunect/yamls/main/roleBookinfo.yaml
Bind the Role to the group with a RoleBinding whose subject is of kind Group and whose name matches the value carried in the groups claim:
https://raw.githubusercontent.com/josunect/yamls/main/roleBindingBookinfoGroup.yaml
After this change, the user Kiali should be able to log in and see only the bookinfo namespace. If the namespace does not appear, check the two usual causes first: the groups claim is missing from the ID token (scope not attached to the client, or the mapper not adding it to the ID token), or the group name in the RoleBinding does not match the claim value exactly (a leading slash from Full group path is the common culprit). The RBAC side can be tested on its own with kubectl auth can-i get pods -n bookinfo --as <username> --as-group <group>, which impersonates the identity the API server would derive from the token:
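As an added example (not the post's own YAML files and not Kiali or Keycloak project code), the script below renders the Role and RoleBinding for a Keycloak group and adds an offline check for the part that usually goes wrong: whether the groups claim really is in the ID token, and whether its value matches the bound group. The group name bookinfo-viewers, the namespace bookinfo and the sample tokens are assumptions constructed for the example; the token check decodes claims only and does no signature verification, since that is the API server's job.

```shell
#!/bin/sh
# Added example for this post (not the post's YAML, not Kiali/Keycloak code).
# Assumed, hypothetical names: Keycloak group "bookinfo-viewers", namespace
# "bookinfo", and an API server started with --oidc-groups-claim=groups.
set -eu

GROUP_NAME="${GROUP_NAME:-bookinfo-viewers}"
NAMESPACE="${NAMESPACE:-bookinfo}"

# Namespaced read-only Role plus a RoleBinding whose subject is the Keycloak group.
# Kubernetes compares the Group subject name with the groups claim value as a
# plain string, so it must match exactly (including any leading "/" that the
# mapper's "Full group path" setting adds).
render_rbac() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kiali-viewer
  namespace: ${NAMESPACE}
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.istio.io", "security.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kiali-viewer-group
  namespace: ${NAMESPACE}
subjects:
  - kind: Group
    name: "${GROUP_NAME}"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: kiali-viewer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Base64url-decode one JWT segment. No signature check: this only inspects the
# claims; the API server verifies the signature against Keycloak's JWKS.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the groups claim of an ID token, one group per line (empty if absent).
id_token_groups() {
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")
  printf '%s' "$payload" | grep -o '"groups": *\[[^]]*\]' \
    | grep -o '"[^"]*"' | tail -n +2 | tr -d '"'
}

# Return 0 when EXPECTED is in the token's groups claim; otherwise say which
# misconfiguration usually causes the mismatch.
check_group() {
  token="$1"; expected="$2"
  groups=$(id_token_groups "$token" || true)
  if [ -z "$groups" ]; then
    echo "no groups claim in the ID token: enable 'Add to ID token' on the mapper and attach the groups scope to the Kiali client" >&2
    return 1
  fi
  if printf '%s\n' "$groups" | grep -qx -- "$expected"; then
    return 0
  fi
  if printf '%s\n' "$groups" | grep -qx -- "/$expected"; then
    echo "group arrives as '/$expected': turn off 'Full group path' on the mapper, or bind the Group subject '/$expected'" >&2
    return 2
  fi
  echo "groups claim present but '$expected' is not in it: $(printf '%s' "$groups" | tr '\n' ' ')" >&2
  return 3
}

# Build an unsigned sample token (constructed for the offline check only).
make_sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '+/' '-_')
  body=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_')
  printf '%s.%s.%s' "$hdr" "$body" "signature-not-checked"
}
```

Typical use: `render_rbac | kubectl apply -f -` to install the manifests, and `check_group "$ID_TOKEN" bookinfo-viewers` with an ID token copied from the browser session (or from Kiali's debug logging) to confirm the claim before blaming RBAC. The RoleBinding deliberately grants only read verbs; Kiali needs no write access for a viewer group.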
In this post we have set up group-based authorization for Kiali with Keycloak as the OpenID provider: Keycloak issues an ID token carrying the user's groups, and Kubernetes RBAC maps those groups to permissions. Access is then managed centrally through Keycloak group membership instead of per-user bindings in the cluster.