Hey fellow Kubernetes peeps, I need your help understanding something

I've been running k3s with OIDC against Keycloak, using groups in keycloak for ClusterRoleBindings.

This has worked great so far with this config:

kube-apiserver-arg:
- "oidc-issuer-url=https://our-keycloak-instance/realms/our-realm"
- "oidc-client-id=id-of-the-client"
- "oidc-groups-claim=groups"
- "oidc-groups-prefix=keycloak-groups:"
- "oidc-username-prefix=keycloak:"
- "oidc-username-claim=email"

1/?

Now, I changed the client ID in keycloak to verify something. Everything else is unchanged.

Updated the client ID in the apiserver arg, and updated our kubeconfig to match.

Now, the groups are not listed anymore in "kubectl auth whoami".

Before and after in the next two toots.

2/?

Before:

ATTRIBUTE VALUE
Username keycloak:[email protected]
Groups [keycloak-groups:view keycloak-groups:cluster-admin system:authenticated]
Extra: authentication.kubernetes.io/credential-id [JTI=<redacted>]

After:

ATTRIBUTE VALUE
Username keycloak:[email protected]
Groups [system:authenticated]
Extra: authentication.kubernetes.io/credential-id [JTI=redacted]

I have no idea why this is not working anymore, and couldn't find any helpful docs.

Did I miss changing the client ID somewhere?

I can't really imagine that being the case, since the authentication itself works, just the groups are missing…
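One way to narrow this down, as an added example that is not part of the thread: decode the payload of the ID token kubectl presents and apply the same username/groups mapping the apiserver flags above describe, which shows whether the token still contains a groups claim at all. The sample tokens and e-mail address below are constructed, and signature/expiry verification is deliberately skipped because this is a local diagnostic, not an authenticator.

```python
"""Added example, not from the thread: emulate kube-apiserver's OIDC claim
mapping with the exact flags from the post, on a decoded (unverified) ID token."""
import base64
import json

# Flag values copied from the kube-apiserver-arg block in the post.
CFG = {
    "oidc-issuer-url": "https://our-keycloak-instance/realms/our-realm",
    "oidc-client-id": "id-of-the-client",
    "oidc-groups-claim": "groups",
    "oidc-groups-prefix": "keycloak-groups:",
    "oidc-username-prefix": "keycloak:",
    "oidc-username-claim": "email",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature), unverified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def map_claims_to_user(claims: dict, cfg: dict = CFG) -> dict:
    """Mirror the apiserver: require the client id in aud, then prefix claims."""
    aud = claims.get("aud", [])
    if cfg["oidc-client-id"] not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("oidc-client-id not present in aud")
    username = cfg["oidc-username-prefix"] + str(claims[cfg["oidc-username-claim"]])
    raw = claims.get(cfg["oidc-groups-claim"], [])
    raw = [raw] if isinstance(raw, str) else raw  # a lone group may be a string
    groups = [cfg["oidc-groups-prefix"] + g for g in raw]
    # system:authenticated is added by the apiserver for every authenticated user
    return {"username": username, "groups": groups + ["system:authenticated"]}

def fake_token(claims: dict) -> str:
    """Build an unsigned compact JWT from constructed claims (sample data only)."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."

# Constructed sample tokens reproducing the "before" and "after" whoami output.
BASE = {"aud": "id-of-the-client", "email": "user@example.com"}  # constructed
TOKEN_WITH_GROUPS = fake_token({**BASE, "groups": ["view", "cluster-admin"]})
TOKEN_WITHOUT_GROUPS = fake_token(BASE)
```

Run `decode_jwt_payload()` on the real token from your kubeconfig: if `groups` is absent from the payload, the apiserver config is not the problem and the claim is not being issued for that client.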

@morre
Just a stupid idea, using keycloak but not with k3s:
In your new client config did you add the same client scope(s) with a mapper exposing the groups in the same way?
As that is not happening by default when just creating a new keycloak client definition.

@haegar It's the same client, I only changed its ID.

So there's no new client definition to update 🤔