{"id":29582292,"url":"https://github.com/randsw/kubernetes-keycloak-oidc","last_synced_at":"2026-05-07T01:32:29.686Z","repository":{"id":305197023,"uuid":"1019422861","full_name":"Randsw/kubernetes-keycloak-oidc","owner":"Randsw","description":"Use Keycloak as OIDC Provider to Grant Access to Kubernetes Cluster with kube-oidc Plugin","archived":false,"fork":false,"pushed_at":"2025-07-18T17:09:59.000Z","size":945,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-18T21:51:33.326Z","etag":null,"topics":["cert-manager","headlamp","helm","ingress","keycloak","kind","kube-oidc","kubernetes","kubernetes-ui","metallb","oidc","oidc-client","oidc-provider","oidc-server","terraform","terraform-keycloak"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Randsw.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-14T09:53:44.000Z","updated_at":"2025-07-18T17:13:29.000Z","dependencies_parsed_at":"2025-07-18T22:04:11.629Z","dependency_job_id":null,"html_url":"https://github.com/Randsw/kubernetes-keycloak-oidc","commit_stats":null,"previous_names":["randsw/kubernetes-keycloak-oidc"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Randsw/kubernetes-keycloak-oidc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Randsw%2Fkubernetes-keycloak-oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Randsw%2Fkubernetes-keycloak
-oidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Randsw%2Fkubernetes-keycloak-oidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Randsw%2Fkubernetes-keycloak-oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Randsw","download_url":"https://codeload.github.com/Randsw/kubernetes-keycloak-oidc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Randsw%2Fkubernetes-keycloak-oidc/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266019657,"owners_count":23864916,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cert-manager","headlamp","helm","ingress","keycloak","kind","kube-oidc","kubernetes","kubernetes-ui","metallb","oidc","oidc-client","oidc-provider","oidc-server","terraform","terraform-keycloak"],"created_at":"2025-07-19T21:34:23.802Z","updated_at":"2026-05-07T01:32:24.662Z","avatar_url":"https://github.com/Randsw.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Use Keycloak as OIDC Provider to Grant Access to Kubernetes Cluster with kube-oidc Plugin and Headlamp UI\n\n## Requirements\n\n- [Docker](https://docs.docker.com/engine/install/)\n- [kubectl](https://kubernetes.io/docs/tasks/tools/)\n- [kind CLI](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)\n- [Helm](https://helm.sh/docs/intro/install/)\n- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)\n- [kube-oidc plugin 
(kubelogin)](https://github.com/int128/kubelogin)\n\n## Setup Kubernetes Cluster\n\nRun `./cluster-setup.sh` to create a Kubernetes cluster with:\n\n- 1 control-plane node\n- 4 worker nodes\n- Installed ingress-nginx\n- Installed MetalLB\n- 4 proxy image registries running as Docker containers on the same Docker network\n\n## Deploy cert-manager and Add the Generated TLS Key Pair as CA\n\nRun `./cert-manager-setup.sh`\n\n## Deploy Keycloak and Set Up RBAC Access\n\nRun `./keycloak-setup.sh`\n\nThis creates 4 groups with 5 users, each bound to specific RBAC permissions:\n\n| Group           | User     | Cluster Permission              |\n|-----------------|----------|---------------------------------|\n| kube-dev        | dev1     | view role on namespace `app`    |\n| kube-dev        | dev2     | view role on namespace `app`    |\n| kube-dev-lead   | dev-lead | edit role on namespace `app`    |\n| kube-manager    | manager  | view role on cluster            |\n| kube-admin      | admin1   | admin role on cluster           |\n\n## Configure Keycloak\n\nRun: `terraform init && terraform apply -auto-approve`\n\n## Install Headlamp UI\n\nRun: `./headlamp-setup.sh`\n\n## Configure kubectl (Install kube-oidc Plugin First)\n\nRun `./kubectl-oidc.sh`\n\nThis sets the current context to `oidc-client` on the `kind-kind` cluster.\n\n## Testing\n\n### User: manager\n\n1. Run `kubectl get po -A`\n\n2. In the browser window that opens, enter the credentials:\n   - Username: `manager`\n   - Password: `manager`\n\n   ![manager login](images/image.png)\n\n3. Attempt to create a pod (should be forbidden, since `manager` only has the `view` role):\n\n   ![pod creation forbidden](images/image-1.png)\n\n### User: dev-lead\n\n1. Clean the previous session: `kubectl oidc-login clean`\n\n    This only deletes the token the plugin cached locally; the Keycloak SSO session in your browser stays active, so also log out of Keycloak. Otherwise the next login silently reuses the previous user's session and you end up testing with the wrong identity.\n\n2. Enter the credentials:\n\n   - Username: `dev-lead`\n   - Password: `dev-lead`\n\n3. Run `kubectl get po -A`:\n\n    ![dev-lead cluster view](images/image-2.png)\n\n    The request is forbidden: `dev-lead` has no permission to list pods across all namespaces.\n\n4. List pods in the `app` namespace: `kubectl get po -n app`\n\n    ![dev-lead namespace view](images/image-3.png)\n\n5. Create a new pod in the `app` namespace: `kubectl run nginx2 --image nginx -n app`\n\n    ![dev-lead pod creation](images/image-4.png)\n\n    `dev-lead` can create pods in `app`, as expected from the `edit` role.\n\n### User: dev1\n\n1. Clean the previous session: `kubectl oidc-login clean`\n\n    Log out of Keycloak as well (see above).\n\n2. Enter the credentials:\n\n   - Username: `dev1`\n   - Password: `dev1`\n\n3. List pods in the `app` namespace: `kubectl get po -n app`\n\n    ![dev1 namespace view](images/image-5.png)\n\n    `dev1` can list pods in namespace `app`.\n\n4. Attempt to create a pod in the `app` namespace (should be forbidden):\n\n    ![dev1 pod creation forbidden](images/image-6.png)\n\n    `dev1` cannot create pods in namespace `app`, as expected from the `view` role.\n\n## Testing Headlamp UI\n\n1. Go to `https://console.kind.cluster`\n\n    Log out of Keycloak first, so that the browser's SSO session does not sign you in as the previous user.\n\n2. Enter the credentials:\n\n   - Username: `admin1`\n   - Password: `admin1`\n\n3. Headlamp now shows the cluster with `admin1`'s cluster-wide admin permissions:\n\n![admin1 Headlamp cluster access](images/image-7.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandsw%2Fkubernetes-keycloak-oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frandsw%2Fkubernetes-keycloak-oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandsw%2Fkubernetes-keycloak-oidc/lists"}
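The wiring that the README's scripts put in place, written out as an added example (not code from the repository): the kube-apiserver OIDC flags as a kubeadm `ClusterConfiguration` patch in a kind cluster config, the kubeconfig `oidc-client` user that delegates token acquisition to kubelogin, and the RBAC bindings for the groups in the table. The issuer URL `https://keycloak.kind.cluster/realms/kube`, the client ID `kube-oidc`, the CA paths and the `oidc:` prefixes are assumptions; the group names, the `app` namespace and the role per group come from the table. The prefixes are the part not to leave out: without `--oidc-groups-prefix` a Keycloak group literally named `system:masters` would be mapped onto Kubernetes' built-in superuser group.

```yaml
# Added example, not from the repository. Issuer URL, client ID, CA paths and
# the "oidc:" prefixes are assumed; groups and namespace follow the README table.

# --- 1. kind cluster config: OIDC flags for kube-apiserver -------------------
# extraArgs is a map in kubeadm's v1beta3 ClusterConfiguration; with v1beta4
# (Kubernetes 1.31+) it is a list of {name, value} entries. The CA file must be
# present on the control-plane node (kind: extraMounts + apiServer.extraVolumes).
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        oidc-issuer-url: https://keycloak.kind.cluster/realms/kube   # assumed
        oidc-client-id: kube-oidc                                    # assumed
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.crt                # assumed
        oidc-username-claim: preferred_username
        oidc-groups-claim: groups
        # Keep IdP identities out of the system: namespace.
        oidc-username-prefix: "oidc:"
        oidc-groups-prefix: "oidc:"
---
# --- 2. kubeconfig user: kubelogin fetches and refreshes the ID token --------
apiVersion: v1
kind: Config
users:
- name: oidc-client
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.kind.cluster/realms/kube   # assumed
      - --oidc-client-id=kube-oidc                                    # assumed
      - --oidc-client-secret=REPLACE_WITH_CLIENT_SECRET               # placeholder
      # Keycloak only emits "groups" if the client has a Group Membership mapper;
      # disable "Full group path" there so names arrive as "kube-dev", not "/kube-dev".
      - --oidc-extra-scope=groups
      - --certificate-authority=/path/to/ca.crt                       # assumed
      interactiveMode: IfAvailable
---
# --- 3. RBAC: one binding per group from the README table --------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kube-dev-view
  namespace: app
subjects:
- kind: Group
  name: oidc:kube-dev            # groups prefix + Keycloak group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kube-dev-lead-edit
  namespace: app
subjects:
- kind: Group
  name: oidc:kube-dev-lead
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-manager-view
subjects:
- kind: Group
  name: oidc:kube-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-admin-admin
subjects:
- kind: Group
  name: oidc:kube-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin   # admin in every namespace; cluster-scoped objects need cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

The three parts are separate files in practice: the first is passed to `kind create cluster --config`, the second is merged into `~/.kube/config`, the third is applied with `kubectl apply`. The bindings can be checked before anyone logs in by impersonating the prefixed identities from a cluster-admin context: `kubectl auth can-i create pods -n app --as=oidc:dev1 --as-group=oidc:kube-dev` should answer `no`, and the same command with `--as-group=oidc:kube-dev-lead` should answer `yes`, which matches the forbidden and successful pod creations in the README's test steps.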