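## add user to k8s group

based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/

```bash
# Group whose members may log in to the cluster; the scope map below is
# attached to this group, so membership is what grants OIDC access.
export GROUP_NAME=k8s_users
kanidm group create "${GROUP_NAME}"
kanidm group add-members "${GROUP_NAME}" novakj

# Public OAuth2 client (no client secret): the registered redirect URL is the
# main thing protecting the flow, so keep the list of redirect URLs minimal.
export OAUTH2_NAME=k8s
kanidm system oauth2 create-public "${OAUTH2_NAME}" "${OAUTH2_NAME}" http://localhost:8000
kanidm system oauth2 add-redirect-url "${OAUTH2_NAME}" http://localhost:8000
kanidm system oauth2 update-scope-map "${OAUTH2_NAME}" "${GROUP_NAME}" email openid profile groups
# kubectl oidc-login receives the callback on localhost, which kanidm rejects
# unless localhost redirects are explicitly enabled for this client.
kanidm system oauth2 enable-localhost-redirects "${OAUTH2_NAME}"

# One-time interactive check that the issuer/client pair works.
kubectl oidc-login setup \
  --oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s \
  --oidc-client-id=k8s

kubectl config set-credentials oidc \
  --exec-api-version=client.authentication.k8s.io/v1 \
  --exec-interactive-mode=Never \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg="--oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s" \
  --exec-arg="--oidc-client-id=k8s"

# The --user value is the issuer URL, '#', and the account's subject (UUID) as
# the API server presents it. cluster-admin is full control of the cluster;
# prefer a narrower ClusterRole, or a group-based binding if the API server is
# configured to read the groups claim, rather than per-user cluster-admin.
kubectl create clusterrolebinding oidc-cluster-admin \
  --clusterrole=cluster-admin \
  --user='https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s#35842461-a1c4-4ad6-8b29-697c5ddbfe84'
```

## commands

```bash
# recover admin password
# on the docker host; resets the account and prints the new password to the
# terminal, so do it in a session that is not being logged or shared
docker exec -i -t kanidmd kanidmd recover-account admin
docker exec -i -t kanidmd kanidmd recover-account idm_admin

# kanidm management commands (could be run on any logged in client)
kanidm person credential create-reset-token novakj
kanidm person get novakj | grep memberof
kanidm group get
kanidm group get
kanidm group get idm_all_accounts
kanidm group get idm_all_persons
# Sets the minimum credential type for EVERY account to "any", i.e. password
# without a second factor is acceptable; this weakens the default policy, so
# review before running.
kanidm group account-policy credential-type-minimum idm_all_accounts any
kanidm person get novakj | grep memberof
kanidm group get idm_people_self_name_write
```

```bash
# Long-running server; the data volume holds the database and TLS material.
docker run -d --name=kanidmd --restart=always \
  -p '8443:8443' \
  -p '3636:3636' \
  --volume /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest

# One-shot certificate generation against the same data volume.
# Note: the original used "-v --restart=always", which made "--restart=always"
# the argument of -v (an invalid volume spec) and also conflicts with --rm.
# No ports are published: the command does not serve anything, and publishing
# 8443/3636 would fail if the kanidmd container is already running.
docker run --rm -i -t \
  --volume /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest \
  kanidmd cert-generate
```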