## add user to k8s group based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/ ```bash export GROUP_NAME=k8s_users kanidm group create ${GROUP_NAME} kanidm group add-members ${GROUP_NAME} novakj export OAUTH2_NAME=k8s kanidm system oauth2 create-public ${OAUTH2_NAME} ${OAUTH2_NAME} http://localhost:8000 kanidm system oauth2 add-redirect-url ${OAUTH2_NAME} http://localhost:8000 kanidm system oauth2 update-scope-map ${OAUTH2_NAME} ${GROUP_NAME} email openid profile groups kanidm system oauth2 enable-localhost-redirects ${OAUTH2_NAME} kubectl oidc-login setup \ --oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s \ --oidc-client-id=k8s kubectl config set-credentials oidc \ --exec-api-version=client.authentication.k8s.io/v1 \ --exec-interactive-mode=Never \ --exec-command=kubectl \ --exec-arg=oidc-login \ --exec-arg=get-token \ --exec-arg="--oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s" \ --exec-arg="--oidc-client-id=k8s" kubectl create clusterrolebinding oidc-cluster-admin \ --clusterrole=cluster-admin \ --user='https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s#35842461-a1c4-4ad6-8b29-697c5ddbfe84' ``` ## commands ```bash # recover admin password # on the docker host docker exec -i -t kanidmd kanidmd recover-account admin docker exec -i -t kanidmd kanidmd recover-account idm_admin # kanidm mangement commands (could be run on any logged in client) kanidm person credential create-reset-token novakj kanidm person get novakj | grep memberof kanidm group get kanidm group get kanidm group get idm_all_accounts kanidm group get idm_all_persons kanidm group account-policy credential-type-minimum idm_all_accounts any kanidm person get novakj | grep memberof kanidm group get idm_people_self_name_write ``` ## configure oauth proxy ```bash kanidm system oauth2 create oauth2-proxy "OAuth2 Proxy" https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz kanidm system oauth2 enable-pkce oauth2-proxy kanidm system oauth2 warning-insecure-client-disable-pkce oauth2-proxy # if proxy doesn't support PKCE kanidm system oauth2 get oauth2-proxy # note the client secret # update incorrect urls if needed remove-redirect-url kanidm system oauth2 add-redirect-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz # output ✔ Multiple authentication tokens exist. Please select one · idm_admin@idm.home.hrajfrisbee.cz --- class: account class: key_object class: key_object_internal class: key_object_jwe_a128gcm class: key_object_jwt_es256 class: memberof class: oauth2_resource_server class: oauth2_resource_server_basic class: object displayname: OAuth2 Proxy key_internal_data: 69df0a387991455f7c9800f13b881803: valid jwe_a128gcm 0 key_internal_data: c5f61c48a9c0eb61ba993a36748826cc: valid jws_es256 0 name: oauth2-proxy oauth2_allow_insecure_client_disable_pkce: true oauth2_rs_basic_secret: hidden oauth2_rs_origin_landing: https://oauth2-proxylab.home.hrajfrisbee.cz/ oauth2_strict_redirect_uri: true spn: oauth2-proxy@idm.home.hrajfrisbee.cz uuid: d0dcbad5-90e4-4e36-a51b-653624069009 secret: 7KJbUe5x35NVCT1VbzZfhYBU19cz9Xe9Z1fvw4WazrkHX2c8 kanidm system oauth2 update-scope-map oauth2-proxy k8s_users openid profile email ``` ```bash docker run -d --name=kanidmd --restart=always \ -p '8443:8443' \ -p '3636:3636' \ --volume /srv/docker/kanidm/data:/data \ docker.io/kanidm/server:latest docker run --rm -i -t -v --restart=always \ -p '8443:8443' \ -p '3636:3636' \ --volume /srv/docker/kanidm/data:/data \ docker.io/kanidm/server:latest \ kanidmd cert-generate ```