home-kubernetes/docker-30/kanidm/readme.md

Add a user to the k8s group

based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/

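# Group whose members are allowed to log in to the cluster through the OIDC client
# configured below; expansions are quoted so a name with unusual characters cannot
# split into extra arguments.
export GROUP_NAME=k8s_users
kanidm group create "${GROUP_NAME}"
# Add every person who should get cluster access; novakj is the first member here.
kanidm group add-members "${GROUP_NAME}" novakj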


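# Public (no client secret) OAuth2/OIDC client used by kubectl. The client name and
# its display name are both set to ${OAUTH2_NAME}; the origin and redirect URL are
# the local callback that kubectl oidc-login listens on.
export OAUTH2_NAME=k8s
# The scope map below refers to the group created in the previous step.
: "${GROUP_NAME:?set GROUP_NAME to the k8s login group first}"
kanidm system oauth2 create-public "${OAUTH2_NAME}" "${OAUTH2_NAME}" http://localhost:8000
kanidm system oauth2 add-redirect-url "${OAUTH2_NAME}" http://localhost:8000
# Only members of ${GROUP_NAME} are granted these scopes, so accounts outside the
# group cannot complete a login against this client.
kanidm system oauth2 update-scope-map "${OAUTH2_NAME}" "${GROUP_NAME}" email openid profile groups
# Needed because the redirect URL above is plain http on localhost.
kanidm system oauth2 enable-localhost-redirects "${OAUTH2_NAME}"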


# One-time interactive check: walks through a browser login against the kanidm
# issuer for the "k8s" client and prints the kubectl configuration to apply.
kubectl oidc-login setup --oidc-client-id=k8s \
  --oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s



# kubeconfig credential plugin entry named "oidc": whenever kubectl needs a token it
# runs `kubectl oidc-login get-token --oidc-issuer-url=... --oidc-client-id=k8s`;
# the --exec-arg lines are that command line, in order, and must stay in order.
kubectl config set-credentials oidc \
  --exec-api-version='client.authentication.k8s.io/v1' \
  --exec-interactive-mode='Never' \
  --exec-command='kubectl' \
  --exec-arg='oidc-login' \
  --exec-arg='get-token' \
  --exec-arg='--oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s' \
  --exec-arg='--oidc-client-id=k8s'

# Grant one OIDC identity unrestricted (cluster-admin) rights. The --user value has
# the shape "<issuer URL>#<subject>", which is how the API server names OIDC users
# when no username prefix is configured; the subject here appears to be the kanidm
# account UUID of the person who logged in above — confirm against `kanidm person get`.
# A narrower ClusterRole is preferable for accounts that do not need full admin.
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin \
  --user="https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s#35842461-a1c4-4ad6-8b29-697c5ddbfe84"

commands

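# recover admin password
# on the docker host; the new password is generated and shown in the terminal,
# so run this in a trusted session and store/change it afterwards
docker exec -i -t kanidmd kanidmd recover-account admin
docker exec -i -t kanidmd kanidmd recover-account idm_admin

# kanidm management commands (can be run on any logged-in client)
# issue a one-time token that lets the person set their own credentials
kanidm person credential create-reset-token novakj
# show which groups a person belongs to
kanidm person get novakj | grep memberof
# inspect a group: the k8s login group or the built-in ones
kanidm group get k8s_users
kanidm group get idm_all_accounts
kanidm group get idm_all_persons
# "any" is the weakest minimum credential type (a password alone is enough);
# prefer a stricter minimum such as mfa for accounts that do not need the relaxation
kanidm group account-policy credential-type-minimum idm_all_accounts any
kanidm group get idm_people_self_name_write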

# Run the identity server in the background and restart it across reboots.
# 8443 is the HTTPS endpoint (web UI and API), 3636 the LDAPS endpoint. Server state
# lives in the bind-mounted /srv/docker/kanidm/data so it survives re-creating the
# container. Consider pinning a release tag instead of :latest so upgrades are deliberate.
docker run --detach --name=kanidmd --restart=always \
  --publish '8443:8443' \
  --publish '3636:3636' \
  -v /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest

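# One-shot helper: generate the server's TLS certificates into the same data volume,
# typically before the server container is started for the first time. These are
# self-signed certificates intended for development/testing; clients must trust them.
# Fixes to the original command line:
#  - a stray "-v" swallowed "--restart=always" as its argument;
#  - "--restart=always" conflicts with "--rm" and is meaningless for a one-off run;
#  - no ports are published, since cert-generate does not listen and publishing
#    8443/3636 would fail while the kanidmd container holds them.
docker run --rm -i -t \
  --volume /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest \
  kanidmd cert-generate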