Team Setup

Manage Kubernetes RBAC with the team-setup Helm chart using groups and users in `values.yaml`. Integrates with Keycloak for OIDC authentication.

Introduction

The team-setup Helm chart provides a simple way to manage Kubernetes RBAC using groups and users defined in a single values.yaml file. This module also integrates with Keycloak for OIDC-based authentication.

Defining Groups and Users

In the team-setup chart's values.yaml, you can specify:

  • groups: the namespaces each group may access and the Roles/ClusterRoles it is granted there.
  • users: each user and the groups they belong to.

values.yaml
groups:
  my-group:
    description: "Example group"
    namespaces:
      - name: dev
        roles:
          - edit

users:
  - username: new.user
    firstName: New
    lastName: User
    email: [email protected]
    groups:
      - my-group

All users, groups and namespaces in this values file are created in the Kubernetes cluster if they do not already exist. You can reference the built-in ClusterRoles such as edit, view, admin and cluster-admin, or define your own Roles or ClusterRoles.
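To make the mapping concrete, here is an added illustration (not the team-setup chart's own templates) that builds the Namespace and RoleBinding objects a values file like the one above implies and resolves what a given user ends up with through group membership. It assumes every entry under `roles:` is bound as a ClusterRole (edit, view and admin are built-in ClusterRoles) and that each binding's subject is the group name, which the API server matches against the OIDC `groups` claim; the sample values and usernames are constructed for this example.

```python
from collections import defaultdict

# Constructed sample values mirroring the documented schema (not from the page).
VALUES = {
    "groups": {
        "my-group": {"description": "Example group",
                     "namespaces": [{"name": "dev", "roles": ["edit"]},
                                    {"name": "staging", "roles": ["view"]}]},
        "platform-admins": {"namespaces": [{"name": "dev", "roles": ["admin"]}]},
    },
    "users": [
        {"username": "new.user", "groups": ["my-group"]},
        {"username": "ops.user", "groups": ["my-group", "platform-admins"]},
    ],
}

def render_rbac(values):
    """Return Namespace and RoleBinding manifests (as dicts) for every group/namespace/role."""
    namespaces, bindings = {}, []          # dict dedupes namespaces shared by several groups
    for group, spec in values.get("groups", {}).items():
        for ns in spec.get("namespaces", []):
            namespaces[ns["name"]] = {"apiVersion": "v1", "kind": "Namespace",
                                      "metadata": {"name": ns["name"]}}
            for role in ns.get("roles", []):   # assumption: each role name is a ClusterRole
                bindings.append({
                    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                    "metadata": {"name": f"{group}-{role}", "namespace": ns["name"]},
                    # kind: Group is matched against the `groups` claim of the OIDC token
                    "subjects": [{"kind": "Group", "name": group,
                                  "apiGroup": "rbac.authorization.k8s.io"}],
                    "roleRef": {"kind": "ClusterRole", "name": role,
                                "apiGroup": "rbac.authorization.k8s.io"},
                })
    return list(namespaces.values()) + bindings

def effective_access(values, username):
    """Resolve a user's namespace -> sorted role names via the groups they belong to,
    mirroring how the API server applies the token's groups claim to the bindings."""
    user = next((u for u in values.get("users", []) if u["username"] == username), None)
    if user is None:                       # unknown user: no bindings apply
        return {}
    access = defaultdict(set)
    for obj in render_rbac(values):
        if obj["kind"] == "RoleBinding" and obj["subjects"][0]["name"] in user.get("groups", []):
            access[obj["metadata"]["namespace"]].add(obj["roleRef"]["name"])
    return {ns: sorted(roles) for ns, roles in access.items()}

if __name__ == "__main__":
    for name in ("new.user", "ops.user", "nobody"):
        print(name, effective_access(VALUES, name))
```

Running it shows that a user in two groups accumulates both groups' roles in a shared namespace, which is the place to look when reviewing a values file for over-broad access.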

Using Keycloak as OIDC Provider

You need to configure your Kubernetes API server to use Keycloak as its OIDC provider. This is a sample configuration for Minikube and the onprem platform that points the API server at Keycloak:

Terminal
minikube cp .env/onprem/ca.crt /etc/ssl/certs/keycloak-ca.crt # Copy the Keycloak CA certificate to Minikube

minikube start --ports=80:30080,443:30443 --cpus=max --memory=max \
 --extra-config=apiserver.oidc-issuer-url=https://keycloak.onprem.kuberise.dev/realms/platform \
 --extra-config=apiserver.oidc-client-id=kubernetes \
 --extra-config=apiserver.oidc-username-claim=preferred_username \
 --extra-config=apiserver.oidc-groups-claim=groups \
 --extra-config=apiserver.oidc-ca-file=/etc/ssl/certs/keycloak-ca.crt

You can connect Keycloak to Active Directory, Azure Entra ID, Google, or other identity providers.

Setting Up kubeconfig

  1. Install the kubelogin plugin:
    brew install int128/kubelogin/kubelogin # macOS

  2. The Kuberise.io install.sh script adds the oidc user and context to your kubeconfig:
    ~/.kube/config
    contexts:
      - context:
          cluster: minikube
          namespace: default
          user: oidc
        name: oidc
    current-context: oidc
    users:
      - name: oidc
        user:
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            args:
              - oidc-login
              - get-token
              - --oidc-issuer-url=https://keycloak.onprem.kuberise.dev/realms/platform
              - --oidc-client-id=kubernetes
              - --oidc-client-secret=<client-secret>
            command: kubectl
            env: null
            interactiveMode: IfAvailable
            provideClusterInfo: false

When you run a kubectl command, kubelogin opens the Keycloak login page for authentication. After you log in, the command is executed with the permissions of the groups assigned to your user.
