Authentication
Setup cluster's authentication
· ☕ 9 min read
Here is a graph of the RBAC setup we are going to implement:

1. Setup keycloak

We’ll use Keycloak to proxy our authentication for all monitors, using a single realm. You may use several realms in real-life situations. This is probably the tough part, and you may need to heavily tweak the following guide. Moreover, I may have forgotten to write some instructions, or some are heavily linked to your very own setup.

Administrate the cluster with authentication
· ☕ 7 min read
Create the realm and the client

References

engineering-notes/kubernetes-keycloak-integration.md at master · zufardhiyaulhaq/engineering-notes · GitHub

    REALM_URL="https://keycloak.{{cluster.baseHostName}}/auth/realms/{{apiServer.realmName}}"

    # Log in
    TOKEN_RESPONSE="$(curl \
      -d "grant_type=password" \
      -d "client_id={{apiServer.clientId}}" \
      -d "client_secret={{apiServer.clientSecret}}" \
      -d "username=admin-user" \
      -d "password=admin-user" \
      $REALM_URL/protocol/openid-connect/token)"

    # Extract the access token
    ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq '.

Protect monitoring with authentication
· ☕ 2 min read
Now that we have our authentication service up and running, we can protect the dashboards installed in step 06 - Monitoring: See what is going on, using our Keycloak OpenID Connect provider. Here is a diagram of how authorization will be managed:

Traefik dashboard

TODO

Kibana

TODO

Kube dashboard

References

Protect Kubernetes Dashboard with OpenID Connect | by Hidetake Iwata | ITNEXT

Again, we are going to set up a new instance of louketo-proxy.