# OIDC users in Authentik group noble-admins (claim "groups") get the same cluster access as the Headlamp
# ServiceAccount binding (edit). Requires kube-apiserver oidc-* extraArgs (see talos/talconfig.yaml).
# If your IdP omits "groups" from the id_token, add a "groups" scope/mapping in Authentik or bind User subjects instead.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-oidc-noble-admins
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/component: oidc-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: noble-admins