home-server/talos/runbooks/rbac.md
Runbook: Kubernetes RBAC (noble)

Headlamp (clusters/noble/bootstrap/headlamp/values.yaml): the chart's ClusterRoleBinding uses the built-in edit ClusterRole, not cluster-admin. Note that edit cannot read or change Roles and RoleBindings, so Headlamp is never the tool for RBAC changes. Break-glass changes use kubectl with an admin kubeconfig.

Headlamp OIDC + kube-apiserver (401 on /clusters/main/version, 200 on /me)
Headlamp sends your IdP id_token to the Kubernetes API as a bearer token. /me is answered by Headlamp itself; /clusters/.../version is proxied to kube-apiserver. A 401 there means kube-apiserver rejected the token at authentication (issuer, audience, expiry or signature did not check out); an RBAC denial of an authenticated user is a 403, not a 401. To fix it:

  1. Roll out Talos control-plane config that sets cluster.apiServer.extraArgs for the same Authentik app as Headlamp; see the second patches entry in talos/talconfig.yaml (oidc-issuer-url, oidc-client-id: headlamp, oidc-username-claim, oidc-groups-claim). The issuer URL must match the token's iss claim byte for byte, trailing slash included. After edits: talhelper genconfig -o out, then talosctl apply-config on each control plane, one at a time (rolling).
  2. Ensure the control planes can reach https://auth.apps.noble.lab.pcenicni.dev/... (discovery document and JWKS). kube-apiserver fetches these to validate token signatures, so if that URL is unreachable from the nodes every OIDC token fails with 401.
  3. Apply cluster RBAC for OIDC groups: kubectl apply -k clusters/noble/bootstrap/headlamp (includes oidc-noble-admins-clusterrolebinding.yaml). If you rely on that binding, your user must be in the Authentik group noble-admins and the id_token must carry the claim named by oidc-groups-claim with that group in it; otherwise authentication succeeds but you get 403s.

Quick discovery check (any machine with DNS to Authentik):

```sh
curl -fsS "https://auth.apps.noble.lab.pcenicni.dev/application/o/headlamp/.well-known/openid-configuration" | head -c 400; echo
```

Argo CD (clusters/noble/bootstrap/argocd/values.yaml): policy.default: role:readonly, so any new OIDC or Git-provider user gets read-only until you add a line g, <user-or-group>, role:admin (or another role) to configs.rbac.policy.csv. The local admin user keeps role:admin via g, admin, role:admin.

Audits

```sh
kubectl get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,SA:.subjects[?(@.kind=="ServiceAccount")].name,NS:.subjects[?(@.kind=="ServiceAccount")].namespace' | grep -E 'NAME|cluster-admin|headlamp|argocd'
```

References: Headlamp chart RBAC, Argo CD RBAC.