I'm unable to access any part of the portal when using Keycloak integration

[packituz-gttz]

Describe the bug
When using Keycloack integration I can login into the portal but I'm unable to access any of the parts within it, despite being admin. Whenever trying to access Pipelines, Marketplaces or any part of the portal I'm redirected back into the login page.

To Reproduce

What did you do?

I configured Keyclock integration following the documentation: https://docs.kuberocketci.io/docs/operator-guide/auth/platform-auth-model

What did you expect to see?

Be able to access all parts of the portal.

What did you see instead? Under which circumstances?

I'm redirected to login page when trying to access any part inside the portal. I can see requests failing with status 401.

Kubernetes cluster type:
Amazon Elastic Kubernetes
Version 1.29

[MykolaMarusenko]

Hello, is AWS EKS integrated with Keycloak? If so, are you able to use kubelogin to authenticate and access the Kubernetes cluster?

https://docs.kuberocketci.io/docs/operator-guide/auth/configure-keycloak-oidc-eks#kubeconfig

[packituz-gttz]

Hi, thank you for your response, I followed the steps on the link you provided once more and now it's working. Another question how could I modify the permissions on edp-oidc-* groups? For example to enable a developer to create Components. Thanks in advance.

[MykolaMarusenko]

Hi @packituz-gttz !

Glad to hear everything is working now. By default, our platform doesn't grant developers the rights for such actions, but there's no restriction on expanding these permissions. To do so, you just need to follow the general approach. Below are the Kubernetes objects that enable codebase creation. You can add them to your add-ons repository or apply them directly to the cluster in any way that suits you, and further customize as needed.

The process involves creating a new role and binding it to the appropriate group. Keep in mind that it's essential to follow the group naming conventions.

Steps:

1. Create a role that grants permission to create codebases:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-developer-extra
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - v2.edp.epam.com
    resources:
      - codebases
    verbs:
      - create

2. Bind the role to the developer group:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-developer-extra
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tenant-developer-extra
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "{{ .Release.Namespace }}-oidc-developers"

You can also review the platform's RBAC source code for further insights: https://github.com/epam/edp-install/tree/master/deploy-templates/templates/rbac

If you have any further questions or need clarification, feel free to reach out.

[MykolaMarusenko]

You can also create a separate group in Keycloak and establish a dedicated mapping for it. The key is to maintain the complete mapping structure: Keycloak Group → ClusterRoleBinding/RoleBinding → ClusterRole/Role.