Hi, thanks for the awesome project. The web UI is nice, but I encountered an issue. I was able to deploy OIDC with an external Keycloak server and I get the authentication page when trying to log in. However, once I log in with my account in Keycloak, I cannot see anything and only get:

```
You don't have permissions to view this resource
events is forbidden: User "system:anonymous" cannot list resource "events" in API group "" at the cluster scope
```

I assume the pod is using the headlamp-sa account to run and the clusterRole: cluster-admin is attached to the serviceaccount, like the clusterrolebinding.
I can create the token and access the cluster information on the dashboard, but I would like to integrate with the Keycloak authentication and get read-only access for all users, like the 'reference' on the web. Currently I want to test with the clusterrolebinding first, but it is stuck.
I have set up the serviceaccount in the helm values.yml; the values.yml is shown below.

```yaml
config:
  oidc:
    clientID: "headlamp-dev"
    clientSecret: "ffffffffffffiHmaOIK7ql3h5"
    issuerURL: "https://id.keycloak.com/auth/realms/my-realm"
    scopes: "openid profile email"
serviceAccount:
  create: true # Create a new service account
  name: headlamp-sa # The service account that the pod will use
clusterRoleBinding:
  # -- Specified whether a cluster role binding should be created
  create: true
  # -- Set name of the Cluster Role with limited permissions from your cluster
  # for example - clusterRoleName: user-ro
  clusterRoleName: cluster-admin
ingress:
  enabled: true
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
  hosts:
    - host: headlamp.dev-k8s.mycluster.abc.com
      paths:
        - path: /
          type: ImplementationSpecific
  tls:
    - secretName: my-wildcard-cert
      hosts:
        - headlamp.dev-k8s.mycluster.abc.com
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
```

Could anyone help me to fix this issue?
Environment (please provide info about your environment):
Kubernetes v1.32.2
Headlamp Version: latest, 0.29
Are you able to fix this issue?
No
JalenMak6 changed the title from "OIDC setup with keycloak and helm chart issue - No Permission even followed the helm chart" to "oidc setup with keycloak and helm chart issue - but No Permission even followed the helm chart" on Mar 4, 2025
JalenMak6 changed the title from "oidc setup with keycloak and helm chart issue - but No Permission even followed the helm chart" to "oidc setup with keycloak and helm chart issue - events is forbidden: User "system:anonymous" cannot list resource" on Mar 4, 2025
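
An added example, not part of the original issue or of Headlamp's code: a check of an ID token's claims against the `issuerURL` and `clientID` from the values.yml above, which are the comparisons the Kubernetes API server's OIDC authenticator makes before it accepts a user. It assumes the API server's `--oidc-issuer-url` and `--oidc-client-id` carry the same values and that the default `sub` username claim is used; the tokens are constructed and unsigned, and signature verification is out of scope.

```python
import base64
import json
import time

# Values from the posted values.yml. Assumption: the API server's
# --oidc-issuer-url and --oidc-client-id are set to the same values.
ISSUER_URL = "https://id.keycloak.com/auth/realms/my-realm"
CLIENT_ID = "headlamp-dev"


def jwt_claims(token):
    """Decode the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(token, issuer=ISSUER_URL, client_id=CLIENT_ID,
                   username_claim="sub", now=None):
    """Return the reasons the token's claims would fail the OIDC checks."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:  # exact string match, trailing slash included
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired or has no exp claim")
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} is missing")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Keycloak token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    good = {"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "u-123", "exp": time.time() + 300}
    bad = dict(good, iss=ISSUER_URL + "/", aud=["account"])  # constructed mismatches
    for name, c in (("good", good), ("bad", bad)):
        print(name, check_id_token(make_sample_token(c)) or "claims match")
```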