Description
Describe the bug
Hi, thanks for the awesome project; the web UI is nice, but I encountered an issue. I was able to deploy OIDC with an external Keycloak server and get the authentication page when trying to log in. However, once I log in with my account in Keycloak, I cannot see anything but get:
You don't have permissions to view this resource
events is forbidden: User "system:anonymous" cannot list resource "events" in API group "" at the cluster scope
I assume the pod is running with the headlamp-sa account, and the ClusterRole cluster-admin is attached to the service account via the ClusterRoleBinding.
I can create the token and access the cluster information on the dashboard, but I would like to integrate with the Keycloak authentication and give read-only access to all users, as in the 'reference' on the web. Currently I want to test with the ClusterRoleBinding first, but it is stuck.
I have set up the service account in the Helm values.yml; the values.yml is shown below.
```yaml
config:
  oidc:
    clientID: "headlamp-dev"
    clientSecret: "ffffffffffffiHmaOIK7ql3h5"
    issuerURL: "https://id.keycloak.com/auth/realms/my-realm"
    scopes: "openid profile email"
serviceAccount:
  create: true # Create a new service account
  name: headlamp-sa # The service account that the pod will use
clusterRoleBinding:
  # -- Specifies whether a cluster role binding should be created
  create: true
  # -- Set name of the Cluster Role with limited permissions from your cluster
  # for example - clusterRoleName: user-ro
  clusterRoleName: cluster-admin
ingress:
  enabled: true
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
  hosts:
    - host: headlamp.dev-k8s.mycluster.abc.com
      paths:
        - path: /
          type: ImplementationSpecific
  tls:
    - secretName: my-wildcard-cert
      hosts:
        - headlamp.dev-k8s.mycluster.abc.com
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
```
Could anyone help me fix this issue?
Environment (please provide info about your environment):
- Kubernetes v1.32.2
- Headlamp Version: latest, 0.29
Are you able to fix this issue?
No
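Added diagnostic example (not Headlamp's code, and not a confirmed cause of this report): when a dashboard forwards the user's OIDC ID token as the bearer token, kube-apiserver accepts it only if its `iss` equals `--oidc-issuer-url`, its `aud` contains `--oidc-client-id`, it is unexpired and its signature verifies against the issuer's keys. A token that fails any of these is treated as unauthenticated, which with anonymous auth enabled becomes the `system:anonymous` user seen in the error above, regardless of what ClusterRoleBinding the `headlamp-sa` ServiceAccount holds. The script below mirrors the claim-level checks (not the signature check) on constructed tokens, so the chart's `issuerURL` and `clientID` can be compared with what Keycloak actually issues. `NOW`, `GOOD_TOKEN`, `MISMATCHED_TOKEN`, `check_token_for_apiserver` and `rbac_subject` are this example's own names; the mismatched token's issuer path is a constructed value, not something observed in this issue.

```python
import base64
import json
import time
from typing import List, Optional

# Values copied from the chart snippet in the issue.
ISSUER_URL = "https://id.keycloak.com/auth/realms/my-realm"
CLIENT_ID = "headlamp-dev"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.

    Diagnostic only: signature verification is the API server's job (via the
    issuer's JWKS); this helper just lets you read what the token says."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "placeholder"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def check_token_for_apiserver(id_token: str, issuer_url: str, client_id: str,
                              username_claim: str = "sub",
                              now: Optional[float] = None) -> List[str]:
    """Mirror the claim checks kube-apiserver applies under --oidc-issuer-url,
    --oidc-client-id and --oidc-username-claim. Returns a list of problems;
    an empty list means the claims are consistent with that configuration."""
    claims = decode_claims(id_token)
    problems: List[str] = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {issuer_url!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]  # aud may be a single string or a list
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain --oidc-client-id {client_id!r}")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if exp is None or exp < current:
        problems.append("token expired or has no exp claim")
    if username_claim not in claims:
        problems.append(f"username claim {username_claim!r} missing; the API server "
                        "cannot derive a User name from this token")
    return problems


def rbac_subject(id_token: str, username_claim: str = "sub", username_prefix: str = "") -> str:
    """The User name the API server derives (prefix + claim), i.e. the subject an RBAC
    binding for this OIDC identity must name. A ClusterRoleBinding to a ServiceAccount
    such as headlamp-sa grants nothing to this user."""
    return username_prefix + str(decode_claims(id_token)[username_claim])


NOW = 1_700_000_000  # fixed clock for the constructed tokens

# Constructed token whose claims match the chart values above.
GOOD_TOKEN = make_unsigned_token({
    "iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "3f1c0a2e-constructed",
    "email": "dev@example.com", "groups": ["k8s-viewers"], "iat": NOW, "exp": NOW + 300,
})

# Constructed mismatch: different issuer path, audience not the client, no email claim.
MISMATCHED_TOKEN = make_unsigned_token({
    "iss": "https://id.keycloak.com/realms/my-realm", "aud": "account",
    "sub": "3f1c0a2e-constructed", "iat": NOW, "exp": NOW + 300,
})

if __name__ == "__main__":
    for label, token in (("good", GOOD_TOKEN), ("mismatched", MISMATCHED_TOKEN)):
        issues = check_token_for_apiserver(token, ISSUER_URL, CLIENT_ID, "email", now=NOW)
        print(label, "->", issues or "claims consistent with the chart config")
    print("RBAC subject:", rbac_subject(GOOD_TOKEN, "email", "oidc:"))
```

To use it on a real ID token, pass the token string to `check_token_for_apiserver` together with the chart's `issuerURL` and `clientID` and whatever `--oidc-username-claim` the API server is configured with; any reported problem means the API server will not identify the user from that token. `rbac_subject` gives the `User` name a ClusterRoleBinding (or `Group` entries, from the groups claim) would have to reference for the OIDC identity to get read-only access.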