dweller dweller via FreeIPA-users wrote:

> In our environment, we have deployed Dex as an Identity Provider (IdP) for
> authentication in various Kubernetes (k8s) clusters. However, we encountered
> an issue with configuring Dex to account for nested groups. As a workaround,
> we implemented a solution that assigns groups with automembership. Allow me
> to explain:
>
> Each k8s cluster has Role-Based Access Control (RBAC) configured, which is
> associated with four groups retrieved from LDAP via Dex. Consequently, we
> have the following naming convention:
>
>     k8s-cluster-01-l0
>     k8s-cluster-01-l1
>     k8s-cluster-01-l2
>     k8s-cluster-01-l3
>
> Additionally, we have user groups such as:
>
>     team-l0
>     team-l1
>     team-l2
>     team-l3
>
> We add users to the appropriate team group based on their entitlements, and
> subsequently, we associate the team-l* groups with their respective
> k8s-cluster-01-l* group. This arrangement grants the members of the team-*
> group specific access rights to the corresponding k8s cluster. However,
> initially, Dex was only able to recognize the groups that a user was directly
> a member of. To address this limitation, we implemented automember rules. For
> example, we created four rules as follows:
>
>     k8s-cluster-01-l0 if memberof team-l0
>     k8s-cluster-01-l1 if memberof team-l1
>     k8s-cluster-01-l2 if memberof team-l2
>     k8s-cluster-01-l3 if memberof team-l3
>
> As the number of clusters increased, we ended up with around 52 automember
> rules following the same pattern for k8s. Now, whenever I need to add a user
> or modify automember rules and trigger an automember rebuild, even for a
> small set of users (5-10), FreeIPA experiences a prolonged hang. Eventually,
> it times out the automember rebuild task, and this lagging behavior extends
> to all replicas. In light of this situation, I would like to clarify the
> following:
>
> Is my understanding correct that for each user in this setup, I create 52
> automember rebuild tasks?

Not likely. A full rebuild is not triggered on a mod. What does happen will
depend on what version of IPA/389-ds-base you have installed.

> Is it expected for the system to function this way, or am I using the
> automember plugin incorrectly? Could it be that the plugin is not intended
> for such high membership usage?

Some optimizations have been done. See above.

> I would appreciate any insights you can provide to help resolve these
> concerns.
>
> P.S.: I found a way to make Dex see nested group membership, but for
> now I'm stuck with this workaround, because it is much harder to conform changes
> now.

memberof can also be an expensive operation, so YMMV. This also depends on the
version of IPA and the distribution.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
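The rule pattern described in the thread ("k8s-cluster-01-lN if memberof team-lN") can be generated rather than typed per cluster. The script below is an added example and not code from the thread, FreeIPA or Dex: it emits the `ipa automember-add` / `ipa automember-add-condition` commands for one cluster and a targeted `ipa automember-rebuild --users=` for the affected accounts only, which is the cheap path the reply points at (a full rebuild is what gets expensive with many rules and memberof). The base DN `dc=example,dc=com`, the four level names and the `APPLY` switch are assumptions; by default the script only prints the commands, so it runs without an IPA server.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): generate the per-cluster automember
# rules, one per access level, each conditioned on membership of the matching
# team-l* group. Prints the ipa commands by default; APPLY=1 executes them.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"   # assumed suffix; set to your realm's DN
LEVELS="0 1 2 3"                          # assumed: the four l0..l3 levels above

# Emit the ipa commands for one cluster, e.g. gen_automember_cmds k8s-cluster-01
# Output: 2 commands per level (add rule, add memberof condition) = 8 lines.
gen_automember_cmds() {
    cluster="$1"
    for lvl in $LEVELS; do
        rule="${cluster}-l${lvl}"
        team="team-l${lvl}"
        # Anchor the regex on the full group DN so team-l1 never also matches
        # team-l10, and the rule cannot be satisfied by a similarly named group.
        regex="^cn=${team},cn=groups,cn=accounts,${BASE_DN}\$"
        printf 'ipa automember-add %s --type=group --desc="%s if memberof %s"\n' \
            "$rule" "$rule" "$team"
        printf "ipa automember-add-condition %s --type=group --key=memberof --inclusive-regex='%s'\n" \
            "$rule" "$regex"
    done
}

# Re-evaluate automember rules for the listed users only (comma-separated),
# instead of a full rebuild over every entry.
gen_rebuild_cmd() {
    users="$1"
    printf 'ipa automember-rebuild --type=group --users=%s\n' "$users"
}

# Dry-run by default: show the commands; with APPLY=1 feed them to a shell.
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        sh -s
    else
        cat
    fi
}

# Usage: ./automember-gen.sh k8s-cluster-01 alice,bob
gen_automember_cmds "${1:-k8s-cluster-01}" | run_or_print
gen_rebuild_cmd "${2:-alice}" | run_or_print
```

Review the printed commands first (`ipa automember-show RULE --type=group` on an existing rule shows the same fields); adding a user to `team-l2` then only needs `ipa automember-rebuild --type=group --users=USER` for that account, not a rebuild of all 52 rules.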
