Kubernetes Dashboard
This guide walks you through connecting the Kubernetes Dashboard (v7+) to Nauthera so that users can sign in with their Nauthera account instead of using bearer tokens or kubeconfig files.
What you will set up
- OIDC sign-in for the Kubernetes Dashboard via Nauthera
- Group-based access control using Kubernetes RBAC
Prerequisites
- A running Nauthera instance with a reachable issuer URL (e.g. https://auth.example.com)
- Kubernetes Dashboard v7+ deployed in the cluster
- The Kubernetes API server configured to accept Nauthera tokens (see below)
Step 1 — Create the OidcClient

Save the following as `dashboard-oidc-client.yaml`. The redirect URI must be exactly the callback URL the Dashboard will use (see Step 4), and the `groups` scope is what lets Nauthera include group membership in the ID token for RBAC later.

```yaml
apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  displayName: Kubernetes Dashboard
  redirectUris:
    - "https://dashboard.example.com/oauth2/callback"
  allowedScopes:
    - openid
    - profile
    - email
    - groups
  grantTypes:
    - authorization_code
    - refresh_token
```

Apply it:

```shell
kubectl apply -f dashboard-oidc-client.yaml
```

Step 2 — Configure the Kubernetes API server
The API server must trust Nauthera as an OIDC issuer. Add these flags to your kube-apiserver configuration:

```
--oidc-issuer-url=https://auth.example.com
--oidc-client-id=<client-id-from-step-1>
--oidc-username-claim=email
--oidc-groups-claim=groups
--oidc-username-prefix="oidc:"
--oidc-groups-prefix="oidc:"
```

The quotes around the prefix values are shell quoting. If you add the flags to a static-pod manifest or a systemd unit, write them without quotes (`--oidc-username-prefix=oidc:`), otherwise the quote characters become part of the prefix and no RBAC subject will match. The prefixes themselves matter for safety: they keep identities from the IdP from colliding with built-in Kubernetes users and groups such as `system:masters`.

For managed Kubernetes (EKS, GKE, AKS), consult your provider's OIDC integration documentation.

After restarting the API server, it will validate Nauthera-issued JWTs (signature against the issuer's published keys, issuer URL, expiry, and that the token audience matches `--oidc-client-id`) and extract the email and groups claims for authorization.
Step 3 — Create Kubernetes RBAC bindings

Bind Nauthera groups to Kubernetes roles. Note that the subject names carry the `oidc:` prefix configured on the API server in Step 2:

```yaml
# Cluster admins
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nauthera-cluster-admins
subjects:
  - kind: Group
    name: "oidc:cluster-admins"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Developers — read-only cluster-wide, full access in their namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nauthera-developers-view
subjects:
  - kind: Group
    name: "oidc:developers"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Only the cluster-wide read-only binding for developers is shown above; the namespace-scoped `RoleBinding` that grants them write access in their own namespace follows the same pattern with `kind: RoleBinding` and a `namespace` in its metadata.

Step 4 — Configure the Dashboard
Helm values (kubernetes-dashboard chart)

```yaml
# values.yaml
app:
  ingress:
    enabled: true
    hosts:
      - dashboard.example.com
    tls:
      - secretName: dashboard-tls
        hosts:
          - dashboard.example.com
api:
  containers:
    args:
      - --enable-oidc
      - --oidc-issuer-url=https://auth.example.com
      - --oidc-client-id=<your-client-id>
      - --oidc-client-secret=<your-client-secret>
      - --oidc-scope=openid,profile,email,groups
      - --oidc-redirect-uri=https://dashboard.example.com/oauth2/callback
```

`--oidc-client-id` must be the same client id the API server was given in Step 2, and `--oidc-redirect-uri` must match one of the `redirectUris` in the OidcClient exactly. Treat `<your-client-secret>` as a credential: do not commit the real value to version control.

Step 5 — Verify
- Open the Dashboard and click Sign in.
- You will be redirected to the Nauthera login page.
- After authentication, the Dashboard should display resources according to your Kubernetes RBAC permissions.
- Users in the `cluster-admins` group will see all namespaces and resources; `developers` will have read-only access.
Restricting access
Add `requiredGroups` to the OidcClient to limit who can access the Dashboard:

```yaml
spec:
  requiredGroups:
    - cluster-admins
    - developers
```

Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| "401 Unauthorized" after login | API server doesn't trust Nauthera tokens | Verify --oidc-issuer-url flag on kube-apiserver |
| No resources visible | Missing RBAC bindings | Create ClusterRoleBinding for the user's group |
| Redirect error | Callback URL mismatch | Ensure redirectUris matches the Dashboard's OAuth callback URL |
| Groups not recognized | Prefix mismatch | Ensure RBAC subjects use the oidc: prefix matching --oidc-groups-prefix |
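The following is an added example, not code from Nauthera or the Kubernetes Dashboard project. It models the part of the flow that Step 2, Step 3 and the "Groups not recognized" row above all depend on: how kube-apiserver turns the `email` and `groups` claims of an ID token into a prefixed Kubernetes user and group list, which of the Step 3 bindings that subject then matches, and a check for bindings whose group subjects lack the `--oidc-groups-prefix`. The client id `kubernetes-dashboard`, the sample user and the unsigned token are constructed placeholders; signature and issuer verification are deliberately left to the API server and not modelled.

```python
"""Added example (not Nauthera's or the Dashboard's own code): model how
kube-apiserver maps the claims of a Nauthera ID token onto a Kubernetes
subject and which ClusterRoleBindings that subject matches. Stdlib only."""
import base64
import json

# Flags as given in Step 2. The client id is a constructed placeholder;
# use the real value Nauthera assigned to the OidcClient.
APISERVER_FLAGS = {
    "oidc-client-id": "kubernetes-dashboard",
    "oidc-username-claim": "email",
    "oidc-groups-claim": "groups",
    "oidc-username-prefix": "oidc:",
    "oidc-groups-prefix": "oidc:",
}

# The Step 3 ClusterRoleBindings, reduced to the fields RBAC matching uses.
BINDINGS = [
    {"name": "nauthera-cluster-admins", "role": "cluster-admin",
     "subjects": [{"kind": "Group", "name": "oidc:cluster-admins"}]},
    {"name": "nauthera-developers-view", "role": "view",
     "subjects": [{"kind": "Group", "name": "oidc:developers"}]},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT used only as input for the mapping logic.
    Signature and issuer checks against Nauthera's keys are the API
    server's job and are deliberately out of scope here."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying it (demo input only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_subject(claims: dict, flags: dict) -> tuple[str, list[str]]:
    """Apply the --oidc-* flags: reject a token whose audience does not
    include our client id, then prefix the username and every group."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if flags["oidc-client-id"] not in aud:
        raise ValueError("token audience does not include --oidc-client-id")
    username = flags["oidc-username-prefix"] + claims[flags["oidc-username-claim"]]
    groups = [flags["oidc-groups-prefix"] + g
              for g in claims.get(flags["oidc-groups-claim"], [])]
    return username, groups


def matching_roles(username: str, groups: list[str], bindings: list) -> list[str]:
    """Roles whose binding lists the user or one of the user's groups."""
    roles = []
    for binding in bindings:
        for subject in binding["subjects"]:
            hit = (subject["kind"] == "Group" and subject["name"] in groups) or \
                  (subject["kind"] == "User" and subject["name"] == username)
            if hit:
                roles.append(binding["role"])
                break
    return roles


def prefix_mismatches(bindings: list, flags: dict) -> list[str]:
    """The 'Groups not recognized' case: Group subjects that lack the
    --oidc-groups-prefix can never match a prefixed token group."""
    prefix = flags["oidc-groups-prefix"]
    return [f'{b["name"]}: {s["name"]}'
            for b in bindings for s in b["subjects"]
            if s["kind"] == "Group" and not s["name"].startswith(prefix)]


if __name__ == "__main__":
    # Constructed token for a developer signing in through the Dashboard client.
    token = make_unsigned_token({"iss": "https://auth.example.com",
                                 "aud": "kubernetes-dashboard",
                                 "email": "dev@example.com",
                                 "groups": ["developers"]})
    user, groups = map_subject(decode_claims(token), APISERVER_FLAGS)
    print(user, groups, "->", matching_roles(user, groups, BINDINGS))
    print("prefix mismatches:", prefix_mismatches(BINDINGS, APISERVER_FLAGS))
```

Against a live cluster the same question is answered without a token at all, using impersonation with the prefixed names: `kubectl auth can-i list pods --as=oidc:dev@example.com --as-group=oidc:developers` should answer `yes`, and the same command with `delete` should answer `no` for the `view` role. If the unprefixed form (`--as-group=developers`) is the one that works, the RBAC subjects and `--oidc-groups-prefix` disagree, which is exactly what `prefix_mismatches` reports.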
Related
- OidcClient — Full CRD reference
- AuthPolicy — Scope and claim mapping configuration
- User Management — Creating users and groups