In our environment, we have deployed Dex as an Identity Provider (IdP) for authentication in various Kubernetes (k8s) clusters. However, we encountered an issue with configuring Dex to account for nested groups. As a workaround, we implemented a solution that assigns groups with automembership. Allow me to explain:
Each k8s cluster has Role-Based Access Control (RBAC) configured, which is associated with four groups retrieved from LDAP via Dex. Consequently, we have the following naming convention:
k8s-cluster-01-l0
k8s-cluster-01-l1
k8s-cluster-01-l2
k8s-cluster-01-l3
Additionally, we have user groups such as:
team-l0
team-l1
team-l2
team-l3
We add users to the appropriate team group based on their entitlements, and subsequently, we associate the team-l* groups with their respective k8s-cluster-01-l* group. This arrangement grants the members of the team-* group specific access rights to the corresponding k8s cluster. However, initially, Dex was only able to recognize the groups that a user was directly a member of. To address this limitation, we implemented automember rules. For example, we created four rules as follows:
k8s-cluster-01-l0 if memberof team-l0
k8s-cluster-01-l1 if memberof team-l1
k8s-cluster-01-l2 if memberof team-l2
k8s-cluster-01-l3 if memberof team-l3
As the number of clusters increased, we ended up with around 52 automember rules following the same pattern for k8s. Now, whenever I need to add a user or modify automember rules and trigger an automember rebuild, even for a small set of users (5-10), FreeIPA experiences a prolonged hang. Eventually, it times out the automember rebuild task, and this lagging behavior extends to all replicas. In light of this situation, I would like to clarify the following:
Is my understanding correct that for each user in this setup, I create 52 automember rebuild tasks?
Is it expected for the system to function this way, or am I using the automember plugin incorrectly? Could it be that the plugin is not intended for such high membership usage?
I would appreciate any insights you can provide to help resolve these concerns.
P.S.: I found a way to make Dex see nested group membership, but for now I'm stuck with this workaround, because it is much harder to conform changes now.
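An added example (not from the original post) that models the setup described above: it builds the automember rules from the post's naming pattern in the form the 389-ds automember schema stores them and estimates what a single rebuild task evaluates per user. The base DN, the cluster names and the simplified "one inclusive regex per rule, every rule checked for every user" evaluation model are assumptions.

```python
import re

# Assumed directory suffix; FreeIPA keeps user groups under cn=groups,cn=accounts.
BASE_DN = "dc=example,dc=com"
GROUPS = f"cn=groups,cn=accounts,{BASE_DN}"


def build_rules(clusters, levels=("l0", "l1", "l2", "l3")):
    """One rule per (cluster, level): k8s-<cluster>-<level> if memberof team-<level>.
    Values mirror the 389-ds automember attributes (automemberTargetGroup,
    automemberInclusiveRegex in 'attribute=regex' form)."""
    return [
        {
            "cn": f"k8s-{c}-{lv}",
            "automemberTargetGroup": f"cn=k8s-{c}-{lv},{GROUPS}",
            "automemberInclusiveRegex": [f"memberof=^cn=team-{lv},{GROUPS}$"],
        }
        for c in clusters
        for lv in levels
    ]


def evaluate(user, rules):
    """Simplified model of one rebuild pass over one user: every rule's
    inclusive regexes are tested against the named attribute's values.
    Returns (target group DNs matched, number of regex evaluations)."""
    targets, evaluations = [], 0
    for rule in rules:
        matched = False
        for cond in rule["automemberInclusiveRegex"]:
            attr, _, regex = cond.partition("=")  # split at the first '='
            values = user.get(attr, [])
            evaluations += len(values)
            if any(re.search(regex, v) for v in values):
                matched = True
        if matched:
            targets.append(rule["automemberTargetGroup"])
    return targets, evaluations


def rebuild_cost(users, rules):
    """Regex evaluations one rebuild task performs for a batch of users."""
    return sum(evaluate(u, rules)[1] for u in users)


# Constructed estate: 13 clusters x 4 levels = 52 rules, as in the post.
CLUSTERS = [f"cluster-{n:02d}" for n in range(1, 14)]
RULES = build_rules(CLUSTERS)
# Constructed user: direct member of team-l1 only.
ALICE = {"uid": ["alice"], "memberof": [f"cn=team-l1,{GROUPS}"]}

if __name__ == "__main__":
    targets, checks = evaluate(ALICE, RULES)
    print(f"{len(RULES)} rules, {len(targets)} target groups, {checks} regex checks")
```

In a live directory each user's memberof also carries the k8s-* groups already assigned, so the per-user work grows as rules match; the model counts only the team-* memberships to keep the arithmetic visible.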