⌂ Home

Corporate LDAP / Active Directory to Kubernetes RBAC Flow

This architecture page shows a practical proof-of-concept for enterprise Kubernetes RBAC using corporate LDAP or Active Directory. The recommended pattern is LDAP-backed identity into an OIDC broker such as Keycloak or Dex, then group claims into the Kubernetes API server, then namespace-aware RBAC with `RoleBinding` and `ClusterRoleBinding`.

Why this pattern works

Kubernetes API server does not directly use LDAP as a native human login method.
An identity bridge converts LDAP users and groups into OIDC token claims.
RBAC then stays clean and native inside Kubernetes.

POC outcome

Corporate users sign in with existing credentials.
Directory groups like `k8s-dev`, `k8s-qa`, and `k8s-admins` become Kubernetes RBAC subjects.
Namespace access is governed centrally without issuing separate user certs per developer.

Identity Source

LDAP / AD

Corporate users and groups stay managed in the enterprise directory.

Bridge

OIDC

Dex or Keycloak transforms directory data into ID tokens with group claims.

Authorization

Native RBAC

Kubernetes enforces access with RoleBinding and ClusterRoleBinding.

Scope

Namespaces

Groups can be segmented cleanly across `dev`, `qa`, `prod`, and cluster admin scope.

Authentication Flow: Token Exchange Sequence

Visual representation of the complete authentication and authorization flow.

Reference Architecture Stack

A realistic POC has five layers.

1. Enterprise Directory

Existing source of truth for people and groups.

LDAP or Microsoft Active Directory
Users, groups, org units
Password policies and lifecycle

>

2. Identity Broker

Looks up users and groups from LDAP.

Dex or Keycloak
LDAP bind and search
Maps directory groups to token claims

>

3. Kubernetes API Server

Trusts the OIDC issuer and validates tokens.

`--oidc-issuer-url`
`--oidc-client-id`
`--oidc-username-claim`
`--oidc-groups-claim`

>

4. Kubernetes RBAC

Maps users and groups to permissions.

Role and RoleBinding per namespace
ClusterRole for cluster-level duties
ClusterRoleBinding for platform admins

>

5. Namespace Workloads

Final access target for teams and administrators.

`dev` namespace deployment access
`qa` namespace read or test access
`prod` namespace tightly controlled

Interactive Request Journey

Choose a view to focus on authentication, group resolution, RBAC decisions, or day-2 operations.

User sign-in and token issuance

Authentication

Developer runs kubectl or dashboard login

>

OIDC broker login page

>

Broker binds to LDAP / AD

>

Successful authentication

The enterprise password stays in the directory layer. Kubernetes never stores or validates the LDAP password itself.

Directory group lookup and claim generation

Group Mapping

LDAP groups: k8s-dev / k8s-qa / k8s-admins

>

OIDC broker maps memberships

>

ID token groups claim

>

kubectl receives token

This is the normalization step. Directory groups become portable claims that Kubernetes RBAC can match.

API server validates token and checks RBAC

Authorization

kubectl sends bearer token

>

API server validates OIDC issuer + audience

>

User + groups extracted

>

RBAC checks RoleBinding / ClusterRoleBinding

Once the token is trusted, authorization is completely native Kubernetes behavior.

Namespace administration outcomes

Operations

k8s-dev group

>

RoleBinding in dev

>

Can deploy and read pods in dev

>

Denied in prod without binding

This is what makes the model scalable for enterprises: add people to groups, not one-off Kubernetes users.

Directory to RBAC Mapping Design

A clean POC uses group-based access instead of individual user bindings wherever possible.

LDAP GroupNamespace

`k8s-dev` -> developer role in `dev`

Lets developers create and update Deployments, Services, Pods, and ConfigMaps in the development namespace only.

LDAP GroupNamespace

`k8s-qa` -> read or test role in `qa`

Supports release validation, log access, and controlled rollout visibility for the QA namespace.

LDAP GroupNamespace

`k8s-prod-ops` -> limited prod operations

Allows rollout inspection, pod restart, and incident triage while keeping broad admin actions tightly constrained.

LDAP GroupCluster

`k8s-admins` -> platform admin role

Reserved for platform engineers who manage namespaces, nodes, storage, policy, and observability.

Namespace Access Model for the POC

This split makes the group-to-namespace intent obvious during demos.

dev

Developer self-service zone

`RoleBinding` subjects: `k8s-dev`, optionally named users for exceptions. Supports build, deploy, and debug workflows.

qa

Validation and release zone

`RoleBinding` subjects: `k8s-qa`, release coordinators, and read-only observers.

prod

Restricted production zone

`RoleBinding` subjects: `k8s-prod-ops`. Avoid broad write access for normal developer groups here.

cluster

Platform administration zone

`ClusterRoleBinding` subjects: `k8s-admins`. Use a custom ClusterRole if full `cluster-admin` is too wide.

POC Build Sequence

These steps are ordered to make the exercise demonstrable with minimal moving parts.

1. Prepare directory groups

Create or identify LDAP groups such as `k8s-dev`, `k8s-qa`, and `k8s-admins`, then add test users.

2. Configure the identity broker

Point Dex or Keycloak at the LDAP server and define bind, search base, and group claim settings.

3. Enable OIDC on the API server

Set issuer URL, client ID, username claim, groups claim, and CA trust.

4. Create Roles and RoleBindings

Bind groups, not individual users, unless you are proving an exception path.

5. Login and verify claims

Use one user from each group, acquire a token, and confirm the identity and groups are visible to Kubernetes.

6. Prove allow and deny paths

Show that users can act only in their mapped namespaces, and that cross-namespace operations are rejected.

Example POC Snippets

These samples are intentionally generic so you can adapt them to Dex, Keycloak, or a similar OIDC bridge.

API server OIDC flags

The API server must trust the issuer and know which claims represent the user and groups.

--oidc-issuer-url=https://sso.example.com/realms/k8s
--oidc-client-id=kubernetes
--oidc-username-claim=email
--oidc-groups-claim=groups
--oidc-ca-file=/etc/kubernetes/pki/oidc-ca.crt

Group-based RoleBinding

This is the core pattern for namespace delegation from enterprise groups.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-binding
  namespace: dev
subjects:
- kind: Group
  name: k8s-dev
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io

Cluster admin binding

Use sparingly in the POC, or replace with a narrower custom ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-admins
subjects:
- kind: Group
  name: k8s-admins
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Validation ideas

Use one user per group and test across namespaces to prove isolation.

kubectl auth can-i create deployment -n dev
kubectl auth can-i get pods -n qa
kubectl auth can-i delete namespace prod
kubectl get pods -n prod

Important architecture note

If the exercise is for human enterprise users, an OIDC bridge is usually the cleanest pattern. Direct client certificates for every employee do not scale well for joiner-mover-leaver processes, group management, or self-service governance.