For its security, HCI 3.0 uses Keycloak, an OAuth2-compliant identity and access management system that provides a user management interface and a wide range of login tools and security features for your Kubernetes environment. Its single sign-on (SSO) capabilities and consolidated administrative functionality make it a powerful tool for managing your HCI installation.
Realms
Keycloak uses a concept known as realms, within which objects such as users, applications, roles, and groups are managed and share the same policies and identity providers. Realms are isolated from one another, so objects with the same names can exist in different realms with different settings in each. The HCI realm is created during installation and contains all of the roles required to maintain the HCI product.
Clients
Keycloak also uses a concept known as clients, which are the applications or services on your Kubernetes cluster that require authentication. Permissions are created as client roles in the HCI-Client, which is also created during installation. These roles follow the same naming conventions as HCI 2.x (e.g., workflow:certificates:read grants users the ability to view workflow certificates).
Clients can be created and managed under the Clients tab.
Roles
Roles are used within Kubernetes to assign and manage access to the resources in your cluster. They define which actions a user can perform on specific resources within a namespace, such as reading, writing, or modifying resources like pods, services, and secrets.
Composite roles
What were previously known as HCI permission groups are now Keycloak composite roles. A composite role can be assigned to a specific user or to an entire group, which then inherits all of the roles the composite role contains. Roles assigned to a group are passed down to all users and child groups within that group. A user must hold the appropriate roles in order to receive access to the HCI API.
Composite roles can be created and managed under the Roles tab.
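The two sections above describe how HCI-Client client roles, composite roles and group inheritance combine; the following added example (not part of this documentation or the HCI product) flattens that chain so an administrator can audit which users effectively hold a given client role. It works over a constructed dictionary shaped like a Keycloak realm export, reduced to the fields the check reads; the realm, role, group and user names in it are illustrative.

```python
# Constructed realm data in the shape of a Keycloak realm export (trimmed to the fields this check reads).
REALM = {
    "realm": "hci",
    "roles": {"realm": [
        {"name": "workflow-viewer", "composite": True, "composites": {
            "client": {"HCI-Client": ["workflow:certificates:read"]}}},
        {"name": "workflow-admin", "composite": True, "composites": {
            "realm": ["workflow-viewer"],
            "client": {"HCI-Client": ["workflow:certificates:write"]}}}]},
    "groups": [{"name": "ops", "realmRoles": ["workflow-viewer"], "subGroups": [
        {"name": "ops-leads", "realmRoles": ["workflow-admin"], "subGroups": []}]}],
    "users": [{"username": "alice", "groups": ["/ops/ops-leads"]},
              {"username": "bob", "groups": ["/ops"]},
              {"username": "carol", "realmRoles": ["workflow-viewer"]}],
}

def expand_composite(realm, role_name, seen=None):
    """HCI-Client roles granted by one realm role, following nested composites."""
    seen = set() if seen is None else seen
    if role_name in seen:  # a composite that (indirectly) contains itself must not loop
        return set()
    seen.add(role_name)
    role = next((r for r in realm["roles"]["realm"] if r["name"] == role_name), {})
    comps = role.get("composites", {})
    granted = set(comps.get("client", {}).get("HCI-Client", []))
    for nested in comps.get("realm", []):
        granted |= expand_composite(realm, nested, seen)
    return granted

def group_path_roles(realm, path):  # child groups inherit the roles of their parents
    roles, level = [], realm["groups"]
    for name in path.strip("/").split("/"):
        node = next((g for g in level if g["name"] == name), None)
        if node is None:  # unknown group path: stop, grant nothing further
            break
        roles += node.get("realmRoles", [])
        level = node.get("subGroups", [])
    return roles

def effective_client_roles(realm, username):  # direct + group-inherited roles, flattened
    user = next(u for u in realm["users"] if u["username"] == username)
    assigned = list(user.get("realmRoles", []))
    for path in user.get("groups", []):
        assigned += group_path_roles(realm, path)
    return set().union(*(expand_composite(realm, r) for r in assigned))

def holders_of(realm, client_role):
    """Audit view: every user who ends up holding one HCI-Client role."""
    return sorted(u["username"] for u in realm["users"]
                  if client_role in effective_client_roles(realm, u["username"]))
```

Run against a real export of the HCI realm, the same functions show who inherits a sensitive client role through a parent group rather than through a direct assignment.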
Additional help
For more information regarding Keycloak and its full suite of capabilities, refer to the official Keycloak documentation portal: https://www.keycloak.org/documentation