
I'm using oauth2-proxy/oauth2-proxy with Keycloak-oidc provider for authentication for some pods in my Kubernetes cluster.

I can specify which groups are allowed to access a resource using the --allowed-group argument such as below

- --allowed-group="/vm-users/vm-editors/vm-admins"

Which restricts login to members of the vm-admins group.

But when I set it to /vm-users/vm-editors, I'm no longer allowed to log in, as I have an indirect membership in vm-editors (it's set in FreeIPA, the user federation for Keycloak, so that members of the vm-admins group are also members of the vm-editors group).

I've tried /vm-users/vm-editors, /vm-users/vm-editors*, /vm-users/vm-editors/*; none of which work.

Is there a way to handle implicit/indirect group membership in this instance?

Paul
cclloyd
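As an added illustration (not code from oauth2-proxy or from the question), this shows why a user whose only direct group is /vm-users/vm-editors/vm-admins is admitted by one allow-list rule and not the other: it assumes the allow-list is compared against the groups claim as plain strings (the behaviour the symptom above is consistent with) and contrasts that with a hierarchical match that honours path-component boundaries; the sample claim is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: what Keycloak's group-membership mapper emits for the
// user in the question when "full group path" is enabled (direct groups only).
var sampleGroupsClaim = []string{"/vm-users/vm-editors/vm-admins"}

// exactMatch grants access only if one of the user's groups appears verbatim
// in the allow-list (assumed semantics for a plain string allow-list).
func exactMatch(allowed, groups []string) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[a] = struct{}{}
	}
	for _, g := range groups {
		if _, ok := set[g]; ok {
			return true
		}
	}
	return false
}

// ancestorMatch grants access if a user's group is an allowed group or sits
// below it in the Keycloak path hierarchy. Comparing against a+"/" rather than
// a bare prefix keeps "/vm-users/vm-editors" from also admitting members of a
// sibling such as "/vm-users/vm-editors-guests"; an empty rule is rejected
// because "" would otherwise be a prefix of every group path.
func ancestorMatch(allowed, groups []string) bool {
	for _, a := range allowed {
		a = strings.TrimRight(a, "/")
		if a == "" {
			continue
		}
		for _, g := range groups {
			if g == a || strings.HasPrefix(g, a+"/") {
				return true
			}
		}
	}
	return false
}

func main() {
	for _, rule := range []string{"/vm-users/vm-editors/vm-admins", "/vm-users/vm-editors", "/vm-users/vm-editors*"} {
		fmt.Printf("%-32s exact=%-5v ancestor=%v\n", rule,
			exactMatch([]string{rule}, sampleGroupsClaim), ancestorMatch([]string{rule}, sampleGroupsClaim))
	}
}
```

Under exact matching the wildcard forms from the question are just literal strings that match nothing, which is what the table printed by main shows.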

0 Answers