Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to login in to the webconsole #120

Open
sreejithwpg opened this issue Mar 8, 2021 · 8 comments
Open

Unable to login in to the webconsole #120

sreejithwpg opened this issue Mar 8, 2021 · 8 comments
Labels
enhancement

Comments

@sreejithwpg
Copy link

Hi,

When I am trying to access the web console of kubebox(installed on my k8s) using the custom RBAC name and token(base 64 decoded), I am getting the error "authetication failed for http:///master". How can I override the error?
kubebox
@astefanutti
Copy link
Owner

By default, when deploying the console with the Kubernetes.yaml, it uses the kubebox ServiceAccount token to authenticate the console to the API server.

It's possible to pass a token, but the username must be left empty in that case, otherwise it uses username/password authentication.

Could you please make sure you do not fill the username field at the same time than the token?

@sreejithwpg
Copy link
Author

I have created a custom serviceaccount with limited privileges and attached it to kubebox deployment. But it showing the same authentication error pasted on the above comment. Also, I have supplied the base 64 decoded token manually to the web console but getting the same error

@astefanutti
Copy link
Owner

Ah ok, my guess would be that the ServiceAccount you've created is a bit too restrictive. They are a couple of requests that Kubebox assumes it's granted permission to perform, like listing the namespaces.

Could you please share the ServiceAccount you use?

@sreejithwpg
Copy link
Author

image

@astefanutti
Copy link
Owner

I see, it restricts Kubebox permissions to a single namespace. I think it is similar to #71, except it concerns the Web console version. In essence, Kubebox lists the namespaces if no one is set in the current context. And currently, the Web console cannot determine the namespace it's deployed into.

As a work-around, you could try adding a ClusterRole with only the get and list permissions on the namespaces resources.

@sreejithwpg
Copy link
Author

How can I avoid listing namespace, is it possible to set default namespace?

@astefanutti
Copy link
Owner

I don't think it's currently possible to set the default namespace in the Web version. It may be possible to import a kubeconfig file, with the namespace set, as proposed in #71, but I haven't tested it.

It should be possible to either rely on an environment variable, or simply default to the namespace where the console is deployed into.

I propose to keep that issue open until we provide proper support for your use case.

@sreejithwpg
Copy link
Author

I have created a custom kubeconfig file with restricted access and configured it into the pod successfully. However, the kubebox is requiring permission for listing all the namespace. Is there any way to disable this and restrict it to a single namespace? My custom kubeconfig is already limiting the access but the kubebox need NS listing access.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@astefanutti @sreejithwpg