AKS v1.16.7 dashboard login not working on Chrome/Firefox #1615
Comments
|
Is anyone looking at above issue? |
|
We're investigating the other related dashboard issues, but I have not encountered this one. I am able to login to the dashboard via chrome on a 1.16.7 cluster. Could you open a support request and share the SR# so we can diagnose the cluster a bit more? cc @robbiezhang |
|
@jluk Hi Justin, We have the exact same problem. The only addition to above use case is that we use PIM. However, following the same procedure with any non-PIM activated admin/user, the provided token allows access to dashboard. Another noticeable event, using the access token of non-PIM user that does not have access, will cause a 401 error in login screen of the dashboard, while PIM enabled users don't even get an error. It just doesn't do anything. Other kubectl command work just fine for PIM activated user tokens. |
|
@nexxbizdev @jluk: I believe this is closely related to this GitHub issue: Issue#2981 The problem is that the token used to authentication can often be too long. This results in a jweToken cookie size which is too large for most browsers to handle. When this occurs the dashboard simply does nothing when you enter a token and click the login button (no error messages). However, when using the browser debugger on FireFox I can see a warning in the console about the jweToken cookie being too large. For some reason I don't see this warning on Chrome but it seems like the same login issue behavior. Also, to some of my points in the original post I believe why the admin account and service accounts may work on Chrome/Firefox is because their auth tokens are much smaller, therefore resulting in a jweToken cookie which is of acceptable size. Also @jluk, I can create a SR but this issue is present in multiple AKS clusters. All clusters which have upgraded to v1.16.7 have this issue (since that version comes with the new dashboard). |
|
I can confirm that the tokens of PIM users we have tested (may have nothing to do with PIM) are indeed larger than 5KB! |
|
I also created a similar post over on the Kubernetes dashboard GitHub after this issue here was stale for a while which can be located here. The suggested solution can be found in this comment by one of the members of the k8s dashboard project. I feel a number of Azure users are going to be running into this issue after upgrading their clusters to v1.16.7. |
|
Action required from @Azure/aks-pm |
|
Issue needing attention of @Azure/aks-leads |
|
Closing as per answer from both AKS team and dashboard contributors on the dahsboard issue. Also AKS just released: https://azure.microsoft.com/en-us/updates/kubernetes-resource-view-is-in-public-preview/ |
ghost
locked as resolved and limited conversation to collaborators
What happened:
After upgrading from AKS v1.15.7 to v1.16.7 the Kubernetes dashboard login is not functioning on Chrome/Firefox web browsers. Note this is related to the new token authentication requirement in the latest dashboard version. After entering a token and attempting to sign in, users are not able to login to the dashboard and no errors are returned indicating login failure (i.e. Forbidden errors). When clicking the login button nothing seems to happen and the browser just stays at the login page. 200 status codes can be seen in browser debugging tools after clicking login button. When entering the same exact token on Microsoft Edge the dashboard logs in as expected!
What you expected to happen:
Kubernetes dashboard is available on Chrome/Firefox in the same manner as it's accessible on Microsoft Edge on AKS v1.16.7.
How to reproduce it (as minimally and precisely as possible):
az account get-access-token --query accessToken -o tsv)Anything else we need to know?:
Environment:
kubectl version): 1.15 (also occurs with latest version 1.18.0)The text was updated successfully, but these errors were encountered: