Fix authentication error in system-test #729

Merged
merged 2 commits into from
May 21, 2022

Conversation

int128 (Owner) commented May 21, 2022

Problem to solve

```
# see the setup instruction
kubectl oidc-login setup \
	--oidc-issuer-url=https://dex-server:10443/dex \
	--oidc-client-id=YOUR_CLIENT_ID \
	--oidc-client-secret=YOUR_CLIENT_SECRET \
	--oidc-extra-scope=email \
	--certificate-authority=../cert/ca.crt \
	--browser-command=/home/runner/work/kubelogin/kubelogin/bin/chromelogin
authentication in progress...
08:30:30.446683 main.go:54: location: https://dex-server:10443/dex/auth/local?req=dfeoyatqf2rz6tt4ipa4vhjjp
08:30:30.502648 main.go:89: location: https://dex-server:10443/dex/auth/local?req=dfeoyatqf2rz6tt4ipa4vhjjp [dex]
08:30:30.979216 main.go:89: location: https://dex-server:10443/dex/approval?req=dfeoyatqf2rz6tt4ipa4vhjjp [dex]
08:30:31.133477 main.go:89: location: http://localhost:8000/?code=abqsvbxq3oyzr44eajcnk3poh&state=aEkzzDvpr8YCznEcfK74BJnQoliUIuBAzqvADdEtAoM [Authenticated]

## 2. Verify authentication

You got a token with the following claims:

{
  "iss": "https://dex-server:10443/dex",
  "sub": "CiQwOGE4Njg0Yi1kYjg4LTRiNzMtOTBhOS0zY2QxNjYxZjU0NjYSBWxvY2Fs",
  "aud": "YOUR_CLIENT_ID",
  "exp": 1651998631,
  "iat": 1651912231,
  "nonce": "3khHllIDlWAnTU3SU_-0GBVh7e8uB88f1NpJkc1hdcU",
  "at_hash": "3VMEnmkrPsAPkcUrh21NYw",
  "email": "admin@example.com",
  "email_verified": true
}

## 3. Bind a cluster role

Run the following command:

	kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='https://dex-server:10443/dex#CiQwOGE4Njg0Yi1kYjg4LTRiNzMtOTBhOS0zY2QxNjYxZjU0NjYSBWxvY2Fs'

## 4. Set up the Kubernetes API server

Add the following options to the kube-apiserver:

	--oidc-issuer-url=https://dex-server:10443/dex
	--oidc-client-id=YOUR_CLIENT_ID

## 5. Set up the kubeconfig

Run the following command:

	kubectl config set-credentials oidc \
	  --exec-api-version=client.authentication.k8s.io/v1beta1 \
	  --exec-command=kubectl \
	  --exec-arg=oidc-login \
	  --exec-arg=get-token \
	  --exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
	  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
	  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
	  --exec-arg=--oidc-extra-scope=email \
	  --exec-arg=--certificate-authority=../cert/ca.crt \
	  --exec-arg=--browser-command=/home/runner/work/kubelogin/kubelogin/bin/chromelogin

## 6. Verify cluster access

Make sure you can access the Kubernetes cluster.

	kubectl --user=oidc get nodes

You can switch the default context to oidc.

	kubectl config set-context --current --user=oidc

You can share the kubeconfig to your team members for on-boarding.
# set up the kubeconfig
kubectl config set-credentials oidc \
	--exec-api-version=client.authentication.k8s.io/v1beta1 \
	--exec-command=kubectl \
	--exec-arg=oidc-login \
	--exec-arg=get-token \
	--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
	--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
	--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
	--exec-arg=--oidc-extra-scope=email \
	--exec-arg=--certificate-authority=../cert/ca.crt \
	--exec-arg=--browser-command=/home/runner/work/kubelogin/kubelogin/bin/chromelogin
User "oidc" set.
# make sure we can access the cluster
kubectl --user=oidc cluster-info
08:30:31.571094 main.go:54: location: https://dex-server:10443/dex/auth/local?req=a4skzc2atscdvn5uymc3ejo6p
08:30:31.587480 main.go:89: location: https://dex-server:10443/dex/auth/local?req=a4skzc2atscdvn5uymc3ejo6p [dex]
08:30:31.871513 main.go:89: location: https://dex-server:10443/dex/approval?req=a4skzc2atscdvn5uymc3ejo6p [dex]
08:30:31.941143 main.go:89: location: http://localhost:8000/?code=cqopifao5dmpn2lcjmukbjed7&state=odjVXVTZHfRCwutamT_FlwuGPuNmSkophGR3VhOGeDg [Authenticated]

error: You must be logged in to the server (Unauthorized)
```

https://github.com/int128/kubelogin/runs/6333312005?check_suite_focus=true

How to solve

It seems the place of kubeadmConfigPatches has been moved.
https://kind.sigs.k8s.io/docs/user/configuration/#kubeadm-config-patches

int128 (Owner, Author) commented May 21, 2022

```
E0521 04:38:26.233498       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"
```
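The symptom above (a successful Dex login followed by `Unauthorized`, with the kube-apiserver logging `invalid bearer token`) is what you get when the OIDC issuer and client ID from step 4 of `kubectl oidc-login setup` never reached the kube-apiserver. The script below is an added example, not kubelogin's own system-test or the change merged in this PR: it writes a kind cluster config with `kubeadmConfigPatches` at the top level of the `Cluster` object (where the linked kind documentation places it) and provides a check that the running kube-apiserver actually carries the expected `--oidc-issuer-url` and `--oidc-client-id` flags. The issuer URL and client ID are the ones from the log above; the `oidc-ca-file` path `/etc/kubernetes/pki/dex-ca.crt` is an assumption (Dex in this setup uses a private CA, so the apiserver needs it to verify the issuer), and the sample command lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not kubelogin's own code). Assumes a kind cluster and the
# Dex issuer / client ID from the PR's setup output. The CA file path below is
# hypothetical and must be mounted into the control-plane node.

ISSUER_URL="https://dex-server:10443/dex"
CLIENT_ID="YOUR_CLIENT_ID"

# Emit a kind config whose kubeadmConfigPatches sits at the top level of the
# Cluster object. The patch sets the kube-apiserver flags from step 4 of
# `kubectl oidc-login setup`; a patch placed anywhere else is silently ignored
# and the apiserver starts without any OIDC authenticator.
write_kind_config() {
  cat <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
- |
  kind: ClusterConfiguration
  apiServer:
    extraArgs:
      oidc-issuer-url: "${ISSUER_URL}"
      oidc-client-id: "${CLIENT_ID}"
      oidc-ca-file: /etc/kubernetes/pki/dex-ca.crt
nodes:
- role: control-plane
EOF
}

# Verify that a kube-apiserver command line contains both OIDC flags with the
# expected values. Returns 0 when both match, 1 otherwise. Against a live
# cluster, feed it the static pod's command array:
#   check_apiserver_oidc_flags "$(kubectl -n kube-system get pod \
#     -l component=kube-apiserver \
#     -o jsonpath='{.items[0].spec.containers[0].command}')"
check_apiserver_oidc_flags() {
  cmdline="$1"
  case "$cmdline" in
    *"--oidc-issuer-url=${ISSUER_URL}"*) ;;
    *) echo "kube-apiserver: missing or wrong --oidc-issuer-url" >&2; return 1 ;;
  esac
  case "$cmdline" in
    *"--oidc-client-id=${CLIENT_ID}"*) ;;
    *) echo "kube-apiserver: missing or wrong --oidc-client-id" >&2; return 1 ;;
  esac
  return 0
}

# Typical use: write the config, create the cluster, then check the apiserver
# before running any OIDC login so a misplaced patch fails fast instead of
# surfacing later as "Unauthorized".
#   write_kind_config > kind.yaml
#   kind create cluster --config kind.yaml
#   check_apiserver_oidc_flags "$(kubectl -n kube-system get pod \
#     -l component=kube-apiserver \
#     -o jsonpath='{.items[0].spec.containers[0].command}')" || exit 1
```

Run the check right after `kind create cluster`: if it fails, the token kubelogin obtains from Dex is never evaluated by the OIDC authenticator, so the apiserver's `invalid bearer token` log line is expected and no RBAC binding will help.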

@int128 int128 changed the title Show log of kube-apiserver Fix authentication error in system-test May 21, 2022
@int128 int128 marked this pull request as ready for review May 21, 2022 04:56
@int128 int128 merged commit ed723fe into master May 21, 2022
@int128 int128 deleted the fix-authentication-error branch May 21, 2022 04:57