Incorrect ServiceAccount used for Multi-cluster when using OpenID without RBAC #6308
Just briefly looking at the proposed fix, that seems correct. @nrfox you are familiar with this stuff - what do you think?
I also know most of the recent testing done for the Kiali multi-cluster support has been with primary-remote mode. There is going to be work in the future to ensure things work better in multi-primary -- this might be one of those things.
I was able to see a similar error when I did the following:
I get this
I forgot to add it to the initial post, but that's the same stacktrace I was getting. The other error I was getting was along the lines of "Error getting namespaces from cluster ...: Unauthorized"
@BeryJu this is a bug and thanks for taking the time to investigate and identify a fix for this. The patch you posted looks fine to me since openid auth strategy with rbac disabled uses the kiali service account when communicating with the kube API the same way that anonymous mode does. We should even be able to just return the existing kiali SA client here rather than creating a new one. Would you like to open a PR for this change?
I'm having a similar issue with the token strategy. All resources from the remote cluster are showing an unauthorized error.
@herzcthu the token auth strategy is not supported for multi-cluster since service accounts are scoped to a specific cluster. Only anonymous and openid are currently supported: https://kiali.io/docs/configuration/multi-cluster/#requirements.
Thanks for pointing that out. I misread the documentation. I have now changed it to anonymous and it is working well. Will change to openid later.
Hi, I've noticed that in my setup the graphs haven't worked for some time and I would always just get an "Unauthorised" log message from Kiali.
After quite a bit of digging I found this:
I'm using Kiali in a multi-primary multi-cluster Istio setup, configured with OpenID authentication with disable_rbac: true set. From my understanding of the docs here https://kiali.io/docs/configuration/authentication/openid/#set-up-with-no-namespace-access-control-support, with this flag disabled, the multi-cluster graphs should behave the same as with anonymous authentication, or am I missing something?
Excuse the lack of more details in the descriptions. I forgot to take notes while debugging this, so let me know if anything is unclear.
Testing with a local build, this diff seems to fix the issue; however, there's probably a reason the current logic works the way it does.