Service Account Token Login #361

Closed
elieassi opened this issue Oct 25, 2022 · 6 comments
Comments

@elieassi

If your cluster is Kubernetes 1.24 or a more recent release, even though the clusterrolebinding role is executed correctly, a secret/token will not be automatically generated anymore for the serviceaccount.

You need to create a secret for the service account. The supplied commands plus creating the secret can all be achieved, for example, by the following file:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: skooner-sa
  namespace: skooner-dashboard # whichever namespace you deployed skooner dashboard to
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: skooner-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: skooner-sa
  namespace: skooner-dashboard # whichever namespace you deployed skooner dashboard to
---
apiVersion: v1
kind: Secret
metadata:
  name: skooner-sa-token
  namespace: skooner-dashboard # whichever namespace you deployed skooner dashboard to
  annotations:
    kubernetes.io/service-account.name: skooner-sa
type: kubernetes.io/service-account-token
---
```
@matthiasbaldi

I did exactly that and additionally "matched" the ServiceAccount over the secrets attribute to the secret itself.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: skooner-sa
  namespace: skooner-dashboard # whichever namespace you deployed skooner dashboard to
secrets:
  - name: skooner-sa-token
```

But I still get `2022-11-10T16:23:02.110Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403` in the logs.
Were you able to log in after setting this configuration?
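The two manifests above only work if the three objects actually refer to each other: the Secret must carry the `kubernetes.io/service-account.name` annotation, sit in the same namespace as the ServiceAccount, and the ClusterRoleBinding subject must name that same account. The following is an added example, not code from this issue or from the Skooner project, that cross-checks those references before you `kubectl apply`. It assumes the manifest has already been parsed into dicts (as `yaml.safe_load_all()` would return); the `sa_token_manifest` helper and the `GOOD`/`UNLINKED`/`MISMATCHED` scenarios are constructed sample data mirroring the posted manifest, and the `cluster-admin` warning is a least-privilege note, not a statement about what the dashboard requires.

```python
"""Cross-check a ServiceAccount, its ClusterRoleBinding and its token Secret.

Added example, not Skooner project code. Objects are assumed to be plain
dicts as yaml.safe_load_all() returns them from a manifest like the one
posted above; the sample data below is constructed to mirror that manifest.
"""
import copy

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"


def sa_token_manifest(sa_name, namespace, secret_name, link_secret=True):
    """Build the three objects from the issue as dicts (constructed sample data).

    link_secret=True also adds the ServiceAccount 'secrets:' entry from the
    follow-up comment, tying the account to the token Secret explicitly.
    """
    sa = {"apiVersion": "v1", "kind": "ServiceAccount",
          "metadata": {"name": sa_name, "namespace": namespace}}
    if link_secret:
        sa["secrets"] = [{"name": secret_name}]
    crb = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
           "metadata": {"name": sa_name},
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                       "kind": "ClusterRole", "name": "cluster-admin"},
           "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                         "namespace": namespace}]}
    secret = {"apiVersion": "v1", "kind": "Secret",
              "metadata": {"name": secret_name, "namespace": namespace,
                           "annotations": {SA_NAME_ANNOTATION: sa_name}},
              "type": SA_TOKEN_TYPE}
    return [sa, crb, secret]


def _ns_name(meta):
    """(namespace, name) of an object, defaulting the namespace like kubectl does."""
    return meta.get("namespace", "default"), meta["name"]


def check_sa_token_manifest(objs):
    """Return (level, message) findings.

    'error': the token Secret will not be bound to the account you expect.
    'warn' : applies fine, but worth a second look (scope, missing explicit link).
    """
    objs = list(objs)
    findings = []
    sas = {_ns_name(o["metadata"]): o for o in objs if o.get("kind") == "ServiceAccount"}
    if not sas:
        return [("error", "no ServiceAccount found")]

    token_secrets = [o for o in objs
                     if o.get("kind") == "Secret" and o.get("type") == SA_TOKEN_TYPE]
    if not token_secrets:
        findings.append(("error", f"no Secret of type {SA_TOKEN_TYPE}; "
                         "on Kubernetes 1.24+ one is not created automatically"))

    for sec in token_secrets:
        ns, name = _ns_name(sec["metadata"])
        target = sec["metadata"].get("annotations", {}).get(SA_NAME_ANNOTATION)
        if target is None:
            findings.append(("error", f"Secret {ns}/{name}: missing {SA_NAME_ANNOTATION} annotation"))
            continue
        sa = sas.get((ns, target))
        if sa is None:
            # The annotation is resolved within the Secret's own namespace.
            findings.append(("error", f"Secret {ns}/{name}: annotation names {ns}/{target}, "
                             "which is not a ServiceAccount in this manifest "
                             "(the Secret must live in the account's namespace)"))
            continue
        if name not in {s.get("name") for s in sa.get("secrets", [])}:
            findings.append(("warn", f"ServiceAccount {ns}/{target}: 'secrets' list does not "
                             f"reference {name}"))

    for crb in (o for o in objs if o.get("kind") == "ClusterRoleBinding"):
        crb_name = crb["metadata"]["name"]
        role = crb.get("roleRef", {})
        if role.get("kind") == "ClusterRole" and role.get("name") == "cluster-admin":
            findings.append(("warn", f"ClusterRoleBinding {crb_name}: grants cluster-admin; "
                             "confirm that scope is intended for a dashboard account"))
        for subj in crb.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace", "default"), subj.get("name"))
            if key not in sas:
                findings.append(("error", f"ClusterRoleBinding {crb_name}: subject "
                                 f"{key[0]}/{key[1]} matches no ServiceAccount in this manifest"))
    return findings


# Constructed scenarios: the manifest as posted, one without the explicit
# 'secrets:' link, and one where the Secret landed in the wrong namespace.
GOOD = sa_token_manifest("skooner-sa", "skooner-dashboard", "skooner-sa-token")
UNLINKED = sa_token_manifest("skooner-sa", "skooner-dashboard", "skooner-sa-token",
                             link_secret=False)
MISMATCHED = copy.deepcopy(GOOD)
MISMATCHED[2]["metadata"]["namespace"] = "default"

if __name__ == "__main__":
    for label, objs in (("good", GOOD), ("unlinked", UNLINKED), ("mismatched", MISMATCHED)):
        print(label)
        for level, msg in check_sa_token_manifest(objs):
            print(f"  [{level}] {msg}")
```

This only checks that the manifest is internally consistent; it says nothing about cluster state. Once the objects are applied, the control plane fills the Secret's `data.token` for the annotated account, so a 403 after a clean check points at the binding's scope or at a different account being used than the one the Secret is tied to.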

@yuqiuw
Collaborator

yuqiuw commented Nov 10, 2022

Hi @matthiasbaldi , I'm actively working on a patch for this issue. Please wait for an hour till I push it.

@matthiasbaldi

Oh cool 👍 Thank you.

@yuqiuw
Collaborator

yuqiuw commented Nov 10, 2022

Basically, could you try creating your secret with

```shell
kubectl create secret generic skooner \
--from-literal=url=$OIDC_URL \
--from-literal=id=$OIDC_ID \
--from-literal=secret=$OIDC_SECRET \
--namespace=kube-system
```

Note that you don't need double quotes for the `--from-literal` parameters.

Also there's another issue around clusterRole, I'm pushing something to a patch branch...

@yuqiuw
Collaborator

yuqiuw commented Nov 10, 2022

OK, I pushed this branch: #368. It's basically just README updates with some examples. Feel free to read through it.

@yuqiuw
Collaborator

yuqiuw commented Nov 10, 2022

Hi @elieassi, I included your suggestion in the README, thanks for the contribution. @matthiasbaldi a new stable was released; please follow the troubleshooting part for Keycloak. Please open a new issue if you're still blocked.

@yuqiuw yuqiuw closed this as completed Nov 10, 2022