
Problem using OIDC authentication #39

Closed
JrCs opened this issue Sep 24, 2019 · 10 comments

Comments

@JrCs

JrCs commented Sep 24, 2019

Hi, when I try to use my OIDC (Keycloak) with k8dash it doesn't work.
In the pod logs I have:

[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.96.0.1:443
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403
GET /favicon.ico 200
GET /static/js/2.db22b280.chunk.js.map 304
GET /static/js/main.34226f17.chunk.js.map 304
GET /static/css/main.0d6d7525.chunk.css.map 304
GET /static/css/2.b522e268.chunk.css.map 304
(node:8) UnhandledPromiseRejectionWarning: ReferenceError: next is not defined
    at getOidc (/usr/src/app/index.js:79:9)
    at processTicksAndRejections (internal/process/task_queues.js:89:5)
(node:8) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)

and in the browser network tab, for the path
/apis/authorization.k8s.io/v1/selfsubjectrulesreviews, I have the response:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "selfsubjectrulesreviews.authorization.k8s.io is forbidden: User \"system:anonymous\" cannot create resource \"selfsubjectrulesreviews\" in API group \"authorization.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "group": "authorization.k8s.io",
    "kind": "selfsubjectrulesreviews"
  },
  "code": 403
}

I don't understand why k8dash uses the system:anonymous account.

I use k8s version 1.15.4

@zhixiangjoy

I guess you didn't do RBAC for the service account that you use to log in. Please forgive my poor English.

@SebastienTolron

Hey.

Got the exact same problem.

It would be good to have some debug information.

I know that this often happens with X509 self-signed certs.

Got it fixed by using a LetsEncrypt cert.

There should be a better error message to help us understand.

@SebastienTolron

@JrCs Have you resolved it ?

@SebastienTolron

As a temporary workaround you can set the Node env var

        - name: NODE_TLS_REJECT_UNAUTHORIZED
          value: "0"

This makes it work, but it is not really secure.

A fix to provide a custom RootCa would be great :)

@JrCs
Author

JrCs commented Mar 5, 2020

No it's not resolved for me.

@rdavyd

rdavyd commented Feb 8, 2021

Same here for 1.19.7 cluster. It did not work even when I added the binding to cluster-admin role.

@sbriskin

I have exactly the same problem. It works fine with minikube, but in cluster v1.20 it fails. Any chance to find the solution?

@yuqiuw
Collaborator

yuqiuw commented Feb 22, 2022

Hi guys, could you first check your server logs? kubectl logs deploy/skooner --namespace=kube-system
If the beginning of the logs shows OIDC_URL: None, and/or your OIDC endpoint, e.g. http://skooner.example.com/oidc, returns an empty JSON, this means you need to pass in the correct ENV vars.

@evijayan2

Same issue when using OIDC.
In server logs:
2022-03-21T14:16:34.263Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403

In UI logs:
Uncaught (in promise) Error: Api request error: Forbidden - selfsubjectrulesreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectrulesreviews" in API group "authorization.k8s.io" at the cluster scope

I tried setting the env variable
NODE_TLS_REJECT_UNAUTHORIZE=0

@yuqiuw
Collaborator

yuqiuw commented Nov 10, 2022

A new stable release is out and we fixed two documentation flaws.
Please follow through the Keycloak troubleshooting section and report any issues in a new ticket or reopen this one. Thanks!

@yuqiuw yuqiuw closed this as completed Nov 10, 2022
7 participants