OIDC Login does not work #11208
Comments
Does it even start like this? I have no idea what you are doing here. It needs to be an actual YAML list and not a string. Also the key is `kube-apiserver-arg`:

```yaml
- "oidc-issuer-url=https://sts.windows.net/4ee07d4d-79a8-4a9e-a038-e7c2e314b532/"
- "oidc-client-id=59237398-07f6-4b9f-925b-8cb0428c4f26"
- "oidc-groups-claim=groups"
- "oidc-groups-prefix=oidc:"
- "oidc-username-claim=upn"
- "oidc-username-prefix=oidc:"
```
These are notes to take to the upstream project. K3s is a Kubernetes distro; we do not maintain the apiserver or other components ourselves. If you have complaints about how the apiserver behaves, those should be directed to https://github.com/kubernetes/kubernetes/
Omg, I'm so sorry. I'm not sure where and how in my setup the `kube-apiserver-arg` key became so messed up. It works now. Closed.
Environmental Info:
K3s Version:
Node(s) CPU architecture, OS, and Version:
Cluster Configuration:
3 servers, 7 agents
Describe the bug:
I've started the k3s servers with these kubelet args:
I get a new token with

```shell
kubectl oidc-login get-token --oidc-issuer-url=https://sts.windows.net/4ee07d4d-79a8-4a9e-a038-e7c2e314b532/ --oidc-client-id=59237398-07f6-4b9f-925b-8cb0428c4f26 --oidc-client-secret=<secret> --force-refresh
```
I created this cluster-role-binding:
When trying to authenticate against the k8s API with the fetched token I just get:

```shell
curl -H "Authorization: Bearer $TOKEN" -X GET https://example.com:6443/api --insecure
```

When looking at the k3s server logs with `journalctl -fu k3s`, I'll just get a generic:

Here is the decoded token in JSON format:
Steps To Reproduce:
Expected behavior:
As I configured everything to be matching, I'd expect to be able to auth myself.
Otherwise, I'd expect that the server logs give me a better error message, i.e. WHAT is wrong with my token.
Actual behavior:
Instead, I wasn't able to log in and got only a generic error message.
Additional context / logs:
Also tried to start k3s with `--debug`, but this didn't change the verbosity of the failing authentication.

Disclaimer: I changed the UUIDs for privacy reasons.
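The two failure modes discussed on this page (the maintainer's point that `kube-apiserver-arg` must be a YAML list of `name=value` strings rather than one string, and the reporter's wish for a clearer explanation of why the token is rejected) can both be checked offline before touching the cluster. The script below is an added example, not code from the k3s project or from either participant. It assumes the config has already been loaded by a YAML parser (the `CONFIG_*` dicts are constructed stand-ins for that result, using the flag values from the page), and it inspects a JWT's payload without verifying the signature, which is fine for diagnosing claim mismatches but is not an authentication check. The `make_test_token` helper and the sample claims are constructed for the example.

```python
import base64
import json

ISSUER = "https://sts.windows.net/4ee07d4d-79a8-4a9e-a038-e7c2e314b532/"
CLIENT_ID = "59237398-07f6-4b9f-925b-8cb0428c4f26"

# Constructed stand-ins for the parsed /etc/rancher/k3s/config.yaml (what a YAML
# loader returns). The wrong form stores the flags as a single string; the right
# form is a YAML list of "name=value" items, which is what k3s hands to the apiserver.
CONFIG_WRONG = {"kube-apiserver-arg": "oidc-issuer-url=%s oidc-client-id=%s" % (ISSUER, CLIENT_ID)}
CONFIG_RIGHT = {
    "kube-apiserver-arg": [
        "oidc-issuer-url=" + ISSUER,
        "oidc-client-id=" + CLIENT_ID,
        "oidc-groups-claim=groups",
        "oidc-groups-prefix=oidc:",
        "oidc-username-claim=upn",
        "oidc-username-prefix=oidc:",
    ]
}


def apiserver_oidc_args(config):
    """Return the oidc-* apiserver flags as a dict; raise if the key is not a list."""
    raw = config.get("kube-apiserver-arg")
    if not isinstance(raw, list):
        raise ValueError("kube-apiserver-arg must be a YAML list of name=value strings, got %s"
                         % type(raw).__name__)
    args = {}
    for item in raw:
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("apiserver arg without '=': %r" % item)
        if name.startswith("oidc-"):
            args[name] = value
    return args


def config_problem(config):
    """None when the config shape is acceptable, else a human-readable message."""
    try:
        apiserver_oidc_args(config)
        return None
    except ValueError as exc:
        return str(exc)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_token(claims):
    """Constructed helper: build a JWS-shaped token with a dummy signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"not-a-real-signature"))


def decode_jwt_claims(token):
    """Decode the payload segment only. No signature check: inspection, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    return json.loads(_b64url_decode(parts[1]))


def check_token_against_args(claims, args):
    """List the mismatches the apiserver would reject with only a generic error."""
    problems = []
    # The apiserver compares the token's iss with --oidc-issuer-url exactly, slash included.
    if claims.get("iss") != args.get("oidc-issuer-url"):
        problems.append("iss %r != oidc-issuer-url %r" % (claims.get("iss"), args.get("oidc-issuer-url")))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if args.get("oidc-client-id") not in audiences:
        problems.append("aud %r does not contain oidc-client-id %r" % (aud, args.get("oidc-client-id")))
    username_claim = args.get("oidc-username-claim", "sub")  # apiserver default is "sub"
    if username_claim not in claims:
        problems.append("username claim %r missing from token" % username_claim)
    groups_claim = args.get("oidc-groups-claim")
    if groups_claim and groups_claim not in claims:
        problems.append("groups claim %r missing from token" % groups_claim)
    return problems


def run_example():
    """Check one matching token and one mismatched token against the correct config."""
    args = apiserver_oidc_args(CONFIG_RIGHT)
    good = make_test_token({"iss": ISSUER, "aud": CLIENT_ID, "upn": "alice@example.com",
                            "groups": ["cluster-admins"]})
    # Constructed mismatch: issuer without trailing slash and the name under a different claim.
    bad = make_test_token({"iss": ISSUER.rstrip("/"), "aud": CLIENT_ID,
                           "preferred_username": "alice@example.com", "groups": ["cluster-admins"]})
    return (check_token_against_args(decode_jwt_claims(good), args),
            check_token_against_args(decode_jwt_claims(bad), args))


if __name__ == "__main__":
    print("wrong config:", config_problem(CONFIG_WRONG))
    for label, problems in zip(("good token", "bad token"), run_example()):
        print(label, "->", problems or "no mismatches")
```

Run it as-is to see the string-valued config rejected and the second token flagged for both the issuer spelling and the missing `upn` claim; to use it on a real token, pass the output of `kubectl oidc-login get-token` to `decode_jwt_claims` and the loaded `config.yaml` to `apiserver_oidc_args`.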