
Cannot run with oidc keycloak #17456

Closed
nicraMarcin opened this issue Oct 22, 2023 · 2 comments

@nicraMarcin

What Happened?

I try to run minikube with OIDC but it doesn't work.

minikube start --driver=kvm2 --embed-certs \
  --extra-config=apiserver.authorization-mode=RBAC \
  --extra-config=apiserver.oidc-issuer-url=https://keycloak.ncrm.local/realms/ncrm \
  --extra-config=apiserver.oidc-username-claim=groups \
  --extra-config=apiserver.oidc-client-id=kube

Attach the log file

logs.txt

Operating System

Ubuntu

Driver

KVM2

@pnasrat
Contributor

pnasrat commented Oct 23, 2023

Note I'm just another minikube user starting to look at helping with triage.

This looks similar to the issue in #6061; as per the #6061 (comment), you have to specify all authorization-modes. I'm basing this on your logs:

W1022 13:24:53.430157    3130 manifests.go:254] the default kube-apiserver authorization-mode is "Node,RBAC"; using "RBAC"

Then from the logs you can see many issues reporting system:kube-scheduler permission errors:

* E1022 13:25:00.345699       1 reflector.go:148] pkg/server/dynamic certificates/configmap_cafile_content.go:206: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

Could you try --extra-config=apiserver.authorization-mode=Node,RBAC? Although that is the default, as minikube uses kubeadm (as you can see here: https://github.com/kubernetes/kubernetes/blob/4b48ab1fdbdeee3568790e44bea55ea719205025/cmd/kubeadm/app/phases/controlplane/manifests.go#L238), you should be able to just run:

minikube start --driver=kvm2 --embed-certs \
  --extra-config=apiserver.oidc-issuer-url=https://keycloak.ncrm.local/realms/ncrm \
  --extra-config=apiserver.oidc-username-claim=groups \
  --extra-config=apiserver.oidc-client-id=kube
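The diagnosis above rests on two observations in the minikube logs: a kubeadm warning that the configured authorization-mode replaced the default `Node,RBAC`, and a series of `forbidden` errors for control-plane identities afterwards. The following is an added example (not code from the issue or the minikube project) that automates both checks: it parses sample log lines modelled on the excerpts quoted in this thread, reports which authorization modes were dropped by the override, lists the identities that were denied, and also offers a preflight check on planned `--extra-config` flags. The `Node,RBAC` default is the one the thread states; the log lines are constructed.

```python
import re

# Constructed sample log, modelled on the lines quoted in this issue.
SAMPLE_LOG = """\
W1022 13:24:53.430157    3130 manifests.go:254] the default kube-apiserver authorization-mode is "Node,RBAC"; using "RBAC"
E1022 13:25:00.345699       1 reflector.go:148] pkg/server/dynamic certificates/configmap_cafile_content.go:206: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"
I1022 13:25:01.000000       1 example.go:1] unrelated informational line (constructed)
"""

# Default authorization modes kubeadm writes for kube-apiserver, as stated in the thread.
KUBEADM_DEFAULT_MODES = ["Node", "RBAC"]

OVERRIDE_RE = re.compile(
    r'the default kube-apiserver authorization-mode is "([^"]+)"; using "([^"]+)"'
)
FORBIDDEN_RE = re.compile(r'User "([^"]+)" cannot (\w+) resource "([^"]+)"')


def parse_authz_override(log):
    """Return (default_modes, used_modes, dropped_modes) from the kubeadm
    warning, or None when the log carries no such override warning."""
    for line in log.splitlines():
        m = OVERRIDE_RE.search(line)
        if m:
            default = m.group(1).split(",")
            used = m.group(2).split(",")
            dropped = [mode for mode in default if mode not in used]
            return default, used, dropped
    return None


def forbidden_users(log):
    """Collect (user, verb, resource) triples from 'is forbidden' error lines."""
    found = []
    for line in log.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m:
            found.append(m.groups())
    return found


def diagnose(log):
    """Produce human-readable findings: a dropped-mode warning with the
    corrective flag, followed by one line per denied identity."""
    findings = []
    override = parse_authz_override(log)
    if override:
        default, used, dropped = override
        if dropped:
            findings.append(
                f"authorization-mode override dropped {','.join(dropped)} "
                f"(default {','.join(default)}, using {','.join(used)}); "
                f"consider --extra-config=apiserver.authorization-mode={','.join(default)}"
            )
    for user, verb, resource in forbidden_users(log):
        findings.append(f"{user} is forbidden to {verb} {resource}")
    return findings


def check_authz_flag(args, default_modes=KUBEADM_DEFAULT_MODES):
    """Preflight for planned `minikube start` arguments: return the default
    modes that an explicit apiserver.authorization-mode flag would drop
    (empty list when the flag is absent or keeps every default mode)."""
    prefix = "--extra-config=apiserver.authorization-mode="
    for arg in args:
        if arg.startswith(prefix):
            used = arg[len(prefix):].split(",")
            return [mode for mode in default_modes if mode not in used]
    return []


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
    print("preflight drops:", check_authz_flag(
        ["--extra-config=apiserver.authorization-mode=RBAC"]))
```

Run it against a saved `minikube logs` output by reading the file into a string and passing it to `diagnose`; the preflight helper is meant to be applied to the argument list before `minikube start` is invoked, so an `authorization-mode` value that silently discards `Node` is caught before the control plane comes up with denied kubelets and scheduler.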

@nicraMarcin
Author

@pnasrat Thank you, this

--extra-config=apiserver.authorization-mode=Node,RBAC

helped.
I was going by the official minikube documentation; that's why I set it.
Thanks again.

pnasrat added a commit to pnasrat/minikube that referenced this issue Oct 23, 2023
Make docs reflect needed apiserver auth modes

For context see kubernetes#17456 and kubernetes#6061
pnasrat added a commit to pnasrat/minikube that referenced this issue Jan 23, 2024
Make docs reflect needed apiserver auth modes

For context see kubernetes#17456 and kubernetes#6061