astefanutti / kubebox

⎈❏ Terminal and Web console for Kubernetes
http://astefanutti.github.io/kubebox
MIT License

Unable to log in to the webconsole #120

Open sreejithwpg opened 3 years ago

sreejithwpg commented 3 years ago

Hi,

When I am trying to access the web console of kubebox (installed on my k8s) using the custom RBAC name and token (base64 decoded), I am getting the error "authetication failed for http:///master". How can I override the error?

astefanutti commented 3 years ago

By default, when deploying the console with the Kubernetes.yaml, it uses the kubebox ServiceAccount token to authenticate the console to the API server.

It's possible to pass a token, but the username must be left empty in that case, otherwise it uses username/password authentication.

Could you please make sure you do not fill the username field at the same time as the token?

sreejithwpg commented 3 years ago

I have created a custom ServiceAccount with limited privileges and attached it to the kubebox deployment. But it is showing the same authentication error pasted in the above comment. Also, I have supplied the base64-decoded token manually to the web console but am getting the same error.

astefanutti commented 3 years ago

Ah ok, my guess would be that the ServiceAccount you've created is a bit too restrictive. There are a couple of requests that Kubebox assumes it's granted permission to perform, like listing the namespaces.

Could you please share the ServiceAccount you use?

sreejithwpg commented 3 years ago

image

astefanutti commented 3 years ago

I see, it restricts Kubebox permissions to a single namespace. I think it is similar to #71, except it concerns the Web console version. In essence, Kubebox lists the namespaces if none is set in the current context. And currently, the Web console cannot determine the namespace it's deployed into.

As a work-around, you could try adding a ClusterRole with only the get and list permissions on the namespaces resources.
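The work-around described in the comment above, written out as manifests. This is an added example, not part of the thread or the Kubebox project; the object names, the ServiceAccount name `kubebox-restricted` and the namespace `my-namespace` are placeholders, since the ServiceAccount from the issue was only shared as an image.

```yaml
# Added example: every name below is a placeholder, not taken from the issue.
# Grants read-only access to Namespace objects only. The existing namespaced
# Role/RoleBinding continues to decide what the account can do inside its
# own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubebox-namespace-reader     # hypothetical name
rules:
  - apiGroups: [""]                  # core API group, where namespaces live
    resources: ["namespaces"]
    verbs: ["get", "list"]           # no watch, create, update or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubebox-namespace-reader     # hypothetical name
subjects:
  - kind: ServiceAccount
    name: kubebox-restricted         # placeholder: the custom ServiceAccount
    namespace: my-namespace          # placeholder: where Kubebox is deployed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubebox-namespace-reader
```

With this binding the account can read the names and metadata of every namespace in the cluster but still has no access to resources in namespaces other than its own. `kubectl auth can-i list namespaces --as=system:serviceaccount:my-namespace:kubebox-restricted` should answer `yes`, while the same check for `list pods -n` against any other namespace should still answer `no`.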

sreejithwpg commented 3 years ago

How can I avoid listing namespaces? Is it possible to set a default namespace?

astefanutti commented 3 years ago

I don't think it's currently possible to set the default namespace in the Web version. It may be possible to import a kubeconfig file, with the namespace set, as proposed in #71, but I haven't tested it.

It should be possible to either rely on an environment variable, or simply default to the namespace the console is deployed into.

I propose to keep that issue open until we provide proper support for your use case.

sreejithwpg commented 3 years ago

I have created a custom kubeconfig file with restricted access and configured it into the pod successfully. However, kubebox is requiring permission for listing all the namespaces. Is there any way to disable this and restrict it to a single namespace? My custom kubeconfig is already limiting the access but kubebox needs NS listing access.