Open batbattur opened 6 months ago
Also noted that the headlamp-admin
token doesn't get generated if the OIDC config is set in headlamp.
cc/ @yolossn
We confirmed that our external dex is working with argocd using https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider so it seems like there's an issue with headlamp.
@batbattur From the response that you have received from the Kubernetes API server (403 Response) looks like you might be missing the Cluster Role binding. Please refer this link for creating a cluster role binding for your group. I think this should help solve the problem.
In our dex connector, we have github with the following config that allows <someorg>:<somegroup>
login:
orgs:
- name: someorg
teams:
- somegroup
Then we have the following Cluster Role binding for the someorg:somegroup
which binds read-only permissions to it.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: read-only
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dex-cluster-auth
subjects:
- kind: Group
name: someorg:somegroup
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: read-only
I thought this should do it. Or does it specifically need a cluster-admin
role?
User \"system:anonymous\" cannot list resource \"events\" in API group \"\" at the cluster scope
Does system:anonymous
mean that it couldn't detect the logged-in user belonging to the github group?
Yes system:anonymous
means the Kubernetes API server couldn't identify the user from the token. From the details that you have already shared the decoded token has the group details in the key groups
and in the screenshot that you have shared the Group claims
value is configured as group
. Can you change it and check?
From the details that you have already shared the decoded token has the group details in the key groups and in the screenshot that you have shared the Group claims value is configured as group. Can you change it and check?
Thank you for the help! Unfortunately even after changing it to groups
in the EKS OIDC config, the same system:anonymous
403
error is still showing up.
We were trying to figure out which component (Headlamp
, or Dex
, or Kubernetes Server Api
) is the issue and tested configuring our Dex
with ArgoCD's oidc and confirmed that it works. If dex
is able to generate and send back the token, does this mean dex
is working properly and the issue might be with Kubernetes API server
and/or Headlamp
?
Headlamp just initiates the login flow, the actual verification of the token is done by the Kubernetes API server, This is a bit weird because the token has the group claims, and the API server is configured with proper group claims. Can you check if a user's authentication works by configuring user claims? I remember a similar issue was reported for Auth0 + EKS.
Can you check if a user's authentication works by configuring user claims?
How can I do this? Sorry, I am fairly new to Kubernetes and OIDC so I am not sure which settings I should be changing.
@batbattur For testing user claims make sure the token contains user specific information like userID and setup the ClusterRoleBinding for that specific userID. So that we can get an idea if this issue is happening specifically for groupClaims in eks.
Description
OIDC: No permissions to list pods. Similar to https://github.com/headlamp-k8s/headlamp/issues/393 and https://github.com/headlamp-k8s/headlamp/issues/1436
Impact
Cannot use headlamp after OIDC login
Environment and steps to reproduce
Set-up:
Then confirmed that logging in through github oauth successfully returns the jwt token (decoded):
Then the
No permissions to list pods
error shows up.Expected behavior
Expected to see cluster details
Additional information
What else should be configured? Any help would be appreciated!