search

headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0
1.9k stars 141 forks source link

GKE OIDC with Keycloak: "error":"illegal base64 data at input byte 699" - failed to decode payload #1829

Open Le1ns opened 4 months ago

Le1ns commented 4 months ago

Trying to connect headlamp with GKE cluster with oidc by keycloak. I have GKE cluster with oidc auth:

authentication:
  - name: oidc
    oidc:
      clientID: test-kubernetes-client
      cloudConsoleRedirectURI: https://keycloak.example.com/realms/test-kubernetes
      extraParams: resource=token-groups-claim,prompt=consent
      groupPrefix: 'oidc-group:'
      groupsClaim: groups
      issuerURI: https://keycloak.example.com/realms/test-kubernetes
      kubectlRedirectURI: https://localhost:8080/callback
      scopes: openid, email, groups
      userClaim: email
      userPrefix: 'oidc-user:'

By kubectl - all is ok. I deployed headlamp with the same oidc settings:

    clientID: "bbcom-test-kubernetes-client"
    # -- OIDC client secret
    issuerURL: "https://keycloak.example.com/realms/test-kubernetes"
    # -- OIDC scopes to be used
    scopes: "openid,email,groups"

After login as le1ns@example.com - i see error in devtools - 401 and error in console: DevTools:

{
   "kind":"Status",
   "apiVersion":"v1",
   "metadata":{

   },
   "status":"Failure",
   "…"
}"apiVersion":"v1""code":"403
details":{
   "group":"metrics.k8s.io",
   "kind":"nodes"
}"group":"metrics.k8s.io""kind":"nodes""kind":"Status""message":"nodes.metrics.k8s.io is forbidden: User \"system:anonymous\" cannot list resource \"nodes\" in API group \"metrics.k8s.io\" at the cluster scope""metadata":{

}"reason":"Forbidden""status":"Failure"

Console:

{"level":"error","source":"/headlamp/backend/cmd/headlamp.go","line":697,"error":"illegal base64 data at input byte 699","time":"2024-03-20T13:09:04Z","message":"failed to decode payload"}

And if i try to switch to storage or nodes or network bar - i got auth screen: use token or sign in I have correct RBAC with user prefix oidc-user:le1ns@example.com as cluster-admin - i tested by kubectl

So, i have the same error by using kubernetes-dashboard If u can, would be nice if u ll make guid for GKE or helped to solve problem with payload If need, i can say my env in keycloak or gke

joaquimrocha commented 4 months ago

cc/ @yolossn

yolossn commented 3 months ago

Hey @Le1ns The response that you see in Network tab means that the GKE Kubernetes API server isn't able to parse the user/group from the token that is provided by Keycloak. Can you use any tool like jwt.io to check if the token has the required user related fields in it.