int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0

Is it possible to have different permissions for different groups? #37

Open grebois opened 5 years ago

grebois commented 5 years ago

I was able to make this work perfectly with OneLogin (it is the same as Keycloak and has the same idea of groups/scopes), and now I want to set different permissions for different groups using the same client:

My kops configuration looks like this:

    oidcGroupsClaim: groups
    oidcGroupsPrefix: 'oidc:'
    oidcIssuerURL: https://openid-connect.onelogin.com/oidc
    oidcUsernameClaim: email
    oidcUsernamePrefix: 'oidc:'

And my config looks like:

      config:
        client-id: XXXXX
        client-secret: XXXXX
        extra-scopes: profile,groups
        idp-issuer-url: https://openid-connect.onelogin.com/oidc

Yet, with or without the ClusterRoleBinding, I always get admin access. Am I missing something? How do I know which user/group it is mapping to? How do I get the JWT?

More info: https://www.onelogin.com/blog/changes-to-our-openid-connect-issuer
More info: https://developers.onelogin.com/openid-connect/scopes
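
The two questions at the end of this post (which user/group the token maps to, and how to get at the JWT) can be answered on the workstation, before involving the cluster. The script below is an added example, not code from kubelogin or from this issue. It assumes the cached token lives at users[].user.auth-provider.config.id-token in the kubeconfig, which is where `kubectl config set-credentials --auth-provider oidc` puts it; the demo token it falls back to is constructed from the claims quoted later in this thread.

```python
"""Show which OIDC identity kubectl is about to present, without touching the cluster.

Added example (not kubelogin project code). Assumptions not on the page: the cached
token sits at users[].user.auth-provider.config.id-token in the kubeconfig, and the
demo token built below is constructed from the claims quoted in this thread.
"""
import base64
import json
import subprocess
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload (claims) of a compact JWT.

    This only READS the claims; it does not verify the signature, audience or
    expiry. That is fine for inspection, because kube-apiserver does that
    verification itself against the issuer's JWKS. Never base an authorization
    decision on claims decoded this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def summarize(claims: dict, username_claim: str = "email", groups_claim: str = "groups") -> dict:
    """The claims that decide RBAC subjects, plus the two things that usually go wrong."""
    groups = claims.get(groups_claim)
    return {
        "iss": claims.get("iss"),
        "aud": claims.get("aud"),
        "username": claims.get(username_claim),
        "groups": groups,
        # kube-apiserver accepts a string (ONE group) or an array; it never splits a string.
        "groups_claim_is_array": isinstance(groups, list),
        "expired": claims.get("exp", 0) < time.time(),
    }


def id_token_from_kubeconfig(user: str) -> str:
    """Read the cached id-token for a kubeconfig user (needs kubectl on PATH)."""
    jsonpath = '{.users[?(@.name=="%s")].user.auth-provider.config.id-token}' % user
    out = subprocess.run(
        ["kubectl", "config", "view", "--raw", "-o", "jsonpath=" + jsonpath],
        check=True, capture_output=True, text=True,
    )
    token = out.stdout.strip()
    if not token:
        raise LookupError(f"no id-token cached for user {user!r}; log in first")
    return token


# Constructed demo token: the claims quoted in this thread (redacted fields kept
# as XXXXX) behind an unsigned header. Only for exercising the decoder offline.
DEMO_CLAIMS = {
    "sub": "51088895", "email": "XXXXX", "groups": "All Users;kube-users",
    "aud": "c1974fc0-32cc-0137-eaa2-0adb6a3bf7a8133338",
    "exp": 1553872418, "iat": 1553865218,
    "iss": "https://openid-connect.onelogin.com/oidc",
}
DEMO_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(DEMO_CLAIMS).encode()),
    "",  # no signature
])

if __name__ == "__main__":
    import sys
    token = id_token_from_kubeconfig(sys.argv[1]) if len(sys.argv) > 1 else DEMO_TOKEN
    print(json.dumps(summarize(decode_jwt_claims(token)), indent=2))
```

Run it with the kubeconfig user name as the argument to inspect the real token, or with no argument to see the demo. The `groups_claim_is_array` field is the one to watch: a string value is one group to the apiserver, whatever delimiters it contains. If the identity looks right but `kubectl auth can-i --list` still shows `*` on everything with no binding for that user or group, check the apiserver's `--authorization-mode`: with AlwaysAllow, authentication succeeds and RBAC bindings are never consulted.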

grebois commented 5 years ago

By the way, I notice the same behavior with Keycloak; maybe it is like this by design.

grebois commented 5 years ago

The current JWT looks like:

{
  "sub": "51088895",
  "email": "XXXXX",
  "preferred_username": "XXXXX",
  "name": "XXXXX",
  "updated_at": "2019-03-29T13:12:58Z",
  "given_name": "XXXXX",
  "family_name": "XXXXX",
  "groups": "All Users;kube-users",
  "at_hash": "DbcnRZdRDHS55jJZ3izilA",
  "sid": "a4498acd-f510-4eee-bad8-410b18d49340",
  "aud": "c1974fc0-32cc-0137-eaa2-0adb6a3bf7a8133338",
  "exp": 1553872418,
  "iat": 1553865218,
  "iss": "https://openid-connect.onelogin.com/oidc"
}

So I do get the groups back from the auth: "groups": "All Users;kube-users",

but it seems they are not being used.

Baykonur commented 5 years ago

You might be missing --oidc-username-prefix=- in your kube-apiserver configuration to disable the prefixing of the email in your case. Have a look here.

grebois commented 5 years ago

Thanks @Baykonur, I changed my kops yaml to:

                            +   oidcUsernamePrefix: '-'
                            -   oidcUsernamePrefix: 'oidc:'
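
Review bot: this hunk only changes the username prefix; `oidcGroupsPrefix: 'oidc:'` from the earlier config is untouched, so group subjects in RBAC bindings still have to carry the `oidc:` prefix (for example `name: oidc:kube-users`), while a user subject is now the bare email. Neither prefix setting can explain admin access without a binding, because prefixes only change what the authenticated identity is called, not whether RBAC is consulted; the apiserver's `--authorization-mode` (the `authorization:` section of the kops cluster spec) is what to check for that symptom.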

and still get cluster-admin without any clusterrolebinding:

$ kubectl config set-credentials dev.us-east-1.k8s.local \
  --auth-provider oidc \
  --auth-provider-arg idp-issuer-url=https://openid-connect.onelogin.com/oidc \
  --auth-provider-arg client-id=XXXXX \
  --auth-provider-arg client-secret=XXXXX

$ kubectl get nodes
Unable to connect to the server: No valid id-token, and cannot refresh without refresh-token

$ kubectl login
2019/03/29 16:48:04 Reading ~/.kube/config
2019/03/29 16:48:04 Using current-context: dev.us-east-1.k8s.local
2019/03/29 16:48:06 Open http://localhost:8000 for authorization
2019/03/29 16:48:13 Got token for subject=51088895
2019/03/29 16:48:13 Updated ~/.kube/config

$ kubectl get nodes
NAME                            STATUS   ROLES    AGE   VERSION
ip-172-16-30-203.ec2.internal   Ready    master   39m   v1.11.7
ip-172-16-31-63.ec2.internal    Ready    master   49m   v1.11.7
ip-172-16-32-49.ec2.internal    Ready    master   44m   v1.11.7
ip-172-16-50-11.ec2.internal    Ready    node     1d    v1.11.7
ip-172-16-51-78.ec2.internal    Ready    node     1d    v1.11.7
ip-172-16-52-127.ec2.internal   Ready    node     1d    v1.11.7

How is that possible?

Baykonur commented 5 years ago

Interesting, I would set --v=10 and check the log.

grebois commented 5 years ago

Like this?

$ kubectl login
2019/03/30 03:15:04 Reading ~/.kube/config
2019/03/30 03:15:04 Using current-context: dev.us-east-1.k8s.local
2019/03/30 03:15:05 Open http://localhost:8000 for authorization
2019/03/30 03:15:47 Got token for subject=51088895
2019/03/30 03:15:47 Updated ~/.kube/config

$ kubectl -v=10 get nodes
I0330 03:16:00.055573   19242 loader.go:359] Config loaded from file /Users/grebois/.kube/config
I0330 03:16:00.056910   19242 loader.go:359] Config loaded from file /Users/grebois/.kube/config
I0330 03:16:00.057682   19242 cached_discovery.go:106] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/servergroups.json
I0330 03:16:00.059285   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/storage.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059312   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/autoscaling/v1/serverresources.json
I0330 03:16:00.059293   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authorization.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059762   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/scheduling.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059793   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/crd.projectcalico.org/v1/serverresources.json
I0330 03:16:00.059395   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authorization.k8s.io/v1/serverresources.json
I0330 03:16:00.059397   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiregistration.k8s.io/v1/serverresources.json
I0330 03:16:00.059908   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/batch/v1beta1/serverresources.json
I0330 03:16:00.059486   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiextensions.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059494   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/storage.k8s.io/v1/serverresources.json
I0330 03:16:00.059528   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1alpha1/serverresources.json
I0330 03:16:00.059737   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/autoscaling/v2beta1/serverresources.json
I0330 03:16:00.059753   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1beta1/serverresources.json
I0330 03:16:00.059552   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/admissionregistration.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059768   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/policy/v1beta1/serverresources.json
I0330 03:16:00.059520   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1/serverresources.json
I0330 03:16:00.059853   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/batch/v1/serverresources.json
I0330 03:16:00.059843   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/extensions/v1beta1/serverresources.json
I0330 03:16:00.059843   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1beta2/serverresources.json
I0330 03:16:00.059869   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/events.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059907   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiregistration.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059478   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/networking.k8s.io/v1/serverresources.json
I0330 03:16:00.059937   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/certificates.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059938   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1/serverresources.json
I0330 03:16:00.059982   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authentication.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.059982   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/v1/serverresources.json
I0330 03:16:00.059989   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.060021   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authentication.k8s.io/v1/serverresources.json
I0330 03:16:00.137444   19242 loader.go:359] Config loaded from file /Users/grebois/.kube/config
I0330 03:16:00.139272   19242 cached_discovery.go:106] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/servergroups.json
I0330 03:16:00.139471   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authentication.k8s.io/v1/serverresources.json
I0330 03:16:00.139500   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiregistration.k8s.io/v1/serverresources.json
I0330 03:16:00.139589   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiregistration.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139605   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authentication.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139630   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1beta1/serverresources.json
I0330 03:16:00.139928   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/storage.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139944   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1/serverresources.json
I0330 03:16:00.139693   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/v1/serverresources.json
I0330 03:16:00.139702   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/crd.projectcalico.org/v1/serverresources.json
I0330 03:16:00.139704   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/autoscaling/v1/serverresources.json
I0330 03:16:00.139972   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/storage.k8s.io/v1/serverresources.json
I0330 03:16:00.139994   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/scheduling.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139743   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/extensions/v1beta1/serverresources.json
I0330 03:16:00.139752   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/events.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139760   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authorization.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139772   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/autoscaling/v2beta1/serverresources.json
I0330 03:16:00.139788   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1/serverresources.json
I0330 03:16:00.139804   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/batch/v1beta1/serverresources.json
I0330 03:16:00.139816   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/batch/v1/serverresources.json
I0330 03:16:00.139854   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/networking.k8s.io/v1/serverresources.json
I0330 03:16:00.139878   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/certificates.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139880   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authorization.k8s.io/v1/serverresources.json
I0330 03:16:00.139910   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/policy/v1beta1/serverresources.json
I0330 03:16:00.139924   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139643   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1beta2/serverresources.json
I0330 03:16:00.139972   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1alpha1/serverresources.json
I0330 03:16:00.139981   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/admissionregistration.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.139981   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiextensions.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.140340   19242 cached_discovery.go:106] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/servergroups.json
I0330 03:16:00.140502   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/v1/serverresources.json
I0330 03:16:00.140568   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiregistration.k8s.io/v1/serverresources.json
I0330 03:16:00.140606   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiregistration.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.140682   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/extensions/v1beta1/serverresources.json
I0330 03:16:00.140789   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1/serverresources.json
I0330 03:16:00.140874   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1beta2/serverresources.json
I0330 03:16:00.140944   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apps/v1beta1/serverresources.json
I0330 03:16:00.141005   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/events.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.141052   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authentication.k8s.io/v1/serverresources.json
I0330 03:16:00.141091   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authentication.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.141142   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authorization.k8s.io/v1/serverresources.json
I0330 03:16:00.141214   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/authorization.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.141280   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/autoscaling/v1/serverresources.json
I0330 03:16:00.141326   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/autoscaling/v2beta1/serverresources.json
I0330 03:16:00.141371   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/batch/v1/serverresources.json
I0330 03:16:00.141416   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/batch/v1beta1/serverresources.json
I0330 03:16:00.141466   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/certificates.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.141525   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/networking.k8s.io/v1/serverresources.json
I0330 03:16:00.141568   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/policy/v1beta1/serverresources.json
I0330 03:16:00.141628   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1/serverresources.json
I0330 03:16:00.141757   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.141821   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/rbac.authorization.k8s.io/v1alpha1/serverresources.json
I0330 03:16:00.141865   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/storage.k8s.io/v1/serverresources.json
I0330 03:16:00.141928   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/storage.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.141998   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/admissionregistration.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.142058   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/apiextensions.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.142120   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/scheduling.k8s.io/v1beta1/serverresources.json
I0330 03:16:00.142206   19242 cached_discovery.go:70] returning cached discovery info from /Users/grebois/.kube/cache/discovery/XXXXXXXXXX/crd.projectcalico.org/v1/serverresources.json
I0330 03:16:00.144555   19242 loader.go:359] Config loaded from file /Users/grebois/.kube/config
I0330 03:16:00.144851   19242 round_trippers.go:419] curl -k -v -XGET  -H "Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json" -H "User-Agent: kubectl/v1.13.4 (darwin/amd64) kubernetes/c27b913" 'https://internal-api-dev-us-east-1-k8s-loc-lhnsou-1636312697.us-east-1.elb.amazonaws.com/api/v1/nodes?limit=500'
I0330 03:16:00.493391   19242 round_trippers.go:438] GET https://internal-api-dev-us-east-1-k8s-loc-lhnsou-1636312697.us-east-1.elb.amazonaws.com/api/v1/nodes?limit=500 200 OK in 348 milliseconds
I0330 03:16:00.493426   19242 round_trippers.go:444] Response Headers:
I0330 03:16:00.493437   19242 round_trippers.go:447]     Content-Type: application/json
I0330 03:16:00.493446   19242 round_trippers.go:447]     Date: Sat, 30 Mar 2019 02:16:00 GMT
I0330 03:16:00.493454   19242 round_trippers.go:447]     Audit-Id: 87660d29-5818-488d-ab1f-6a53dad3e220
I0330 03:16:00.584163   19242 request.go:942] Response Body: {"kind":"Table","apiVersion":"meta.k8s.io/v1beta1","metadata":{"selfLink":"/api/v1/nodes","resourceVersion":"642123"},"columnDefinitions":[{"name":"Name","type":"string","format":"name","description":"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names","priority":0},{"name":"Status","type":"string","format":"","description":"The status of the node","priority":0},{"name":"Roles","type":"string","format":"","description":"The roles of the node","priority":0},{"name":"Age","type":"string","format":"","description":"CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata","priority":0},{"name":"Version","type":"string","format":"","description":"Kubelet Version reported by the node.","priority":0},{"name":"Internal-IP","type":"string","format":"","description":"List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses","priority":1},{"name":"External-IP","type":"string","format":"","description":"List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses","priority":1},{"name":"OS-Image","type":"string","format":"","description":"OS Image reported by the node from /etc/os-release (e.g. 
Debian GNU/Linux 7 (wheezy)).","priority":1},{"name":"Kernel-Version","type":"string","format":"","description":"Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).","priority":1},{"name":"Container-Runtime","type":"string","format":"","description":"ContainerRuntime Version reported by the node through runtime remote API (e.g. docker://1.5.0).","priority":1}],"rows":[{"cells":["ip-172-16-30-203.ec2.internal","Ready","master","11h","v1.11.7","172.16.30.203","\u003cnone\u003e","Container Linux by CoreOS 2023.5.0 (Rhyolite)","4.19.25-coreos","docker://18.6.1"],"object":{"kind":"PartialObjectMetadata","apiVersion":"meta.k8s.io/v1beta1","metadata":{"name":"ip-172-16-30-203.ec2.internal","selfLink":"/api/v1/nodes/ip-172-16-30-203.ec2.internal","uid":"95b2b653-5234-11e9-89ec-0a66990db678","resourceVersion":"642109","creationTimestamp":"2019-03-29T15:09:01Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-east-1","failure-domain.beta.kubernetes.io/zone":"us-east-1a","kops.k8s.io/instancegroup":"master-us-east-1a","kubernetes.io/hostname":"ip-172-16-30-203.ec2.internal","kubernetes.io/role":"master","node-role.kubernetes.io/master":""},"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VtepMAC\":\"72:c2:e4:ec:d1:d2\"}","flannel.alpha.coreos.com/backend-type":"vxlan","flannel.alpha.coreos.com/kube-subnet-manager":"true","flannel.alpha.coreos.com/public-ip":"172.16.30.203","node.alpha.kubernetes.io/ttl":"0","volumes.kubernetes.io/controller-managed-attach-detach":"true"}}}},{"cells":["ip-172-16-31-63.ec2.internal","Ready","master","11h","v1.11.7","172.16.31.63","\u003cnone\u003e","Container Linux by CoreOS 2023.5.0 
(Rhyolite)","4.19.25-coreos","docker://18.6.1"],"object":{"kind":"PartialObjectMetadata","apiVersion":"meta.k8s.io/v1beta1","metadata":{"name":"ip-172-16-31-63.ec2.internal","selfLink":"/api/v1/nodes/ip-172-16-31-63.ec2.internal","uid":"2bb3291d-5233-11e9-9fda-0e376f850c00","resourceVersion":"642110","creationTimestamp":"2019-03-29T14:58:54Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-east-1","failure-domain.beta.kubernetes.io/zone":"us-east-1b","kops.k8s.io/instancegroup":"master-us-east-1b","kubernetes.io/hostname":"ip-172-16-31-63.ec2.internal","kubernetes.io/role":"master","node-role.kubernetes.io/master":""},"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VtepMAC\":\"96:25:67:2c:e7:10\"}","flannel.alpha.coreos.com/backend-type":"vxlan","flannel.alpha.coreos.com/kube-subnet-manager":"true","flannel.alpha.coreos.com/public-ip":"172.16.31.63","node.alpha.kubernetes.io/ttl":"0","volumes.kubernetes.io/controller-managed-attach-detach":"true"}}}},{"cells":["ip-172-16-32-49.ec2.internal","Ready","master","11h","v1.11.7","172.16.32.49","\u003cnone\u003e","Container Linux by CoreOS 2023.5.0 
(Rhyolite)","4.19.25-coreos","docker://18.6.1"],"object":{"kind":"PartialObjectMetadata","apiVersion":"meta.k8s.io/v1beta1","metadata":{"name":"ip-172-16-32-49.ec2.internal","selfLink":"/api/v1/nodes/ip-172-16-32-49.ec2.internal","uid":"eb44ef6b-5233-11e9-8dc4-026d191f34f2","resourceVersion":"642114","creationTimestamp":"2019-03-29T15:04:15Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-east-1","failure-domain.beta.kubernetes.io/zone":"us-east-1c","kops.k8s.io/instancegroup":"master-us-east-1c","kubernetes.io/hostname":"ip-172-16-32-49.ec2.internal","kubernetes.io/role":"master","node-role.kubernetes.io/master":""},"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VtepMAC\":\"b6:7b:f2:10:0d:65\"}","flannel.alpha.coreos.com/backend-type":"vxlan","flannel.alpha.coreos.com/kube-subnet-manager":"true","flannel.alpha.coreos.com/public-ip":"172.16.32.49","node.alpha.kubernetes.io/ttl":"0","volumes.kubernetes.io/controller-managed-attach-detach":"true"}}}},{"cells":["ip-172-16-50-11.ec2.internal","Ready","node","2d","v1.11.7","172.16.50.11","\u003cnone\u003e","Container Linux by CoreOS 2023.5.0 
(Rhyolite)","4.19.25-coreos","docker://18.6.1"],"object":{"kind":"PartialObjectMetadata","apiVersion":"meta.k8s.io/v1beta1","metadata":{"name":"ip-172-16-50-11.ec2.internal","selfLink":"/api/v1/nodes/ip-172-16-50-11.ec2.internal","uid":"a41b5f6f-50cf-11e9-856a-0255e4ef97de","resourceVersion":"642112","creationTimestamp":"2019-03-27T20:33:55Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-east-1","failure-domain.beta.kubernetes.io/zone":"us-east-1a","k8s.info/hasPublicIP":"false","k8s.info/instanceType":"t3.medium","k8s.info/isSpot":"true","kops.k8s.io/instancegroup":"on-demand-zone-a","kubernetes.io/hostname":"ip-172-16-50-11.ec2.internal","kubernetes.io/role":"node","node-role.kubernetes.io/node":"","prod.us-east-1.k8s.local/role":"scale-zero"},"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VtepMAC\":\"62:6f:33:67:c3:59\"}","flannel.alpha.coreos.com/backend-type":"vxlan","flannel.alpha.coreos.com/kube-subnet-manager":"true","flannel.alpha.coreos.com/public-ip":"172.16.50.11","node.alpha.kubernetes.io/ttl":"0","volumes.kubernetes.io/controller-managed-attach-detach":"true"}}}},{"cells":["ip-172-16-51-78.ec2.internal","Ready","node","2d","v1.11.7","172.16.51.78","\u003cnone\u003e","Container Linux by CoreOS 2023.5.0 
(Rhyolite)","4.19.25-coreos","docker://18.6.1"],"object":{"kind":"PartialObjectMetadata","apiVersion":"meta.k8s.io/v1beta1","metadata":{"name":"ip-172-16-51-78.ec2.internal","selfLink":"/api/v1/nodes/ip-172-16-51-78.ec2.internal","uid":"321ac3f5-50d0-11e9-a309-0aeeaf677c6c","resourceVersion":"642121","creationTimestamp":"2019-03-27T20:37:53Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-east-1","failure-domain.beta.kubernetes.io/zone":"us-east-1b","k8s.info/hasPublicIP":"false","k8s.info/instanceType":"t3.medium","k8s.info/isSpot":"true","kops.k8s.io/instancegroup":"on-demand-zone-b","kubernetes.io/hostname":"ip-172-16-51-78.ec2.internal","kubernetes.io/role":"node","node-role.kubernetes.io/node":"","prod.us-east-1.k8s.local/role":"scale-zero"},"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VtepMAC\":\"56:6e:06:91:c1:5c\"}","flannel.alpha.coreos.com/backend-type":"vxlan","flannel.alpha.coreos.com/kube-subnet-manager":"true","flannel.alpha.coreos.com/public-ip":"172.16.51.78","node.alpha.kubernetes.io/ttl":"0","volumes.kubernetes.io/controller-managed-attach-detach":"true"}}}},{"cells":["ip-172-16-52-127.ec2.internal","Ready","node","2d","v1.11.7","172.16.52.127","\u003cnone\u003e","Container Linux by CoreOS 2023.5.0 
(Rhyolite)","4.19.25-coreos","docker://18.6.1"],"object":{"kind":"PartialObjectMetadata","apiVersion":"meta.k8s.io/v1beta1","metadata":{"name":"ip-172-16-52-127.ec2.internal","selfLink":"/api/v1/nodes/ip-172-16-52-127.ec2.internal","uid":"ccc0b419-50d0-11e9-9e2a-0eb298e501f0","resourceVersion":"642118","creationTimestamp":"2019-03-27T20:42:13Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-east-1","failure-domain.beta.kubernetes.io/zone":"us-east-1c","k8s.info/hasPublicIP":"false","k8s.info/instanceType":"t3.medium","k8s.info/isSpot":"true","kops.k8s.io/instancegroup":"on-demand-zone-c","kubernetes.io/hostname":"ip-172-16-52-127.ec2.internal","kubernetes.io/role":"node","node-role.kubernetes.io/node":"","prod.us-east-1.k8s.local/role":"scale-zero"},"annotations":{"flannel.alpha.coreos.com/backend-data":"{\"VtepMAC\":\"56:77:90:8e:bf:c0\"}","flannel.alpha.coreos.com/backend-type":"vxlan","flannel.alpha.coreos.com/kube-subnet-manager":"true","flannel.alpha.coreos.com/public-ip":"172.16.52.127","node.alpha.kubernetes.io/ttl":"0","volumes.kubernetes.io/controller-managed-attach-detach":"true"}}}}]}
I0330 03:16:00.587468   19242 get.go:563] no kind is registered for the type v1beta1.Table in scheme "k8s.io/kubernetes/pkg/api/legacyscheme/scheme.go:29"
NAME                            STATUS   ROLES    AGE   VERSION
ip-172-16-30-203.ec2.internal   Ready    master   11h   v1.11.7
ip-172-16-31-63.ec2.internal    Ready    master   11h   v1.11.7
ip-172-16-32-49.ec2.internal    Ready    master   11h   v1.11.7
ip-172-16-50-11.ec2.internal    Ready    node     2d    v1.11.7
ip-172-16-51-78.ec2.internal    Ready    node     2d    v1.11.7
ip-172-16-52-127.ec2.internal   Ready    node     2d    v1.11.7

Baykonur commented 5 years ago

Can you confirm I0330 03:16:00.137444 19242 loader.go:359] Config loaded from file /Users/grebois/.kube/config and ~/.kube/config are the same files?

grebois commented 5 years ago

@Baykonur sorry, I was a bit slow this week; indeed, the files are the same.

grebois commented 5 years ago

Hey guys, so I managed to make it work, but now this happens:

If the JWT returns a single group:

{
  "sub": "51088895",
  "email": "XXXXX",
  "preferred_username": "XXXXX",
  "name": "XXXXX",
  "updated_at": "2019-03-29T13:12:58Z",
  "given_name": "XXXXX",
  "family_name": "XXXXX",
  "groups": "kube-users",
  "at_hash": "DbcnRZdRDHS55jJZ3izilA",
  "sid": "a4498acd-f510-4eee-bad8-410b18d49340",
  "aud": "c1974fc0-32cc-0137-eaa2-0adb6a3bf7a8133338",
  "exp": 1553872418,
  "iat": 1553865218,
  "iss": "https://openid-connect.onelogin.com/oidc"
}

then this ClusterRoleBinding works:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    name: kube-users

but with more groups it does not; when I get a JWT looking like:

{
  ...
  "groups": "All Users;kube-users",
  ...
}

I need to create a ClusterRoleBinding like this:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    name: "All Users;kube-users"

It's like it matched the groups as a string, which I think is very ugly... any ideas?
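
The behaviour in the last comment is exactly what kube-apiserver does: the groups claim may be a JSON string or a JSON array of strings, a string is taken verbatim as a single group, and no splitting on `;` or any other delimiter happens on the Kubernetes side. The script below is an added example, not kubelogin or Kubernetes code; it re-implements the documented rules of the apiserver flags --oidc-issuer-url, --oidc-username-claim, --oidc-username-prefix, --oidc-groups-claim and --oidc-groups-prefix (which the kops fields in this thread map onto) so you can predict the exact subject names an RBAC binding has to use. The sample claims are constructed from the token quoted in the thread with a made-up email; the class and function names are mine.

```python
"""Re-implementation of kube-apiserver's OIDC claim -> user/groups mapping.

Added example, not kubelogin or Kubernetes code. Follows the documented behaviour
of the --oidc-* apiserver flags; sample claims are constructed from this thread
with a made-up email. Names (OidcOptions, KubeUser, map_claims, ...) are mine.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OidcOptions:
    issuer: str
    username_claim: str = "sub"
    username_prefix: Optional[str] = None   # None: --oidc-username-prefix not given
    groups_claim: Optional[str] = None      # None: no groups taken from the token
    groups_prefix: str = ""


@dataclass
class KubeUser:
    name: str
    groups: List[str] = field(default_factory=list)


def map_claims(claims: dict, opts: OidcOptions) -> KubeUser:
    """Turn already-verified id-token claims into the identity that RBAC sees."""
    if claims.get("iss") != opts.issuer:
        raise PermissionError("oidc: issuer mismatch")

    username = claims.get(opts.username_claim)
    if not isinstance(username, str) or not username:
        raise PermissionError(f"oidc: claim {opts.username_claim!r} missing or not a string")
    # With the email claim, a present-but-false email_verified is rejected;
    # an absent email_verified is accepted.
    if opts.username_claim == "email" and claims.get("email_verified") is False:
        raise PermissionError("oidc: email not verified")

    # Username prefix rules: '-' disables prefixing; an unset prefix with a claim
    # other than 'email' defaults to '<issuer>#' to avoid clashes with other authenticators.
    if opts.username_prefix == "-":
        prefix = ""
    elif opts.username_prefix is None:
        prefix = "" if opts.username_claim == "email" else opts.issuer + "#"
    else:
        prefix = opts.username_prefix
    user = KubeUser(name=prefix + username)

    if opts.groups_claim and opts.groups_claim in claims:
        raw = claims[opts.groups_claim]
        if isinstance(raw, str):
            groups = [raw]  # ONE group, verbatim: "All Users;kube-users" is not split
        elif isinstance(raw, list) and all(isinstance(g, str) for g in raw):
            groups = raw
        else:
            raise PermissionError(f"oidc: claim {opts.groups_claim!r} must be a string or array of strings")
        user.groups = [opts.groups_prefix + g for g in groups]

    # Every authenticated, non-anonymous user also gets this group from the
    # authentication layer, independent of the OIDC authenticator.
    user.groups.append("system:authenticated")
    return user


def binding_selects(user: KubeUser, subject_kind: str, subject_name: str) -> bool:
    """RBAC subject matching is an exact string comparison, prefix included."""
    if subject_kind == "User":
        return user.name == subject_name
    if subject_kind == "Group":
        return subject_name in user.groups
    raise ValueError(f"unsupported subject kind {subject_kind!r}")


# The thread's kops settings after the username-prefix change, as apiserver flags.
THREAD_OPTS = OidcOptions(
    issuer="https://openid-connect.onelogin.com/oidc",
    username_claim="email", username_prefix="-",
    groups_claim="groups", groups_prefix="oidc:",
)
THREAD_CLAIMS = {  # constructed from the thread's token; the email is made up
    "iss": "https://openid-connect.onelogin.com/oidc", "sub": "51088895",
    "email": "alice@example.com", "groups": "All Users;kube-users",
}

if __name__ == "__main__":
    u = map_claims(THREAD_CLAIMS, THREAD_OPTS)
    print("user:", u.name, "groups:", u.groups)
    for name in ("oidc:kube-users", "oidc:All Users;kube-users"):
        print(f"Group subject {name!r} selects this user: {binding_selects(u, 'Group', name)}")
```

With the thread's settings the identity comes out as user `alice@example.com` in groups `oidc:All Users;kube-users` and `system:authenticated`, so only a binding whose subject is the full prefixed string matches; the fix belongs at the identity provider, which has to emit `groups` as a JSON array, after which each element becomes its own (prefixed) group. If a binding with the unprefixed subject `kube-users` works on your cluster, the apiserver is no longer running with `--oidc-groups-prefix=oidc:`; whatever the prefix, the subject must be the prefixed, unsplit value.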