Closed yogesh-reddy closed 1 year ago
Hi @yogesh-reddy, I'm not sure if you are still looking for a solution, but there are two things standing out to me:
First: Your username is prefixed with the issuer URL as you can see from your server error. With your configuration, your user name isn't user@abc.com (as configured in the RBAC you provided) - it's https://dev-xxx.okta.com/oauth2/default#user@abc.com. That is a different entity than what your RBAC targets.
If you want to change this, take a look at the --oidc-username-prefix flag, it describes this behaviour and how to alter it:
--oidc-username-prefix string
If provided, all usernames will be prefixed with this value. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'.
Secondly: If you fix the issue above to bring RBAC and actual user identity in line, you might also need to configure workspace access for your OIDC user entity.
Note: I suspect this is not a bug but "working as intended".
Closing since there has been no response, please reopen if there is still an issue.
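To make the prefixing rule from the comment above concrete, here is an added example (not code from the issue or from the kcp project) that models how the API server derives the RBAC user name from the token claims and checks it against a RoleBinding subject. The issuer, claim values and RoleBinding subject are constructed from the redacted values in this thread.

```python
"""Model kube-apiserver OIDC username prefixing and compare with RBAC subjects.

Added example, not part of the kcp issue or project code. The rule mirrors
the --oidc-username-prefix help text quoted in the thread; the issuer and
user values below are constructed from the thread's redacted error message.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OIDCConfig:
    issuer_url: str
    username_claim: str = "sub"
    username_prefix: Optional[str] = None  # None means the flag was not provided


def effective_username(cfg: OIDCConfig, claims: dict) -> str:
    """Return the user name that RBAC will see for a token carrying these claims."""
    value = claims[cfg.username_claim]
    if cfg.username_prefix == "-":
        return value                        # explicit opt-out of any prefixing
    if cfg.username_prefix is not None:
        return cfg.username_prefix + value  # operator-chosen prefix
    if cfg.username_claim == "email":
        return value                        # the email claim is never auto-prefixed
    return f"{cfg.issuer_url}#{value}"      # default: issuer URL + '#' + claim value


def subject_matches(subjects: list, username: str) -> bool:
    """True when a (Cluster)RoleBinding subject list names this user."""
    return any(s.get("kind") == "User" and s.get("name") == username for s in subjects)


# Constructed from the thread: redacted Okta issuer and a preferred_username claim.
ISSUER = "https://dev-xxx.okta.com/oauth2/default"
CLAIMS = {"sub": "00u-example", "email": "user@abc.com", "preferred_username": "user@abc.com"}
ROLEBINDING_SUBJECTS = [{"kind": "User", "name": "user@abc.com"}]


def diagnose(cfg: OIDCConfig) -> tuple:
    """Return (effective user name, whether the RoleBinding grants it)."""
    name = effective_username(cfg, CLAIMS)
    return name, subject_matches(ROLEBINDING_SUBJECTS, name)


if __name__ == "__main__":
    for cfg in (OIDCConfig(ISSUER, "preferred_username"),        # the reporter's setup: 403
                OIDCConfig(ISSUER, "preferred_username", "-"),   # prefixing disabled: allowed
                OIDCConfig(ISSUER, "email")):                    # email claim: allowed
        name, ok = diagnose(cfg)
        print(f"claim={cfg.username_claim} prefix={cfg.username_prefix!r} -> {name}: "
              f"{'allowed' if ok else 'forbidden'}")
```

Running it shows the first configuration producing the issuer-prefixed name from the reporter's error, which no RoleBinding subject named user@abc.com will ever match.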
Describe the bug
Started KCP with oidc creds
Provided kubeconfig with oidc login creds
- name: default-dev-kuard-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
The request is authorized but we are getting 403 forbidden error
Error from server (Forbidden): services is forbidden: User "https://dev-xxx.okta.com/oauth2/default#user@abc.com" cannot list resource "services" in API group "" in the namespace "default": access denied
Created Roles and Rolebindings for the same
FYI: looked at this issue https://github.com/kcp-dev/kcp/pull/2319 and made sure preferred_username is present in claims
Steps To Reproduce
k get svc
Expected Behaviour
listing the services
Additional Context
No response