Open irizzant opened 3 years ago
Guard appears to be giving responses in v1 regardless, so with 1.19, you can opt into v1 requests with --authentication-token-webhook-version=v1
argument on the kube-apiserver as a workaround.
Thanks @mattlqx for the hint, I was aware of it anyway. Nevertheless according to the official doc it's still something to be fixed in Guard, since implementors are expected to check the apiVersion on the requests and reply accordingly
I experienced something exactly the same with Kubernetes v1.23.
The kube-api
was returning error something like below:
E0330 11:07:42.378929 1 webhook.go:155] Failed to make webhook authenticator request: the server has asked for the client to provide credentials
E0330 11:07:42.379004 1 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, the server has asked for the client to provide credentials]"
I was able to solve it by adding the --authentication-token-webhook-version=v1
flag on the kube-api
's yaml config file, as @mattlqx mentioned.
But as @irizzant said, I also believe that this is something the Guard should take care of by itself. The current way is just a "hack".
If it's something hard to get added right away, then at least it should be mentioned on the docs.
Hello up to version 0.6.1 I was able to make Guard work with kube 1.18 and our private Gitlab.
After upgrading to 0.7.1 and kube 1.19.7 the authentication does not work anymore.
The apiserver reports
but I verified that the kubeconfig file generated for webhook auth used by the apiserver is the same as the one generated with
Can you please help?
UPDATE: After more tests, I got this error from the apiserver:
Looks like Guard is not replying with the same
TokenReview
version as the request, violating this requirement from the official kubernetes doc: