kind local cluster OIDC setup windows VM

[tppalani]

I'm running kind cluster in windows Operating system, Just for POC purpose i have optioned Okta CLIEND-ID and Okta Domain to enable to okta login mechanism . while creating cluster i have passed below configuration in yaml as extra api server configuration. But i don't see any effect after creating kind cluster. Even i verified kueb-apiserver.yaml file too but i don't see any configuration when i'm checking inside the container path:

---
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    image: kindest/node:v1.27.1@sha256:c44686bf1f422942a21434e5b4070fc47f3c190305be2974f91444cd34909f1b
    extraMounts:
    - hostPath: C:/tools/cert.pem
      containerPath: /usr/local/share/ca-certificates/my.crt
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
      - |
        apiServer:
          extraArgs:
            runtime-config: "api/all=true"
      - |
        apiServer:
          extraArgs:
            admission-control: "ServiceAccount,NodeRestriction,PodSecurityPolicy,AlwaysAdmit"

      - |
        apiServer:
          extraArgs:
            apiserver.oidc-issuer-url: "https://dev-123456.okta.com/oauth2/default"
            apiserver.oidc-client-id: "ohaja1234mkalLMN"
            apiserver.oidc-username-prefix: "oidc:"
            apiserver.oidc-username-claim: "sub"
            apiserver.oidc-groups-prefix: "oidc:"
            apiserver.oidc-groups-claim: "groups"
    extraPortMappings:
      - containerPort: 80
        hostPort: 80
      - containerPort: 443
        hostPort: 443
      - containerPort: 1111
        hostPort: 1111

cat ./kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0t...........
    server: https://127.0.0.1:52260
  name: kind-kind
contexts:
- context:
    cluster: kind-kind
    user: kind-kind
  name: kind-kind
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: kind-kind
  user:
    client-certificate-data: LS0t...........
    client-key-data: LS0t...........
- name: oidc-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://dev-123456.okta.com/oauth2/default
      - --oidc-client-id=ohaja1234mkalLMN
      - --oidc-extra-scope=groups
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

What you expected to happen: OIDC user will pick when i'm running below command

kubectl get pods --user oidc-user

How to reproduce it (as minimally and precisely as possible):

kubectl get pods --user oidc-user
error: unknown command "oidc-login" for "kubectl"
Unable to connect to the server: getting credentials: exec: executable kubectl failed with exit code 1

Anything else we need to know?:

Environment:

• kind version: (use kind version): kind v0.18.0 go1.20.2 windows/amd64

• Runtime info: (use docker info or podman info): $ podman info host: arch: amd64 buildahVersion: 1.33.2 cgroupControllers:

  • cpuset
  • cpu
  • cpuacct
  • blkio
  • memory
  • devices
  • freezer
  • net_cls
  • perf_event
  • net_prio
  • hugetlb
  • pids
  • rdma
  • misc cgroupManager: cgroupfs cgroupVersion: v1 conmon: package: conmon-2.1.8-2.fc39.x86_64 path: /usr/bin/conmon version: 'conmon version 2.1.8, commit: ' cpuUtilization: idlePercent: 98.99 systemPercent: 0.41 userPercent: 0.6 cpus: 12 databaseBackend: sqlite distribution: distribution: fedora variant: container version: "39" eventLogger: journald freeLocks: 2037 hostname: LDD4C6G3 idMappings: gidmap: null uidmap: null kernel: 5.15.133.1-microsoft-standard-WSL2 linkmode: dynamic logDriver: journald memFree: 11759542272 memTotal: 16566603776 networkBackend: netavark networkBackendInfo: backend: netavark dns: package: aardvark-dns-1.9.0-1.fc39.x86_64 path: /usr/libexec/podman/aardvark-dns version: aardvark-dns 1.9.0 package: netavark-1.9.0-1.fc39.x86_64 path: /usr/libexec/podman/netavark version: netavark 1.9.0 ociRuntime: name: crun package: crun-1.12-1.fc39.x86_64 path: /usr/bin/crun version: |- crun version 1.12 commit: ce429cb2e277d001c2179df1ac66a470f00802ae rundir: /run/crun spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL os: linux pasta: executable: /usr/bin/pasta package: passt-0^20231230.gf091893-1.fc39.x86_64 version: | pasta 0^20231230.gf091893-1.fc39.x86_64 Copyright Red Hat GNU General Public License, version 2 or later https://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. remoteSocket: exists: true path: /run/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: false seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: true slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.2.2-1.fc39.x86_64 version: |- slirp4netns version 1.2.2 commit: 0ee2d87523e906518d34a6b423271e4826f71faf libslirp: 4.7.0 SLIRP_CONFIG_VERSION_MAX: 4 libseccomp: 2.5.3 swapFree: 4294168576 swapTotal: 4294967296 uptime: 28h 52m 6.00s (Approximately 1.17 days) variant: "" plugins: authorization: null log:
  • k8s-file
  • none
  • passthrough
  • journald network:
  • bridge
  • macvlan
  • ipvlan volume:
  • local registries: search:
  • docker.io store: configFile: /usr/share/containers/storage.conf containerStore: number: 2 paused: 0 running: 1 stopped: 1 graphDriverName: overlay graphOptions: overlay.mountopt: nodev,metacopy=on graphRoot: /var/lib/containers/storage graphRootAllocated: 1081101176832 graphRootUsed: 16018919424 graphStatus: Backing Filesystem: extfs Native Overlay Diff: "false" Supports d_type: "true" Supports shifting: "false" Supports volatile: "true" Using metacopy: "true" imageCopyTmpDir: /var/tmp imageStore: number: 12 runRoot: /run/containers/storage transientStore: false volumePath: /var/lib/containers/storage/volumes version: APIVersion: 4.8.3 Built: 1704291100 BuiltTime: Wed Jan 3 19:41:40 2024 GitCommit: "" GoVersion: go1.21.5 Os: linux OsArch: linux/amd64 Version: 4.8.3

• OS (e.g. from /etc/os-release): windows

• Kubernetes version: (use kubectl version): Client Version: v1.28.2 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.27.1

• Any proxies or other special environment settings?: NA

[BenTheElder]

    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
      - |
        apiServer:
          extraArgs:
            runtime-config: "api/all=true"
      - |
        apiServer:
          extraArgs:
            admission-control: "ServiceAccount,NodeRestriction,PodSecurityPolicy,AlwaysAdmit"

      - |
        apiServer:
          extraArgs:
            apiserver.oidc-issuer-url: "https://dev-123456.okta.com/oauth2/default"
            apiserver.oidc-client-id: "ohaja1234mkalLMN"
            apiserver.oidc-username-prefix: "oidc:"
            apiserver.oidc-username-claim: "sub"
            apiserver.oidc-groups-prefix: "oidc:"
            apiserver.oidc-groups-claim: "groups"

This isn't quite right, your patches except the first one are not targeting any particular object so they're doing nothing.

You can just combine these into one patch, remove the -| lines except the first one and merge the extraArgs into one map

/remove-kind bug /kind support