nabadger
commented
6 years ago @FuzzOli87 So I would start by looking at the kubeconfig that you have generated.
At this point it's really about that config, Kubernetes, and the Dex server (for refreshing tokens)
So some things to check:
- Confirm you are using the generated config
- Confirm you can reach the
idp-issuer-url - Check that the expected k8s context is in use via
kubectl config get-contexts- if you have multiple contexts (users/clusters) configured, this will tell you what context you're actually using
I would also look at the generated id-token in the kubeconfig file.
It's a JWT token which is comprised of 3 parts separated by .
If you grab the middle component and base64 decode it you should be able to confirm the groups that the user have (this is the same level of information that dex-k8s-authenticator provides you when generate the kubeconfig details).
If that all looks good - you may want to look at your kube-apiserver logs
thiDucTran
Hello,
I've installed both dex and dex-k8s-authenticator to use Google's service to login. The entire flow works however the generated components don't even let me make a request to the API server.
I get the following error: error: You must be logged in to the server (Unauthorized)
I set up my apiServer configurations using KOPS and used the certificate it creates when creating the cluster. Not really sure how to debug this.