pixel-point / kube-forwarder

Easy to use Kubernetes port forwarding manager
https://kube-forwarder.pixelpoint.io/
MIT License

Problem connecting to cluster #25

Open nniikkoollaaii opened 5 years ago

nniikkoollaaii commented 5 years ago

Hello,

I selected my kubeconfig file and kube-forwarder shows the following error message:

"nodes is forbidden: User "system:anonymous" cannot list nodes at the cluster scope"

my kubeconfig file is:

```yaml
apiVersion: v1
kind: Config
clusters:
- name: caasp
  cluster:
    server: https://my-apiserver:6443
    certificate-authority-data: ...
users:
- name: appenvadmin
  user:
    auth-provider:
      name: oidc
      config:
        client-id: velum
        client-secret: ...
        extra-scopes: groups
        id-token: ...
        idp-certificate-authority-data: ...
        idp-issuer-url: https://my-apiserver:32000
        refresh-token: ...
contexts:
- name: caasp-appenvadmin
  context:
    cluster: caasp
    user: appenvadmin
current-context: caasp-appenvadmin
```

Auth backend is Dex. Kube-Forwarder Version 1.4.2 on Windows

Is there a problem using Kubernetes OIDC Auth?

Thanks for any help!

proAlexandr commented 5 years ago

Hi @nniikkoollaaii, It looks like an issue with the cluster's configuration or a connection configuration. Have you tried to connect to the cluster using kubectl with the same config? Most likely it's not a Kube Forwarder's issue, but if kubectl works, we will investigate it further.

nniikkoollaaii commented 5 years ago

Hi @proAlexandr,

The command `kubectl get pods --kubeconfig .\my-kubeconfig` works. So I don't think there is a problem with my connection configuration.

Further investigation would be nice. Thanks!

rlopez4 commented 5 years ago

I'm having a similar problem with oidc auth-provider. I am able to connect via kubectl but not through kube-forwarder.

merktassel commented 4 years ago

I'm experiencing a similar problem with OIDC. Commands like `kubectl --context=dev port-forward foobar` work fine, but Kube Forwarder displays "Unauthorized" when connecting:

[screenshot]

nbusseneau commented 4 years ago

+1 on what @merktassel said, I cannot get Kube Forwarder to work with an OIDC authenticator either, it fails with an Unauthorized error. All kubectl commands (e.g. `kubectl get ns`) work fine, though it should be noted that `myuser` has restricted rights (is only admin of some namespaces, but cannot manage the cluster itself).

Are there any logs I could inspect?

~/.kube/config

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority: [redacted]
    server: [redacted]
  name: mycluster
contexts:
- context:
    cluster: mycluster
    user: myuser
  name: mycontext
current-context: mycontext
kind: Config
preferences: {}
users:
- name: myuser
  user:
    auth-provider:
      config:
        client-id: [redacted]
        client-secret: [redacted]
        id-token: [redacted]
        idp-issuer-url: [redacted]
        refresh-token: [redacted]
      name: oidc
```

Kube Forwarder

[screenshot]

astrixj commented 4 years ago

Hi,

Any news on this? We are facing the same issue. When clicking on add new cluster we got an error: failed to connect, do you want continue saving?

We are able to run port-forward via the terminal.

Any idea? Any workaround?

Thanks, Ben

trendsoa commented 3 years ago

Same issue here with an OIDC authenticator enabled cluster.

chris-clarke-dev commented 3 years ago

There have been some changes to the @kubernetes/client-node package that fix this error. I'm able to reproduce a very similar error if I run this sample code using 0.10.2 in a separate project:

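```javascript
const k8s = require('@kubernetes/client-node');

// Load ~/.kube/config (or $KUBECONFIG) and select the OIDC-backed context.
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
kc.setCurrentContext('<insert a context relevant to your environment>');

const k8sApi = kc.makeApiClient(k8s.CoreV1Api);

// List pods in "default"; on failure print the Status object from the API server.
k8sApi.listNamespacedPod('default').then((res) => {
  console.log(res.body);
}).catch((err) => {
  console.log(err.response.body);
});
```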

will produce this response from the API

```
{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "default"',
  reason: 'Forbidden',
  details: { kind: 'pods' },
  code: 403
}
```

After updating the package I no longer get that error.

There is already a PR (#88) that includes an update to that package, which should fix this bug as well.
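
Added example, not part of the thread and not Kube Forwarder or @kubernetes/client-node code: a small Node.js triage helper covering both symptoms reported above (the `system:anonymous` 403 and the `Unauthorized` 401) together with the expiry of the kubeconfig's OIDC `id-token`. The function names, finding strings and the unsigned sample token are assumptions constructed for illustration.

```javascript
// Added example; names and finding strings are hypothetical.
// Decodes a JWT payload WITHOUT verifying its signature: diagnostics only.
function decodeJwtPayload(token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) { return null; }
}

// user: the `user` object of one kubeconfig users[] entry.
// status: the Status body returned by the API server.
function triageOidcFailure(user, status, nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const provider = user && user['auth-provider'];
  if (!provider || provider.name !== 'oidc') {
    findings.push('no-oidc-auth-provider');
  } else {
    const cfg = provider.config || {};
    const claims = decodeJwtPayload(cfg['id-token']);
    if (!claims || typeof claims.exp !== 'number') {
      findings.push('id-token-missing-or-malformed');
    } else if (claims.exp <= nowSeconds) {
      // An expired id-token has to be renewed with the refresh-token before use.
      findings.push(cfg['refresh-token'] ? 'id-token-expired-refresh-needed'
                                         : 'id-token-expired-no-refresh-token');
    } else {
      findings.push('id-token-not-expired');
    }
  }
  const message = (status && status.message) || '';
  if (status && status.code === 403 && message.includes('"system:anonymous"')) {
    // The server fell back to the anonymous user: no credential it recognised arrived.
    findings.push('no-credential-sent');
  } else if (status && status.code === 401) {
    // A credential was missing or rejected (expired, bad signature, wrong issuer).
    findings.push('credential-missing-or-rejected');
  }
  return findings;
}

// Constructed sample input: an unsigned token whose only claim is `exp`.
function sampleUser(exp) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const idToken = `${seg({ alg: 'none' })}.${seg({ exp })}.sig`;
  return { 'auth-provider': { name: 'oidc', config: { 'id-token': idToken, 'refresh-token': 'constructed' } } };
}
```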