skooner-k8s / skooner

Simple Kubernetes real-time dashboard and management.
http://skooner.io/
Apache License 2.0
1.33k stars 181 forks

OIDC authorization error: 400 bad request #390

Open 07nava opened 1 year ago

07nava commented 1 year ago

Hi All,

Here are the steps in detail.

Followed the mentioned link to install skooner:

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: skooner
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: skooner
  template:
    metadata:
      labels:
        k8s-app: skooner
    spec:
      containers:
      - name: skooner
        image: ghcr.io/skooner-k8s/skooner:stable
        ports:
        - containerPort: 4654
        livenessProbe:
          httpGet:
            scheme: HTTP
            path: /
            port: 4654
          initialDelaySeconds: 30
          timeoutSeconds: 30
        env:
        - name: OIDC_URL
          valueFrom:
            secretKeyRef:
              name: skooner
              key: url
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: skooner
              key: id
        - name: OIDC_SECRET
          valueFrom:
            secretKeyRef:
              name: skooner
              key: secret
      nodeSelector:
        'beta.kubernetes.io/os': linux
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: skooner
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:551934631674:certificate/3f4ac15a-3936-4f69-b393-7d257633beb3
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 4654
  selector:
    k8s-app: skooner
  sessionAffinity: None
  type: LoadBalancer
```

```shell
OIDC_URL=https://cuserskooner.auth.us-west-2.amazoncognito.com/oauth2/token
OIDC_ID=
OIDC_SECRET=

kubectl create secret -n kube-system generic skooner \
  --from-literal=url=$OIDC_URL \
  --from-literal=id=$OIDC_ID \
  --from-literal=secret=$OIDC_SECRET
```

Pod error logs:

```
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.100.0.1:443
2023-02-07T07:46:03.526Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403
An error occurred during the request OPError: expected 200 OK, got: 400 Bad Request
    at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
    at Function.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:179:18)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async getOidcProvider (/usr/src/app/index.js:143:20)
    at async getOidcEndpoint (/usr/src/app/index.js:132:22)
    at async getOidc (/usr/src/app/index.js:80:30) {
  error: 'expected 200 OK, got: 400 Bad Request'
}
GET /oidc
```

Thanks for reading and supporting. Navamaniraj.M

yuqiuw commented 1 year ago

Not sure about where the issue lies, could you follow the Troubleshooting section in our Readme and attach some screenshots of the errors you saw?

Also make sure your script doesn't end with a `` ` ``:

```shell
kubectl create secret -n kube-system generic skooner \
  --from-literal=url=$OIDC_URL \
  --from-literal=id=$OIDC_ID \
  --from-literal=secret=$OIDC_SECRET`
```

07nava commented 1 year ago

Hi @yuqiuw,

Yes, the secret is already in place, and the values do not end with a `` ` ``:

```shell
OIDC_URL=https://cuserskooner.auth.us-west-2.amazoncognito.com/oauth2/token
OIDC_ID=***
OIDC_SECRET=***

kubectl create secret -n kube-system generic skooner \
  --from-literal=url=$OIDC_URL \
  --from-literal=id=$OIDC_ID \
  --from-literal=secret=$OIDC_SECRET
```

[Screenshot 2023-02-17 at 2:02:03 PM]

yuqiuw commented 1 year ago

Could you attach the logs generated on the server side by `kubectl logs deploy/skooner --namespace=kube-system`?

Sorry for the late response, we're also just part-time voluntary maintainers, and I'm recently just too busy with work inside of the team

sateesh4b commented 1 year ago

Hi, please find the log details:

```
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.100.0.1:443
2023-03-24T13:00:05.923Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 201
An error occurred during the request OPError: expected 200 OK, got: 403 Forbidden
    at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
    at Function.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:179:18)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async getOidcProvider (/usr/src/app/index.js:143:20)
    at async getOidcEndpoint (/usr/src/app/index.js:132:22)
    at async getOidc (/usr/src/app/index.js:80:30) {
  error: 'expected 200 OK, got: 403 Forbidden'
}
GET /oidc
```

2023-03-24T13:27:45.203Z GET /oidc 500

We added the respective ClusterRole and ClusterRoleBinding as well. @yuqiuw, please help with it.
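Both stack traces in this thread fail inside openid-client's `Issuer.discover` (`issuer.js` calling `process_response.js`), so the non-200 they report (400 in the first post, 403 in the last) is the response to the OIDC discovery GET against `OIDC_URL`, not a Kubernetes API response: in the second log the `selfsubjectrulesreviews` call to 10.100.0.1:443 returns 201. `Issuer.discover` appends `/.well-known/openid-configuration` to the configured URL, which is expected to be the provider's issuer. The `OIDC_URL` in the first post is the hosted-UI domain's `/oauth2/token` endpoint, while a Cognito user pool's issuer has the form `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>`. The preflight below is an added example (Python, not skooner's own Node code) that reproduces the discovery step outside the pod: it builds the URL openid-client will fetch, flags a value that names an endpoint rather than an issuer, and checks the returned document for the fields a login flow needs. Helper names are mine, and `SAMPLE_DOC` is a constructed document, not captured from any provider.

```python
"""Preflight for the OIDC_URL that skooner hands to openid-client's Issuer.discover().

Added example (Python, not skooner's Node code). Helper names are the author's
own; SAMPLE_DOC is constructed for illustration, not captured from a provider.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields OpenID Connect Discovery requires and an authorization-code login needs.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Final path segments that identify an OAuth endpoint rather than an issuer.
ENDPOINT_NAMES = {"token", "authorize", "userinfo", "jwks.json", "logout"}


def discovery_url(oidc_url: str) -> str:
    """The URL Issuer.discover() GETs: issuer plus the well-known path, unless
    the configured value already names a .well-known document."""
    if "/.well-known/" in oidc_url:
        return oidc_url
    return oidc_url.rstrip("/") + WELL_KNOWN


def endpoint_warning(oidc_url: str) -> Optional[str]:
    """Discovery is defined relative to the issuer, so a URL ending in an
    endpoint name (e.g. .../oauth2/token) will not answer the well-known
    path with 200. Returns a warning string, or None when the URL looks fine."""
    last = urlsplit(oidc_url).path.rstrip("/").rsplit("/", 1)[-1]
    if last in ENDPOINT_NAMES:
        return f"OIDC_URL ends in '{last}': that is an endpoint, not the issuer"
    return None


def validate_doc(oidc_url: str, doc: Dict[str, object]) -> List[str]:
    """Problems worth fixing before pointing skooner at this provider.
    An empty list means the document looks usable."""
    problems = [f"missing '{k}'" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer")
    # Discovery requires the issuer value to equal the URL it was fetched from.
    if isinstance(issuer, str) and issuer.rstrip("/") != oidc_url.rstrip("/"):
        problems.append(f"issuer mismatch: document says {issuer!r}, OIDC_URL is {oidc_url!r}")
    for k in REQUIRED[1:]:
        v = doc.get(k)
        if isinstance(v, str) and not v.startswith("https://"):
            problems.append(f"'{k}' is not https: {v!r}")
    return problems


def fetch_doc(oidc_url: str, timeout: float = 10.0) -> Tuple[int, Optional[Dict[str, object]]]:
    """Live check: (HTTP status, parsed document or None). A non-200 here is
    what surfaces in the pod as 'OPError: expected 200 OK, got: ...'."""
    req = urllib.request.Request(discovery_url(oidc_url), headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, None


# Constructed sample document (shape only; not from any real provider).
SAMPLE_ISSUER = "https://idp.example.test/realm"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
}


def main(argv: List[str]) -> int:
    if len(argv) > 1:  # live mode: python3 oidc_preflight.py "$OIDC_URL"
        url = argv[1]
        warn = endpoint_warning(url)
        if warn:
            print("warning:", warn)
        print("GET", discovery_url(url))
        status, doc = fetch_doc(url)
        print("status", status)
        problems = validate_doc(url, doc) if doc else ["no JSON document returned"]
    else:  # offline demonstration against the constructed sample
        problems = validate_doc(SAMPLE_ISSUER, SAMPLE_DOC)
    for p in problems:
        print("problem:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the exact value stored in the `skooner` secret (`kubectl get secret -n kube-system skooner -o jsonpath='{.data.url}' | base64 -d`) so the check exercises the same string the pod sees; a warning from `endpoint_warning` or a non-200 status is the same failure the pod log reports, reproduced without redeploying.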