Installation on AKS about skooner HOT 6 CLOSED

hey @Elexy. Sorry you're having issues.

The "no RBAC policy matched" is actually misleading. At startup, the server attempts to call one of the authentication apis as a non-authenticated user, just to make sure the api exists. I really need to remove (or improve) that logging as it clearly leads to confusion.

As to why you're not able to login, that last line looks like you're token is returning a 401 when calling the selfsubjectaccessreviews. Can you verify that the token you're using is correct? If it is, we'll have to dig in a bit more to figure out what's going on.

from skooner.

@Elexy Were you able to verify that the token was valid? What can I do to help?

from skooner.

I tried the same setup again from scratch and now it works! Must have been a case of fat fingers
Thanks and awesome work!

from skooner.

When I run it through port-forward the token works:

[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews -> https://noise-dns-eea9be65.hcp.eastus.azmk8s.io:443
POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201

but running it through kubectl proxy auth with the same token fails.

[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews -> https://noise-dns-eea9be65.hcp.eastus.azmk8s.io:443
POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews 401

p.s. the websockets connection seems to fail with the port-forward

from skooner.

Thanks for chasing down those details. Based on this link (kubernetes/kubernetes#38775) it seems that kubectl proxy strips the Authorization header.

From that link:

this is working as expected. "proxying" through the apiserver will not get you standard proxy behavior (preserving Authorization headers end-to-end), because the API is not being used as a standard proxy

So unfortunately, it doesn't sound like it's possible to support using k8dash view kubectl proxy

from skooner.

@herbrandson Thanks for that.

from skooner.