
Keycloak support (skooner issue, CLOSED)

skooner-k8s commented on July 4, 2024
Keycloak support

from skooner.

Comments (13)

herbrandson commented on July 4, 2024

Sorry to hear you're having issues @menardorama. Let me see if I can help. A couple of quick questions:

  1. How are you trying to access k8dash? We just discovered that using something like kubectl proxy doesn't work for k8dash because kubectl proxy will strip off Authorization headers.
  2. If you try using k8dash w/o OIDC configured at all, are you able to log in using a token?

menardorama commented on July 4, 2024

Hi, thanks for the quick reply.

We are using a reverse proxy in order to handle incoming traffic (https://traefik.io/), so no kubectl stuff here.

We are using the same sort of setup for legacy kubernetes dashboard or grafana (with generic_oauth auth mechanism).

Is there a debug option available? I tried to set the NODE_ENV variable to something other than production, but it doesn't increase log verbosity.

Using token auth is working correctly; I would need more output on the k8dash side.

herbrandson commented on July 4, 2024

Ok. The best place to grab more detailed error info is actually in the networking tab of the browser. Would you mind grabbing the response of the failing call and posting it here?

menardorama commented on July 4, 2024

Hi, sure.
The response is unauthorized:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

I might be missing something, I am correctly authenticated, it's working on other OIDC apps...

linuxshokunin commented on July 4, 2024

@menardorama
Are you accessing a user with cluster-admin privilege?
It looks like only cluster-admin can access k8dash.

herbrandson commented on July 4, 2024

@menardorama

Can you confirm that Traefik isn't configured to strip Authorization headers?

Also, can you confirm which network call that above response is for (i.e. which url) and also the request and response headers?

herbrandson commented on July 4, 2024

Hey @menardorama. I just wanted to follow up and see if you were still working on resolving this issue. I've recently pushed some updates that add a new server side environment variable named DEBUG_VERBOSE. If set, it will add some additional logging to failed api calls that I think might help track down the issue.

menardorama commented on July 4, 2024

Hi
Sorry for the looong delay

still got the same error with debug output, I hope it can help


OIDC_URL:  https://keycloak.mycompany.com/auth/realms/k8s
[HPM] Proxy created: /  ->  https://172.16.0.1:443
[HPM] Subscribed to http-proxy events:  [ 'error', 'proxyRes', 'close' ]
Server started
Version Info:  {
    "major": "1",
    "minor": "13",
    "gitVersion": "v1.13.2",
    "gitCommit": "cff46ab41ff0bb44d8584413b598ad8360ec1def",
    "gitTreeState": "clean",
    "buildDate": "2019-01-10T23:28:14Z",
    "goVersion": "go1.11.4",
    "compiler": "gc",
    "platform": "linux/amd64"
}
Available APIs:  [
    "admissionregistration.k8s.io/v1beta1",
    "apiextensions.k8s.io/v1beta1",
    "apiregistration.k8s.io/v1",
    "apps/v1",
    "authentication.k8s.io/v1",
    "authorization.k8s.io/v1",
    "autoscaling/v1",
    "batch/v1",
    "certificates.k8s.io/v1beta1",
    "coordination.k8s.io/v1beta1",
    "crd.projectcalico.org/v1",
    "events.k8s.io/v1beta1",
    "extensions/v1beta1",
    "kubeless.io/v1beta1",
    "metrics.k8s.io/v1beta1",
    "monitoring.coreos.com/v1",
    "networking.k8s.io/v1",
    "policy/v1beta1",
    "rbac.authorization.k8s.io/v1",
    "scheduling.k8s.io/v1beta1",
    "storage.k8s.io/v1",
    "velero.io/v1"
]
GET / 304
GET /static/css/2.7b1d7de3.chunk.css 304
GET /static/css/main.0201163a.chunk.css 304
GET /static/js/2.9cf5441d.chunk.js 304
GET /static/js/main.94692243.chunk.js 304
GET /manifest.json 304
GET /favicon.ico 200
GET /logo.png 304
GET /oidc 200
GET /?state=14951f65-33e3-4906-ad19-fbdaf85e1047&session_state=916f0463-3131-4d08-aa8a-11c0d7ddcd63&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..WXncMeHQhkiGVvktYC7Q7Q.YqwftwHb9-qUlwaMUv_dwekEdMW8mzulzhWduVe0L7XTO89zMYWbhSQZ2hoknFGxrtB5EZSL1SbVInIVw8ZfJ3z1qKHvKjCjsugreDakTyVDnJRNWRZPQ3YIZr4DYsWhCbPQ-iZ9e7VAUMmXaH9I_X6eIhnRBJpWJ3uP8llfknAiUCmaSuQBp3nWDtfG9-XkvEvnGCoEai8RStKtruwmki9WClIBS7LwC4DSdUofZeSJ4nnORIqvMTCLRFEeXFbB.NjsZi7dMMj35LRma4rsOzA 200
GET /static/css/2.7b1d7de3.chunk.css 304
GET /static/css/main.0201163a.chunk.css 304
GET /static/js/2.9cf5441d.chunk.js 304
GET /static/js/main.94692243.chunk.js 304
GET /manifest.json 304
GET /logo.png 304
POST /oidc 200
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews -> https://172.16.0.1:443
VERBOSE REQUEST POST http k8dash.mycompany.cloud /apis/authorization.k8s.io/v1/selfsubjectaccessreviews { host: 'k8dash.mycompany.cloud',
  'user-agent':
   'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
  'content-length': '34',
  accept: 'application/json',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7',
  authorization:
   'Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJIZ1VoSXB4RXlQeTBKbVdWa01HaWNLOGhKajljR2o1T1VDY2pnX05ILVBZIn0.eyJqdGkiOiJmYTkxNDk4YS0xZjljLTQzMGYtYmFjNi05NGQyZmFkOTA1MWQiLCJleHAiOjE1NTc0OTUwMTQsIm5iZiI6MCwiaWF0IjoxNTU3NDc3MDE0LCJpc3MiOiJodHRwczovL2tleWNsb2FrLnBhc3RldXIuZnIvYXV0aC9yZWFsbXMvazhzIiwiYXVkIjoiazhkYXNoIiwic3ViIjoiODE0MjhkMmItZDFhNy00MGI2LTkyMzctZjg4MDllMDhhYWZiIiwidHlwIjoiSUQiLCJhenAiOiJrOGRhc2giLCJhdXRoX3RpbWUiOjE1NTc0NzY2MDcsInNlc3Npb25fc3RhdGUiOiI5MTZmMDQ2My0zMTMxLTRkMDgtYWE4YS0xMWMwZDdkZGNkNjMiLCJhY3IiOiIwIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImVtYWlsIjoidGhvbWFzLm1lbmFyZEBwYXN0ZXVyLmZyIn0.KjJ-rD6lH_kovXRdL97RJNVc70HdctdTm9SXfl-4SuPjoaPbSI8qbxbXSF_vkwNrCgL_k27kdpNdc7Rnl45_Gz-RO3LCGUnSbG4pLPq3lm98SZpKHxBYYC_iMgnAApKG0GJrOEPTO7bQD3CgLULA8bfLRSwaxJn6yZscSUCkKjvAS5KxqHQXk4lImLLmFXUfocSrz6uSsXWK04M4KLnLqPDLRb1JqUsftqPMTVwwAblAo0WUeUEbqv1sRKYuSPKSjniruTQtI_RXix9DNyJ1SLZ2l_cbpYab4Z8AEKonxEYYXG2J3rvF1MQ9SRnz40VNu6E5Ef5VoNa677a4mtYVwg',
  'content-type': 'application/json',
  origin: 'https://k8dash.mycompany.cloud',
  referer: 'https://k8dash.mycompany.cloud/',
  'x-forwarded-for': '127.49.11.10',
  'x-forwarded-host': 'k8dash.mycompany.cloud',
  'x-forwarded-port': '443',
  'x-forwarded-proto': 'https',
  'x-forwarded-server': 'k8s-03',
  'x-real-ip': '127.49.11.10' }
VERBOSE RESPONSE 401 { 'content-type': 'application/json',
  date: 'Fri, 10 May 2019 08:30:14 GMT',
  'content-length': '165',
  connection: 'close' }
POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews 401

menardorama commented on July 4, 2024

And for the previous question:

I am a cluster-admin.
Got an F5 Big IP in front of the traefik ingress controllers.

But my setup is working well on all the apps I have deployed (with SAML or OAuth...)

menardorama commented on July 4, 2024

OK.....issue is fixed

Wrong config in keycloak

Sorry to bother you

Seems great so far

herbrandson commented on July 4, 2024

Hey @menardorama. Thanks for the update! Glad it's working for you now. Please do follow up as you use the app and let me know what features you'd like to see added :)

menardorama commented on July 4, 2024

For sure.

From what I see, access when you are not a cluster admin would be awesome.

MrJinggles commented on July 4, 2024

> OK.....issue is fixed
>
> Wrong config in keycloak
>
> Sorry to bother you
>
> Seems great so far

Hi,
could you elaborate how you fixed your issue in keycloak?
I have a similar issue with keycloak in connection with the apis/authorization.k8s.io/v1/selfsubjectrulesreviews call.

Thanks in advance

from skooner.
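
An added example for readers who hit the same 401 on the self-subject review calls; it is not part of the original thread or of the skooner/k8dash code, and the thread does not record which Keycloak setting was wrong. It decodes the bearer token's claims and compares them with the values the API server's `--oidc-issuer-url`, `--oidc-client-id` and `--oidc-username-claim` flags expect; the function names, the `expected` object and the sample token are constructed for illustration.

```javascript
// Config diagnostic only: claims are decoded, the signature is NOT verified.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error('not an object');
  return obj;
}

// `expected` mirrors the kube-apiserver flags: issuer = --oidc-issuer-url,
// clientId = --oidc-client-id, usernameClaim = --oidc-username-claim.
function diagnoseToken(jwt, expected, nowSeconds) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return ['not a three-part JWS token'];
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (err) {
    return ['payload is not base64url-encoded JSON'];
  }
  const problems = [];
  if (claims.iss !== expected.issuer) { // compared as an exact string
    problems.push(`iss "${claims.iss}" != issuer "${expected.issuer}"`);
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) {
    problems.push(`aud ${JSON.stringify(claims.aud)} lacks "${expected.clientId}"`);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    problems.push('token is expired or has no exp claim');
  }
  if (!(expected.usernameClaim in claims)) {
    problems.push(`missing username claim "${expected.usernameClaim}"`);
  }
  return problems;
}

// Constructed sample data: fake signature, example.test issuer.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}
const SAMPLE_EXPECTED = { issuer: 'https://idp.example.test/auth/realms/k8s',
  clientId: 'k8dash', usernameClaim: 'email' };
const sampleBad = makeSampleToken({ iss: 'https://idp.example.test/auth/realms/k8s/',
  aud: 'account', exp: 2000, sub: 'constructed-user' });
console.log(diagnoseToken(sampleBad, SAMPLE_EXPECTED, 1000));
```

The constructed token fails on three counts: a trailing slash on the issuer, an audience that does not include the client ID, and no `email` claim. An empty result only means the claims line up with the configuration, since the signature is not checked here.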
