
Comments (10)

zhixiangjoy commented on August 26, 2024

Hi, when I try to use my OIDC (Keycloak) with k8dash it doesn't work.
In the pod logs I have:

    [HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.96.0.1:443
    POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403
    GET /favicon.ico 200
    GET /static/js/2.db22b280.chunk.js.map 304
    GET /static/js/main.34226f17.chunk.js.map 304
    GET /static/css/main.0d6d7525.chunk.css.map 304
    GET /static/css/2.b522e268.chunk.css.map 304
    (node:8) UnhandledPromiseRejectionWarning: ReferenceError: next is not defined
        at getOidc (/usr/src/app/index.js:79:9)
        at processTicksAndRejections (internal/process/task_queues.js:89:5)
    (node:8) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)

And in the browser network tab, for the path
/apis/authorization.k8s.io/v1/selfsubjectrulesreviews, I have the response:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "selfsubjectrulesreviews.authorization.k8s.io is forbidden: User \"system:anonymous\" cannot create resource \"selfsubjectrulesreviews\" in API group \"authorization.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "group": "authorization.k8s.io",
    "kind": "selfsubjectrulesreviews"
  },
  "code": 403
}

I don't understand why k8dash uses the system:anonymous account.

I use k8s version 1.15.4

I guess you didn't do RBAC for the serviceaccount that you use to log in. Please forgive my poor English.

from skooner.

Stolr commented on August 26, 2024

Hey.

Got the exact same problem.

It would be good to have some debug information.

I know that this often happens with X509 self-signed certs.

Got it fixed by using a LetsEncrypt cert.

There should be a better error message to help us understand.

from skooner.

Stolr commented on August 26, 2024

@JrCs Have you resolved it?

from skooner.

Stolr commented on August 26, 2024

As a temporary workaround you can set the Node env var

        - name: NODE_TLS_REJECT_UNAUTHORIZED
          value: "0"

This makes it work, but this is not really secure.

A fix to provide a custom root CA would be great :)

from skooner.
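
A check an operator could run for the workaround in the comment above, added here as an example (not code from the thread or from the skooner project): it scans `kubectl ... -o json` output for containers that set `NODE_TLS_REJECT_UNAUTHORIZED` to "0" and records whether `NODE_EXTRA_CA_CERTS`, the Node.js variable for trusting an additional CA file, is set. The function names, sample manifest, URL and path are constructed for illustration.

```javascript
// Added example: flag containers that disable Node.js TLS verification.
// Input shape: JSON from `kubectl get deploy,sts,ds,pod -A -o json`.

// Locate the pod spec inside the common workload kinds.
function podSpecOf(obj) {
  if (obj.kind === 'Pod') return obj.spec || null;
  if (obj.kind === 'CronJob') return obj.spec?.jobTemplate?.spec?.template?.spec || null;
  return obj.spec?.template?.spec || null; // Deployment, StatefulSet, DaemonSet, Job
}

function auditManifest(manifest) {
  const items = manifest.kind === 'List' ? manifest.items || [] : [manifest];
  const findings = [];
  for (const item of items) {
    const spec = podSpecOf(item);
    if (!spec) continue;
    for (const c of [...(spec.initContainers || []), ...(spec.containers || [])]) {
      const env = new Map((c.env || []).map((e) => [e.name, e]));
      const tls = env.get('NODE_TLS_REJECT_UNAUTHORIZED');
      if (!tls) continue;
      // Node.js skips certificate checks only for the exact string "0".
      // A valueFrom reference cannot be resolved offline: report for review.
      if (tls.value !== '0' && !tls.valueFrom) continue;
      findings.push({
        workload: `${item.kind}/${item.metadata?.namespace || 'default'}/${item.metadata?.name}`,
        container: c.name,
        severity: tls.value === '0' ? 'high' : 'review',
        hasExtraCa: env.has('NODE_EXTRA_CA_CERTS'), // extra trusted CA file configured?
      });
    }
  }
  return findings;
}

// Constructed sample input (names, URL and path are illustrative).
const SAMPLE = {
  kind: 'List',
  items: [
    { kind: 'Deployment', metadata: { name: 'skooner', namespace: 'kube-system' },
      spec: { template: { spec: { containers: [{ name: 'skooner', env: [
        { name: 'OIDC_URL', value: 'https://keycloak.example.com/realms/demo' },
        { name: 'NODE_TLS_REJECT_UNAUTHORIZED', value: '0' }] }] } } } },
    { kind: 'Deployment', metadata: { name: 'other', namespace: 'apps' },
      spec: { template: { spec: { containers: [{ name: 'app', env: [
        { name: 'NODE_EXTRA_CA_CERTS', value: '/etc/ssl/custom/ca.crt' }] }] } } } },
  ],
};

console.log(JSON.stringify(auditManifest(SAMPLE), null, 2));
```
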

JrCs commented on August 26, 2024

No, it's not resolved for me.

from skooner.

rdavyd commented on August 26, 2024

Same here for 1.19.7 cluster. It did not work even when I added the binding to cluster-admin role.

from skooner.

sbriskin commented on August 26, 2024

I have exactly the same problem. It works fine with minikube, but in cluster v1.20 it fails. Any chance to find the solution?

from skooner.

yuqiuw commented on August 26, 2024

Hi guys, could you first check your server logs?

    kubectl logs deploy/skooner --namespace=kube-system

If the beginning of the logs shows OIDC_URL: None, and/or your OIDC endpoint, e.g. http://skooner.example.com/oidc, shows an empty JSON, this means you need to pass in the correct ENV vars.

from skooner.

evijayan2 commented on August 26, 2024

Same issue when using OIDC.
In server logs
2022-03-21T14:16:34.263Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403

In UI logs
Incaught (in promise) Error: Api request error: Forbidden - selfsubjectrulesreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectrulesreviews" in API group "authorization.k8s.io" at the cluster scope

I tried setting the env variable
NODE_TLS_REJECT_UNAUTHORIZE=0

from skooner.

yuqiuw commented on August 26, 2024

A new stable version was released and we fixed two documentation flaws.
Please follow through with the Keycloak troubleshooting section and report any issues with a new ticket or reopen this. Thanks!

from skooner.
