Comments (10)
Hi, when I try to use my OIDC (Keycloak) with k8dash it doesn't work.
In the pod logs I have:
```
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.96.0.1:443
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403
GET /favicon.ico 200
GET /static/js/2.db22b280.chunk.js.map 304
GET /static/js/main.34226f17.chunk.js.map 304
GET /static/css/main.0d6d7525.chunk.css.map 304
GET /static/css/2.b522e268.chunk.css.map 304
(node:8) UnhandledPromiseRejectionWarning: ReferenceError: next is not defined
    at getOidc (/usr/src/app/index.js:79:9)
    at processTicksAndRejections (internal/process/task_queues.js:89:5)
(node:8) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)
```
and in the browser network tab for the path:
/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
I have the response:
```
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "selfsubjectrulesreviews.authorization.k8s.io is forbidden: User \"system:anonymous\" cannot create resource \"selfsubjectrulesreviews\" in API group \"authorization.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "group": "authorization.k8s.io",
    "kind": "selfsubjectrulesreviews"
  },
  "code": 403
}
```
I don't understand why k8dash uses the system:anonymous account.
I use k8s version 1.15.4
I guess you didn't do RBAC for your serviceaccount that you use to log in. Please forgive my poor English.
from skooner.
Hey.
Got the exact same problem.
It would be good to have some debug information.
I know that this often happens with X509 self-signed certs.
Got it fixed by using a LetsEncrypt cert.
There should be a better error message to help us understand.
from skooner.
@JrCs Have you resolved it?
from skooner.
As a temporary workaround you can set the Node env var:
```
- name: NODE_TLS_REJECT_UNAUTHORIZED
  value: "0"
```
This makes it work, but this is not really secure.
A fix to provide a custom root CA would be great :)
from skooner.
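Added example, not part of the thread or the project's manifests: a Deployment fragment that keeps certificate verification on and instead adds the identity provider's root CA through Node.js's `NODE_EXTRA_CA_CERTS` variable. The ConfigMap name `oidc-root-ca`, its key `ca.crt`, the mount path and the container name are assumptions, as is that the dashboard's OIDC client uses Node's default trust store.

```yaml
# Added example: pod template fragment for the dashboard Deployment.
# Assumed names: container "skooner", ConfigMap "oidc-root-ca" holding the
# PEM root certificate under the key "ca.crt", mount path /etc/oidc-ca.
spec:
  template:
    spec:
      containers:
        - name: skooner
          env:
            # Workaround from the comment above, left commented out: it
            # disables certificate verification for every outbound TLS
            # connection of the Node process, not only the OIDC provider.
            # - name: NODE_TLS_REJECT_UNAUTHORIZED
            #   value: "0"

            # Verification stays enabled; Node appends the certificates in
            # this PEM file to its built-in trust store.
            - name: NODE_EXTRA_CA_CERTS
              value: /etc/oidc-ca/ca.crt
          volumeMounts:
            - name: oidc-root-ca
              mountPath: /etc/oidc-ca
              readOnly: true
      volumes:
        - name: oidc-root-ca
          configMap:
            name: oidc-root-ca
```

Node reads `NODE_EXTRA_CA_CERTS` once at process start, so the pod has to be restarted after the ConfigMap or the variable changes.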
No it's not resolved for me.
from skooner.
Same here for 1.19.7 cluster. It did not work even when I added the binding to cluster-admin role.
from skooner.
I have exactly the same problem. It works fine with minikube, but in cluster v1.20 it fails. Any chance to find the solution?
from skooner.
Hi guys, could you first check your server logs? `kubectl logs deploy/skooner --namespace=kube-system`
If the beginning of the logs shows `OIDC_URL: None`, and/or your OIDC endpoint (e.g. http://skooner.example.com/oidc) shows an empty JSON, this means you need to pass in the correct ENV vars.
from skooner.
Same issue when using OIDC.
In server logs:
```
2022-03-21T14:16:34.263Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403
```
In UI logs:
```
Uncaught (in promise) Error: Api request error: Forbidden - selfsubjectrulesreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectrulesreviews" in API group "authorization.k8s.io" at the cluster scope
```
I tried setting the env variable
`NODE_TLS_REJECT_UNAUTHORIZE=0`
from skooner.
A new stable version was released and we fixed two documentation flaws.
Please follow through with the Keycloak troubleshooting section and report any issues with a new ticket or reopen this. Thanks!
from skooner.