rancher / rke

Rancher Kubernetes Engine (RKE), an extremely simple, lightning fast Kubernetes distribution that runs entirely within containers.


Keycloak OIDC authentication direct to K8s API not functional

groucho64738 opened this issue · comments

RKE Version: 1.26.9

Issue: In my Rancher managed cluster I'd like to configure the Kubernetes cluster itself (not Rancher) to use OIDC authentication against a Keycloak server we have set up. I've configured the cluster YAML to have the OIDC settings:
oidc-client-id: test-cluster
oidc-groups-claim: groups
oidc-issuer-url: https://keycloak-server.example.com/realms/myrealm
oidc-username-claim: email

I'm using kubelogin to test connecting to the API and I'm able to pull a token from Keycloak OK, so the authentication to there is working, but when trying to use kubectl I get the browser pop-up for login, enter my username and password and get the ever-useful:

error: You must be logged in to the server (Unauthorized)

Looking at the kube-apiserver logs shows this:
time="2023-11-16T18:50:29Z" level=info msg="Processing v1Authenticate request..."
time="2023-11-16T18:50:29Z" level=error msg="found 1 parts of token"

There was a lot of discussion in some groups about this, but it really didn't pan out with any useful solutions. One pointed me to the code of the API server, which shows:

https://github.com/rancher/kube-api-auth/blob/1576a0a1d1cf145ed1bb645577beb28fc307cdb4/pkg/service/handlers/v1-kube-api-authn.go#L75 (for example)

	// The webhook expects a Rancher API token of the form "accessKey:secretKey";
	// a token with no ":" in it (an OIDC JWT, for instance) fails here with
	// "found 1 parts of token".
	tokenParts := strings.SplitN(authnReq.Spec.Token, ":", 2)
	if len(tokenParts) != 2 {
		return "", "", fmt.Errorf("found %d parts of token", len(tokenParts))
	}
	accessKey := tokenParts[0]
	secretKey := tokenParts[1]
	return accessKey, secretKey, nil
}

I'm not really sure what it's looking for or how to provide it. If there's any other info I can provide, please let me know. Thanks.
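As an added example (not code from the issue, from kube-api-auth or from Rancher), the Go diagnostic below applies the quoted split to a bearer token and shows why a Keycloak id_token (a three-segment JWT, which never contains a ":") produces exactly `found 1 parts of token`: the webhook only resolves Rancher API tokens of the form accessKey:secretKey, so a JWT has to be validated by the apiserver's own OIDC authenticator. The token values and claims are constructed sample data.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
// Names for the credential shapes this issue is about.
const ShapeRancherAPIKey, ShapeJWT, ShapeUnknown = "rancher accessKey:secretKey", "JWT (OIDC id_token)", "unknown"
// splitRancherToken repeats the kube-api-auth check quoted in the issue: accessKey:secretKey only.
func splitRancherToken(token string) (accessKey, secretKey string, err error) {
	parts := strings.SplitN(token, ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("found %d parts of token", len(parts))
	}
	return parts[0], parts[1], nil
}

// jwtClaims decodes the payload of a three-segment JWT. Signature is NOT checked: shape test only.
func jwtClaims(token string) (map[string]any, error) {
	segs := strings.Split(token, ".")
	if len(segs) != 3 {
		return nil, fmt.Errorf("found %d segments, a JWT has 3", len(segs))
	}
	raw, err := base64.RawURLEncoding.DecodeString(segs[1])
	if err != nil {
		return nil, err
	}
	claims := map[string]any{}
	return claims, json.Unmarshal(raw, &claims)
}

// Classify reports which authenticator could accept a bearer token; for a JWT it also reproduces the webhook's error.
func Classify(token string) (shape, why string) {
	_, _, rerr := splitRancherToken(token)
	if rerr == nil {
		return ShapeRancherAPIKey, "the kube-api-auth webhook can look it up"
	}
	if claims, err := jwtClaims(token); err == nil {
		return ShapeJWT, fmt.Sprintf("needs the apiserver's OIDC authenticator (iss=%v); kube-api-auth logs: %v", claims["iss"], rerr)
	}
	return ShapeUnknown, rerr.Error()
}
// SampleOIDCToken builds a constructed, unsigned JWT shaped like a Keycloak id_token for the realm in the issue.
func SampleOIDCToken() string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	hdr := enc(map[string]string{"alg": "none", "typ": "JWT"})
	pay := enc(map[string]any{"iss": "https://keycloak-server.example.com/realms/myrealm", "email": "alice@example.com", "groups": []string{"admins"}})
	return hdr + "." + pay + "."
}
```

Running `Classify` on a Rancher-style token and on `SampleOIDCToken()` shows the first resolved by the webhook and the second rejected with the same message seen in the kube-apiserver log above.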

This repository uses an automated workflow to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the workflow can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the workflow will automatically close the issue in 14 days. Thank you for your contributions.