
Logs when Kubernetes OpenID Connect authentication fails

I have tried to set up Kubernetes 1.13 for OpenID Connect (OIDC) authentication as follows:

  • installed Keycloak server
  • added command line options --oidc-issuer-url=https://my_keycloak/auth/realms/my_realm, etc., to kube-apiserver
  • stored id token at users.user.auth-provider.config.client-id, etc., in kubeconfig's my_user

From my reading of the documentation, kubectl should now be able to access the cluster as my_user. However, kubectl get nodes says:

error: You must be logged in to the server (Unauthorized)

And curl -k https://api_server:6443/api/v2/nodes --header "Authorization: Bearer $id_token" says:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

kubectl logs $kube_apiserver -n kube-system, journalctl -u kubelet.service, and Keycloak's stdout are all silent. So where can I see more logging information to discern where OIDC authentication may go wrong?

UPDATE: Option --v on both the client (kubectl) and the server (e.g. API server) helps to some degree.

If you are using the email claim, Kubernetes requires your email_verified claim to be true. By default in Keycloak, this is set to false.

Source: https://github.com/kubernetes/kubernetes/search?q=email_verified&unscoped_q=email_verified
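The answer points at one of several claim checks kube-apiserver applies before it accepts an OIDC id token, and the question's silent logs show how little feedback a 401 gives. The following script is an added example (not code from Kubernetes, Keycloak, or either poster) that decodes an id token locally, without verifying its signature, and reports which of those checks would fail: the issuer must equal --oidc-issuer-url, the audience must contain --oidc-client-id, the token must not be expired, the signing algorithm must be one of --oidc-signing-algs (default RS256), the configured --oidc-username-claim must be present, and when that claim is email, email_verified must be true. The issuer URL is the one from the question; the client id "kubernetes" and the make_sample_token helper (which builds a token with a placeholder signature segment) are assumptions for demonstration only, so this tells you which claim to fix in Keycloak but says nothing about whether the key material is right.

```python
import base64
import json
import time

# Issuer URL as given in the question; the client id is an assumed value that
# would have to match kube-apiserver's --oidc-client-id.
ISSUER_URL = "https://my_keycloak/auth/realms/my_realm"
CLIENT_ID = "kubernetes"
# Default of kube-apiserver's --oidc-signing-algs.
ALLOWED_ALGS = ("RS256",)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed token for demonstration: header and payload are real JWT
    segments, but the third segment is a placeholder, not a signature."""
    header = {"alg": alg, "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_unverified(token: str):
    """Split a JWT into (header, claims) WITHOUT checking the signature.
    Suitable for inspecting why a token is rejected, never for trusting it."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_id_token(token: str, issuer_url: str = ISSUER_URL,
                   client_id: str = CLIENT_ID, username_claim: str = "sub",
                   now: float = None) -> list:
    """Return a list of human-readable problems; empty means the claim-level
    checks kube-apiserver applies would all pass (signature aside)."""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    problems = []

    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"alg {header.get('alg')!r} not in --oidc-signing-algs {ALLOWED_ALGS}")
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {issuer_url!r}")

    # 'aud' may be a single string or a list; the client id must be among them.
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud_list:
        problems.append(f"aud {aud_list!r} does not contain --oidc-client-id {client_id!r}")

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or has no exp (exp={exp!r}, now={int(now)})")

    if username_claim not in claims:
        problems.append(f"--oidc-username-claim {username_claim!r} missing from token")
    # The point made in the answer: with the email claim, email_verified must be true.
    if username_claim == "email" and claims.get("email_verified") is not True:
        problems.append(f"email_verified is {claims.get('email_verified')!r}, must be true when using the email claim")

    return problems


if __name__ == "__main__":
    # Constructed sample claims; the Keycloak default of email_verified=false is
    # exactly the case the answer describes.
    claims = {"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "1234", "exp": int(time.time()) + 300,
              "email": "alice@example.invalid", "email_verified": False}
    for problem in check_id_token(make_sample_token(claims), username_claim="email"):
        print("would be rejected:", problem)
```

To use it against a real token, paste the id token from kubeconfig into decode_unverified or check_id_token with the same username_claim you configured on the API server; an empty problem list narrows the remaining causes to signature verification, key discovery, or RBAC rather than the token's claims.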
