I have tried to set up Kubernetes 1.13 for OpenID Connect (OIDC) authentication as follows:
- --oidc-issuer-url=https://my_keycloak/auth/realms/my_realm, etc., passed to kube-apiserver
- users.user.auth-provider.config.client-id, etc., in kubeconfig's my_user
From my reading of the documentation, kubectl should now be able to access the cluster as my_user. However, kubectl get nodes says:
error: You must be logged in to the server (Unauthorized)
And curl -k https://api_server:6443/api/v1/nodes --header "Authorization: Bearer $id_token" says:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
kubectl logs $kube_apiserver -n kube-system, journalctl -u kubelet.service, and Keycloak's stdout are all silent. So where can I see more logging information to discern where OIDC authentication may go wrong?
UPDATE: The --v option on both the client (kubectl) and the server (e.g. the API server) helps to some degree.
If you are using the email claim, Kubernetes requires your email_verified claim to be true. By default in Keycloak, this is set to false.

Source: https://github.com/kubernetes/kubernetes/search?q=email_verified&unscoped_q=email_verified
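Because kube-apiserver returns a bare 401 without saying which claim it disliked, the fastest way to confirm the answer above is to decode the id_token you are sending and apply the same claim checks the OIDC authenticator applies. The script below is an added example, not part of the original question or answer and not Kubernetes' own code: it splits the compact JWS, base64url-decodes header and payload without verifying the signature (inspection only, never an authorization decision), and then checks iss against --oidc-issuer-url, aud against the client id, exp against the clock, presence of the username claim, and, when the username claim is email, that an email_verified claim, if present, is exactly true, which is the condition under which the linked authenticator code rejects the token with "oidc: email not verified". The issuer URL is the one from the question; the client id "kubernetes", the user "alice" and the embedded sample token are constructed for the example.

```python
import base64
import json
import sys
import time

# Values from the question (issuer) and assumptions for this example (client id).
ISSUER = "https://my_keycloak/auth/realms/my_realm"
CLIENT_ID = "kubernetes"  # hypothetical --oidc-client-id / kubeconfig client-id


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    """Restore the padding JWT segments omit before decoding."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_jwt(token: str):
    """Return (header, claims) from a compact JWS WITHOUT checking the signature.
    This is for inspecting claims while debugging; the apiserver still verifies
    the signature against the issuer's JWKS, which this script does not do."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_claims(claims: dict, issuer_url: str, client_id: str,
                 username_claim: str = "sub", now: float = None) -> list:
    """Mirror the claim-level checks kube-apiserver's OIDC authenticator applies.
    Returns a list of human-readable problems; an empty list means the claims
    alone would not cause a 401 (signature and key issues are out of scope)."""
    now = time.time() if now is None else now
    problems = []

    # iss must match --oidc-issuer-url exactly (scheme, host, path, no trailing slash drift).
    if claims.get("iss") != issuer_url:
        problems.append("iss is %r, expected %r" % (claims.get("iss"), issuer_url))

    # aud may be a string or a list; the configured client id must be among them.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud_list:
        problems.append("aud %r does not contain client id %r" % (aud, client_id))

    # exp is mandatory and must be in the future.
    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif exp <= now:
        problems.append("token expired at %d (now %d)" % (exp, now))

    # The claim selected by --oidc-username-claim (default "sub") must be present.
    if username_claim not in claims:
        problems.append("username claim %r is missing" % username_claim)

    # With --oidc-username-claim=email, a present email_verified claim must be true;
    # Keycloak issues email_verified=false for users whose email is not marked verified.
    if username_claim == "email" and "email_verified" in claims \
            and claims["email_verified"] is not True:
        problems.append("email_verified is %r; kube-apiserver rejects this token "
                        "(\"oidc: email not verified\")" % (claims["email_verified"],))
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned-looking sample token (fake signature segment) for offline use.
    CONSTRUCTED for this example; a real Keycloak token carries an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    segs = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
            b64url_encode(b"not-a-real-signature")]
    return ".".join(segs)


# Constructed sample resembling what Keycloak issues for an unverified user.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "6f2c1c3e-example", "azp": CLIENT_ID,
    "preferred_username": "alice", "email": "alice@example.com", "email_verified": False,
    "iat": 1599996400, "exp": 1600000000,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    # Usage: python check_id_token.py "$id_token"   (falls back to the sample token)
    token = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TOKEN
    header, claims = decode_jwt(token)
    print("header:", json.dumps(header))
    print("claims:", json.dumps(claims, indent=2))
    for problem in check_claims(claims, ISSUER, CLIENT_ID, username_claim="email"):
        print("PROBLEM:", problem)
```

Run it against the real token with the same issuer, client id and username claim you gave the API server; if it reports nothing and the 401 persists, the failure is in signature or key discovery (JWKS reachability, CA trust via --oidc-ca-file) rather than in the claims, which narrows where to raise --v.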