kubernetes: Error: (the server has asked for the client to provide credentials)
/kind bug
@kubernetes/sig-api-machinery-bugs
What happened:
I just switched to OIDC authentication by extending kube-apiserver.yaml as follows:
- "--authorization-mode=RBAC"
- "--oidc-client-id=<client id from google>"
- "--oidc-issuer-url=https://accounts.google.com"
- "--oidc-username-claim=sub"
I acquired refresh and id tokens from this client and added them to the config:
- name: oidc_test
  user:
    auth-provider:
      config:
        client-id: <google_client_id>
        client-secret: <secret>
        extra-scopes: openid email profile offline_access
        id-token: <id_token>
        idp-issuer-url: https://accounts.google.com
        refresh-token: <refresh_token>
      name: oidc
The token gets refreshed by kubectl as expected, but when hitting the API server I get a 401 error back:
> kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.3", GitCommit:"2c2fe6e8278a5db2d15a013987b53968c743f2a1", GitTreeState:"clean", BuildDate:"2017-08-03T07:00:21Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"windows/amd64"}
error: You must be logged in to the server (the server has asked for the client to provide credentials)
In the log on the server I can see a corresponding error:
I0810 09:39:52.052547 1 jwt.go:230] Signature error (key 0): crypto/rsa: verification error
E0810 09:39:52.052575 1 authentication.go:58] Unable to authenticate the request due to an error: [invalid bearer token, crypto/rsa: verification error]
I0810 09:39:52.052607 1 wrap.go:75] GET /version: (394.913µs) 401 [[kubectl.exe/v1.7.3 (windows/amd64) kubernetes/2c2fe6e] <IP>]
What you expected to happen:
At this point the API server should respond with a 403 status indicating I do not have permissions for a given action (no rolebindings exist yet!).
How to reproduce it (as minimally and precisely as possible):
Change the settings in kube-apiserver.yaml as described above, authenticate through Google's OAuth infrastructure and provide the id token in kubectl.
Anything else we need to know?: I've also tested this against tokens from AAD and AAD v2.0, which exhibit the same behavior.
Environment:
- Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.3", GitCommit:"2c2fe6e8278a5db2d15a013987b53968c743f2a1", GitTreeState:"clean", BuildDate:"2017-08-03T07:00:21Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.6", GitCommit:"7fa1c1756d8bc963f1a389f4a6937dc71f08ada2", GitTreeState:"clean", BuildDate:"2017-06-16T18:21:54Z", GoVersion:"go1.7.6", Compiler:"gc", Platform:"linux/amd64"}
- Cloud provider or hardware configuration: Azure
- OS (e.g. from /etc/os-release):
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
- Kernel (e.g. uname -a): Linux k8s-master-42DAEBE3-0 4.4.0-89-generic #112-Ubuntu SMP Mon Jul 31 19:38:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
About this issue
- State: closed
- Created 7 years ago
- Comments: 15 (8 by maintainers)
@dixudx: I wanted to express that authentication should be successful and authorization should kick in and cause a 403! So far I've checked my token front to back, and I don't know what the problem seems to be! Could it be something about the signature verification? Do I have to provide the signatures of the issuing authority through --oidc-ca-file?
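The server-side log above is the useful signal here: `Signature error (key 0): crypto/rsa: verification error` is raised before any claim or RBAC check, so the 401 means the apiserver could not match the token's signature to a signing key it fetched from the issuer's discovery document, not that authorization is missing. The following Go program is an added example written for this thread; it is not code from the issue or from Kubernetes. It reproduces that check order with the standard library only: a constructed RS256 ID token is verified against a key set looked up by `kid`, and the three outcomes a defender needs to tell apart are shown side by side: the matching key (accepted), a key set whose `kid` resolves to a different key (the stale-key case, which yields exactly `crypto/rsa: verification error`), and a token whose audience does not match the configured client id (rejected after the signature passes). The issuer, client id, `kid` values and keys are all constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header and Claims are the parts of an ID token inspected before and
// after the signature check.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
}

var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWS (header.payload.signature) with RSA-SHA256,
// the way an IdP such as the one in the thread would mint an ID token.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, err := json.Marshal(Header{Alg: "RS256", Kid: kid})
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken performs the checks in the order that matters for reading the
// apiserver log: parse, select the key by kid from the issuer's key set,
// verify the RSA signature, and only then compare issuer and audience.
// keys maps kid -> public key (what a JWKS document provides).
func VerifyIDToken(token, issuer, clientID string, keys map[string]*rsa.PublicKey) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var h Header
	if err := json.Unmarshal(hb, &h); err != nil {
		return c, err
	}
	if h.Alg != "RS256" {
		return c, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return c, fmt.Errorf("no key with kid %q in issuer key set", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		// Same wording as the apiserver log line in the issue; wraps rsa.ErrVerification.
		return c, fmt.Errorf("invalid bearer token, %w", err)
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(pb, &c); err != nil {
		return c, err
	}
	if c.Iss != issuer {
		return c, fmt.Errorf("issuer %q does not match %q", c.Iss, issuer)
	}
	if c.Aud != clientID {
		return c, fmt.Errorf("audience %q does not match client-id %q", c.Aud, clientID)
	}
	return c, nil
}

// RunScenario signs one token with key A and verifies it three ways:
// matching key set, key set whose kid points at a different key, wrong client id.
func RunScenario() (okErr, wrongKeyErr, badAudErr error) {
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP key
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stale key under the same kid
	const issuer = "https://accounts.google.com"
	const clientID = "example-client-id" // constructed placeholder
	tok, err := SignRS256(keyA, "kid-1", Claims{Iss: issuer, Aud: clientID, Sub: "1234"})
	if err != nil {
		return err, err, err
	}
	_, okErr = VerifyIDToken(tok, issuer, clientID, map[string]*rsa.PublicKey{"kid-1": &keyA.PublicKey})
	_, wrongKeyErr = VerifyIDToken(tok, issuer, clientID, map[string]*rsa.PublicKey{"kid-1": &keyB.PublicKey})
	_, badAudErr = VerifyIDToken(tok, issuer, "other-client-id", map[string]*rsa.PublicKey{"kid-1": &keyA.PublicKey})
	return okErr, wrongKeyErr, badAudErr
}

func main() {
	okErr, wrongKeyErr, badAudErr := RunScenario()
	fmt.Println("matching key:", okErr)
	fmt.Println("stale key under same kid:", wrongKeyErr)
	fmt.Println("wrong client-id:", badAudErr)
}
```

Run with `go run .` and compare the second line with the apiserver log in the issue. Because the signature check runs before the claims are even decoded, a wrong or stale key can never produce a 403: that status requires a valid signature plus a missing RoleBinding. In the real apiserver the key set comes from the issuer's JWKS endpoint advertised in its OpenID discovery document, and `--oidc-ca-file` only supplies the CA used to verify the TLS connection to that issuer; it carries no signing keys.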