oidc-username-prefix switch is not #56826

Closed
polasekr opened this issue Dec 5, 2017 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@polasekr

polasekr commented Dec 5, 2017

/kind bug
/sig api-machinery

What happened:

This is the list of switches api server runs with:

    - /usr/local/bin/kube-apiserver --address=127.0.0.1 --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,ResourceQuota
      --allow-privileged=true --anonymous-auth=false --apiserver-count=1 --authorization-mode=RBAC
      --basic-auth-file=/srv/kubernetes/basic_auth.csv --client-ca-file=/srv/kubernetes/ca.crt
      --cloud-provider=aws --etcd-servers-overrides=/events#http://127.0.0.1:4002
      --etcd-servers=http://127.0.0.1:4001 --insecure-port=8080 --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
      --oidc-client-id=@!DDE1.1C8B.4BF7.8451!0001!DFD0.C624!0008!4479.9AA1.B0FB.BF3A --oidc-username-prefix=user- --oidc-issuer-url=https://iam.hubub.com/oxauth --oidc-username-claim=sub
      --proxy-client-cert-file=/srv/kubernetes/apiserver-aggregator.cert
      --proxy-client-key-file=/srv/kubernetes/apiserver-aggregator.key --requestheader-allowed-names=aggregator
      --requestheader-client-ca-file=/srv/kubernetes/apiserver-aggregator-ca.cert
      --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group
      --requestheader-username-headers=X-Remote-User --runtime-config=batch/v2alpha1=true
      --secure-port=443 --service-cluster-ip-range=100.64.0.0/13 --storage-backend=etcd2
      --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
      --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 2>&1 | /bin/tee -a

It is configured to use OIDC for authentication and the prefix is set to user-. When I authenticate an OIDC user (in this example rpolasek) without creating any role bindings, kubectl throws back the error

Error from server (Forbidden): pods is forbidden: User "https://iam.hubub.com/oxauth#rpolasek" cannot list pods in the namespace "default"

In the error message it refers to the user as URL#username, rather than user-username (user-rpolasek).
It requires the following binding to be created using the URL#username name schema for this user to work. A cluster role binding with the subject defined as user-rpolasek doesn't work.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: rpolasek
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: User
  name: https://iam.hubub.com/oxauth#rpolasek
  namespace: default

What you expected to happen:
The API server should be using user- for OIDC users. In the example, the error message from the API should be Error from server (Forbidden): pods is forbidden: User "user-rpolasek" cannot list pods in the namespace "default", and the subject name in the ClusterRoleBinding should be user-rpolasek as well.

How to reproduce it (as minimally and precisely as possible):
Configure api server to use OIDC for user authentication and set oidc user name claim as sub.

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):
    Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"6e937839ac04a38cac63e6a7a306c5d035fe7b0a", GitTreeState:"clean", BuildDate:"2017-09-28T22:57:57Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-08T18:27:48Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

  • Cloud provider or hardware configuration:
    AWS

  • OS (e.g. from /etc/os-release):
    Debian GNU/Linux 8 (jessie)

  • Kernel (e.g. uname -a):
    Linux ip-172-20-76-162 4.4.78-k8s #1 SMP Fri Jul 28 01:28:39 UTC 2017 x86_64 GNU/Linux

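The report hinges on how kube-apiserver derives an RBAC username from an OIDC token: the value of --oidc-username-claim is prepended with --oidc-username-prefix, and when no prefix is configured the documented default is the issuer URL followed by "#" (unless the claim is "email"); the value "-" disables prefixing. RBAC then compares the resulting string exactly against the User subject name in a binding, which is why the binding for user-rpolasek above matched nothing while the server was emitting the issuer-URL form. The following Go program is an added illustration of that rule, not code from Kubernetes or from the reporter: it parses the OIDC flags out of an argument list like the one in the report and shows both the name the configured prefix should yield and the issuer-URL default the server was actually producing. The type and function names (OIDCConfig, ParseOIDCFlags, Username, BindingMatches) are this example's own, and the argument list is constructed from the flags quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// OIDCConfig holds the three kube-apiserver flags that decide what
// username an OIDC identity gets. The struct is this example's own
// model of the documented behaviour, not an upstream type.
type OIDCConfig struct {
	IssuerURL      string // --oidc-issuer-url
	UsernameClaim  string // --oidc-username-claim (kube-apiserver default: "sub")
	UsernamePrefix string // --oidc-username-prefix ("" = not set, "-" = disable prefixing)
}

// ParseOIDCFlags pulls the OIDC-related "--flag=value" arguments out of a
// kube-apiserver argument list. Unrelated flags are ignored, and the
// username claim defaults to "sub" as it does in kube-apiserver.
func ParseOIDCFlags(args []string) OIDCConfig {
	cfg := OIDCConfig{UsernameClaim: "sub"}
	for _, a := range args {
		parts := strings.SplitN(a, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "--oidc-issuer-url":
			cfg.IssuerURL = parts[1]
		case "--oidc-username-claim":
			cfg.UsernameClaim = parts[1]
		case "--oidc-username-prefix":
			cfg.UsernamePrefix = parts[1]
		}
	}
	return cfg
}

// Username applies the documented --oidc-username-prefix rule to the value
// of the username claim:
//   - the prefix "-" disables all prefixing;
//   - an unset prefix falls back to "<issuer-url>#", except when the claim
//     is "email", which is treated as globally unique already;
//   - any other prefix is prepended verbatim.
func (c OIDCConfig) Username(claimValue string) string {
	switch {
	case c.UsernamePrefix == "-":
		return claimValue
	case c.UsernamePrefix == "":
		if c.UsernameClaim == "email" {
			return claimValue
		}
		return c.IssuerURL + "#" + claimValue
	default:
		return c.UsernamePrefix + claimValue
	}
}

// BindingMatches reports whether an RBAC "kind: User" subject name would
// match the authenticated username. RBAC compares the strings exactly, so
// a binding for "user-rpolasek" grants nothing to a request authenticated
// as "https://iam.hubub.com/oxauth#rpolasek".
func BindingMatches(subjectName, authenticatedUser string) bool {
	return subjectName == authenticatedUser
}

func main() {
	// Constructed from the flag list in the report; unrelated flags omitted.
	args := []string{
		"--authorization-mode=RBAC",
		"--oidc-client-id=@!DDE1.1C8B.4BF7.8451!0001!DFD0.C624!0008!4479.9AA1.B0FB.BF3A",
		"--oidc-username-prefix=user-",
		"--oidc-issuer-url=https://iam.hubub.com/oxauth",
		"--oidc-username-claim=sub",
	}
	cfg := ParseOIDCFlags(args)
	expected := cfg.Username("rpolasek")
	fmt.Println("with configured prefix:", expected)

	// A server that ignores the configured prefix behaves as if none were
	// set and produces the issuer-URL default seen in the Forbidden error.
	ignored := cfg
	ignored.UsernamePrefix = ""
	observed := ignored.Username("rpolasek")
	fmt.Println("with prefix ignored:   ", observed)

	fmt.Println("binding user-rpolasek matches expected name:", BindingMatches("user-rpolasek", expected))
	fmt.Println("binding user-rpolasek matches observed name:", BindingMatches("user-rpolasek", observed))
}
```

Running it prints user-rpolasek for the configured prefix and https://iam.hubub.com/oxauth#rpolasek for the ignored-prefix case, matching the two names in the report; the last two lines show that only one of them is ever going to satisfy the ClusterRoleBinding above. The practical check when an OIDC binding unexpectedly fails is therefore to read the exact username out of the Forbidden message rather than assuming the flags were honoured.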
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Dec 5, 2017
@liggitt
Member

liggitt commented Dec 5, 2017

fixed in #56175 and #56229 (for 1.8.5, scheduled for 12/7)

@liggitt liggitt closed this as completed Dec 5, 2017