Logs when Kubernetes OpenID Connect authentication fails

2/1/2019

I have tried to set up Kubernetes 1.13 for OpenID Connect (OIDC) authentication as follows:

  • installed Keycloak server
  • added command line options --oidc-issuer-url=https://my_keycloak/auth/realms/my_realm, etc., to kube-apiserver
  • stored id token at users.user.auth-provider.config.client-id, etc., in kubeconfig's my_user

From my reading of the documentation kubectl should now be able to access the cluster as my_user. However, kubectl get nodes says:

error: You must be logged in to the server (Unauthorized)

And curl -k https://api_server:6443/api/v2/nodes --header "Authorization: Bearer $id_token" says:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

kubectl logs $kube_apiserver -n kube-system, journalctl -u kubelet.service, and Keycloak's stdout are all silent. So where can I see more logging information to discern where OIDC authentication may go wrong?

UPDATE: Option --v on both the client (kubectl) and the server (e.g. API server) helps to some degree.

-- rookie099
keycloak
kubernetes
openid-connect

0 Answers