kube-oidc-proxy
error: You must be logged in to the server
Hey guys, we forked this project and are seeing the following error when using kubectl: `error: You must be logged in to the server`.
curl works just fine with a bearer token.
Any suggestions what it could be?
It's also weird that I don't see kubectl sending the JWT token, but it works just fine directly with the API.
Any help is appreciated.
Thanks
Hello!
When you say forked - do you mean you have made changes to the code?
Can you double check that the OIDC token has been set up in your Kubeconfig?
Could you provide some logs of kube-oidc-proxy when you're attempting to connect using kubectl? You can also add `--v 10` to its arguments to provide more info.
I'm getting a similar error
```
I0414 15:49:46.268924 95219 round_trippers.go:416] GET https://kube-oidc-proxy.REDACTED/api?timeout=32s
I0414 15:49:46.268945 95219 round_trippers.go:423] Request Headers:
I0414 15:49:46.268957 95219 round_trippers.go:426] Accept: application/json, */*
I0414 15:49:46.268964 95219 round_trippers.go:426] User-Agent: kubectl/v1.14.3 (darwin/amd64) kubernetes/5e53fd6
I0414 15:49:46.377192 95219 round_trippers.go:441] Response Status: 401 Unauthorized in 108 milliseconds
I0414 15:49:46.394111 95219 request.go:1145] body was not decodable (unable to check for Status): couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }
0414 15:46:27.062905 95109 cached_discovery.go:121] skipped caching discovery info due to the server has asked for the client to provide credentials
I0414 15:46:27.063054 95109 helpers.go:196] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "the server has asked for the client to provide credentials",
  "reason": "Unauthorized",
  "details": {
    "causes": [
      {
        "reason": "UnexpectedServerResponse",
        "message": "Unauthorized"
      }
    ]
  },
  "code": 401
}]
F0414 15:46:27.063080 95109 helpers.go:114] error: You must be logged in to the server (the server has asked for the client to provide credentials)
```
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority: REDACTED
    server: https://kube-oidc-proxy.REDACTED
  name: test-cluster-name
contexts:
- context:
    cluster: test-cluster-name
    user: test-user
  name: test-context
current-context: test-context
kind: Config
preferences: {}
users:
- name: test-user
  user:
    auth-provider:
      config:
        client-id: REDACTED
        client-secret: REDACTED
        id-token: REDACTED
        idp-issuer-url: https://accounts.google.com
        refresh-token: REDACTED
      name: oidc
```
@vivekanandg check the supported scopes available on https://<your dex hostname>/.well-known/openid-configuration and compare them with the ones in kube-oidc-proxy.
I had the same error with the `usernameClaim` set to `username` instead of the supported `name`.
This should probably be closed by now, but on my side I had the wrong clientId 😓
So I would suggest to anyone who stumbles upon this to decode their JWT token and validate that the configurations of the kube-oidc-proxy match!
Cheers! 🍻