Auth error with oidc login kubectl plugin
Current and expected behavior
I have a kubeconfig with the following user field:
```yaml
users:
- name: oidc-keycloak
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=<keycloak url>
      - --oidc-client-id=kubernetes
      - --oidc-client-secret=<our secret>
      env: null
      provideClusterInfo: false
```
and receive the following error during initialization (the same code as in examples/kubectl.rs):
```
Error: auth error: auth exec command '"kubectl" "oidc-login" "get-token" "--oidc-issuer-url=<keycloak url>" "--oidc-client-id=kubernetes" "--oidc-client-secret=<our secret>"' failed with status exit code: 2: Output { status: ExitStatus(ExitStatus(2)), stdout: "", stderr: "error: One of the values isn't valid for an argument\n" }
```
Possible solution
No response
Additional context
Windows OS. Rust version:
stable-x86_64-pc-windows-msvc (default)
rustc 1.64.0 (a55dd71d5 2022-09-19)
Environment
Client Version: v1.25.0
Kustomize Version: v4.5.7
Server Version: v1.22.14
Configuration and features
```toml
kube = { version = "0.75.0", features = ["runtime", "derive"] }
k8s-openapi = { version = "0.16.0", features = ["v1_25"] }
```
Affected crates
No response
Would you like to work on fixing this bug?
maybe
That looks like an error from oidc-login. Does the same kubeconfig work with regular kubectl?
Yes, it does. For me it looks like the command is not executed properly; the arguments are provided in an erroneous way. If I execute oidc-login with these params directly, I receive the response.
If the command works locally then it sounds like something that would be straightforward to fix when cross-referencing with where we shell out:
https://github.com/kube-rs/kube/blob/e104bea2233b5bd0977aab444b8c5a36181b4791/kube-client/src/client/auth/mod.rs#L463-L488
and what kubectl does (as documented by the upstream ExecConfig) via kubectl -v=9
I don't see anything obvious in our implementation. Command::args just passes the yaml on verbatim. ~~Maybe it doesn't print to stdout, but stderr?~~ Maybe something about inherited env vars? Maybe oidc-login also has a verbose flag to identify why it is failing?
A solution/fix/investigation would be appreciated!
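To make the exec credential plugin contract concrete (what the client must pass through, what the plugin must print, and how a non-zero exit like the one above surfaces), here is an added Python example. It is not kube-rs code and not kubelogin: the plugin is a constructed stand-in run via `sys.executable -c`, and the issuer URL, client secret and token are placeholders. It runs the `exec` stanza the way a client does (command plus args verbatim, inherited environment plus any `env` entries), validates the `ExecCredential` on stdout, and decides from `expirationTimestamp` when the plugin has to be re-run.

```python
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for an exec credential plugin such as `kubectl oidc-login get-token`.
# It is a toy for this example (not kubelogin): it prints an ExecCredential on stdout when the
# flags it expects are present, and otherwise exits 2 with a message shaped like the one in
# the issue, so the client-side error path can be exercised offline.
FAKE_PLUGIN = r"""
import json, sys
from datetime import datetime, timedelta, timezone
required = {"--oidc-issuer-url", "--oidc-client-id"}
given = {arg.split("=", 1)[0] for arg in sys.argv[1:]}
if not required <= given:
    sys.stderr.write("error: One of the values isn't valid for an argument\n")
    sys.exit(2)
expiry = datetime.now(timezone.utc) + timedelta(minutes=5)
print(json.dumps({
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "kind": "ExecCredential",
    "status": {
        "token": "constructed-id-token",
        "expirationTimestamp": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
    },
}))
"""

# Constructed exec stanzas mirroring the kubeconfig in the issue; the real plugin is replaced
# by the fake above, and the issuer URL / secret are placeholders.
GOOD_EXEC = {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": sys.executable,
    "args": ["-c", FAKE_PLUGIN, "get-token",
             "--oidc-issuer-url=https://keycloak.example/realms/placeholder",
             "--oidc-client-id=kubernetes",
             "--oidc-client-secret=<placeholder>"],
    "env": None,
}
# Same stanza with a flag the plugin rejects: reproduces the exit-code-2 failure mode.
BAD_EXEC = dict(GOOD_EXEC, args=["-c", FAKE_PLUGIN, "get-token", "--not-a-flag=x"])


def run_exec_plugin(exec_cfg: dict, extra_env: Optional[dict] = None) -> dict:
    """Run a kubeconfig `exec` stanza the way a client does: command plus args passed
    verbatim, the inherited environment plus any `env` entries, and a JSON ExecCredential
    expected on stdout. A non-zero exit is an auth error that carries the plugin's stderr."""
    env = dict(os.environ)
    for entry in exec_cfg.get("env") or []:   # `env: null` in YAML arrives as None
        env[entry["name"]] = entry["value"]
    if extra_env:
        env.update(extra_env)
    cmd = [exec_cfg["command"], *exec_cfg.get("args", [])]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(
            f"auth exec command failed with exit code {proc.returncode}: "
            f"stderr={proc.stderr.strip()!r}"
        )
    cred = json.loads(proc.stdout)
    if cred.get("kind") != "ExecCredential" or cred.get("apiVersion") != exec_cfg["apiVersion"]:
        raise RuntimeError(f"plugin returned {cred.get('apiVersion')}/{cred.get('kind')}, "
                           f"expected {exec_cfg['apiVersion']}/ExecCredential")
    status = cred.get("status") or {}
    has_cert = "clientCertificateData" in status and "clientKeyData" in status
    if "token" not in status and not has_cert:
        raise RuntimeError("ExecCredential status carries neither a token nor a client certificate")
    return cred


def token_expired(cred: dict, now: Optional[datetime] = None,
                  skew: timedelta = timedelta(seconds=30)) -> bool:
    """Decide whether a cached ExecCredential must be refreshed by re-running the plugin.
    A missing expirationTimestamp means the client re-runs the plugin per its own caching
    policy, so it is not reported as expired here."""
    ts = (cred.get("status") or {}).get("expirationTimestamp")
    if ts is None:
        return False
    expiry = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return expiry - skew <= now


if __name__ == "__main__":
    cred = run_exec_plugin(GOOD_EXEC)
    print("token:", cred["status"]["token"], "expired:", token_expired(cred))
    try:
        run_exec_plugin(BAD_EXEC)
    except RuntimeError as err:
        print("expected failure:", err)
```

The failure path is the useful part when debugging a report like this one: the client should surface the plugin's exit code and stderr verbatim (as kube-rs does in the error above), because a message such as "One of the values isn't valid for an argument" comes from the plugin's own flag parsing, not from the client. Comparing the argv the client actually spawns against what `kubectl -v=9` shows is the quickest way to tell the two apart.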
The thing is, I am not good at Rust and am just learning it in my spare time (my main stack for several ages has been TypeScript). Not good at debugging open source for now. For now, I think the flags are not passed to the execution of the command properly, but I can't check that.
Did the PR above fix the issue, @atassis? It should be available on kube-rs 0.77.0.
It will take me some time to check it, I am too overwhelmed by different stuff. But I will definitely check it and answer later
FWIW, interactive OIDC works fine with kube-rs, but I only tested with https://github.com/int128/kubelogin
EDIT: just noticed you're using kubelogin as well. So it should work fine now!
We have users complaining about OIDC not refreshing. Checking the code I really don't see any refreshing mechanism for OIDC https://github.com/metalbear-co/mirrord/issues/1460
Upon further inspection, there appear to be two issues here.
The above config in this issue is using exec with oidc-login shellout which should still work using existing structures, but it's possible that there's something wrong with the way the exec is done - it has probably not been tested for a lot of different use cases. If this doesn't work, then it's a bug.
On the other hand there's also #1223 which would not use exec but rather auth-provider (see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#option-1-oidc-authenticator ), and that we definitely do not have support for yet.
As a progress note, we now have support for oidc refresh under the kube/oidc feature from #1229 resulting from the previous comment. Previously we had oidc bearer token handling only.
This is not expected to fix the issue above, as it is using an exec provider, but we also don't know if anything is even actually wrong on our side here. As a side note, it might be possible to change the kubeconfig structure to use the oidc provider rather than exec (since it's called oidc-keycloak), or tweak the kubeconfig a bit (there are some blog posts on this).
Anyway, going to close this for now. Feel free to reopen with more information.