
Problem connecting to cluster

Open nniikkoollaaii opened this issue 6 years ago • 8 comments

Hello,

I selected my kubeconfig file and kube-forwarder shows the following error message:

"nodes is forbidden: User "system:anonymous" cannot list nodes at the cluster scope"

My kubeconfig file is:

apiVersion: v1
kind: Config
clusters:
- name: caasp
  cluster:
    server: https://my-apiserver:6443
    certificate-authority-data: ...
users:
- name: appenvadmin
  user:
    auth-provider:
      name: oidc
      config:
        client-id: velum
        client-secret: ...
        extra-scopes: groups
        id-token: ...
        idp-certificate-authority-data: ...
        idp-issuer-url: https://my-apiserver:32000
        refresh-token: ...
contexts:
- name: caasp-appenvadmin
  context:
    cluster: caasp
    user: appenvadmin
current-context: caasp-appenvadmin

Auth backend is Dex. Kube-Forwarder Version 1.4.2 on Windows

Is there a problem using Kubernetes OIDC Auth?

Thanks for any help!

nniikkoollaaii avatar Aug 12 '19 07:08 nniikkoollaaii

Hi @nniikkoollaaii, it looks like an issue with the cluster's configuration or a connection configuration. Have you tried to connect to the cluster using kubectl with the same config? Most likely it's not a Kube Forwarder issue, but if kubectl works, we will investigate it further.

proAlexandr avatar Aug 19 '19 06:08 proAlexandr

Hi @proAlexandr ,

the command kubectl get pods --kubeconfig .\my-kubeconfig works. So I don't think there is a problem with my connection configuration.

Further investigation would be nice. Thanks!

nniikkoollaaii avatar Aug 19 '19 06:08 nniikkoollaaii

I'm having a similar problem with oidc auth-provider. I am able to connect via kubectl but not through kube-forwarder.

rlopez4 avatar Aug 20 '19 17:08 rlopez4

I'm experiencing a similar problem with OIDC. Commands like kubectl --context=dev port-forward foobar work fine, but Kube Forwarder displays "Unauthorized" when connecting:

[screenshot]

merktassel avatar Nov 04 '19 22:11 merktassel

+1 on what @merktassel said, I cannot get Kube Forwarder to work with an OIDC authenticator either, it fails with an Unauthorized error. All kubectl commands (e.g. kubectl get ns) work fine, though it should be noted that myuser has restricted rights (is only admin of some namespaces, but cannot manage the cluster itself).

Are there any logs I could inspect?

~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority: [redacted]
    server: [redacted]
  name: mycluster
contexts:
- context:
    cluster: mycluster
    user: myuser
  name: mycontext
current-context: mycontext
kind: Config
preferences: {}
users:
- name: myuser
  user:
    auth-provider:
      config:
        client-id: [redacted]
        client-secret: [redacted]
        id-token: [redacted]
        idp-issuer-url: [redacted]
        refresh-token: [redacted]
      name: oidc

Kube Forwarder

[screenshot]

nbusseneau avatar Nov 14 '19 09:11 nbusseneau

Hi,

Any news on this? We are facing the same issue. When clicking on add new cluster we got an error, failed to connect, do you want continue saving?

We are able to run port-forward via the terminal.

Any idea? Any workaround?

Thanks Ben

astrixj avatar Jul 01 '20 07:07 astrixj

Same issue here with an OIDC authenticator enabled cluster.

trendsoa avatar Jul 02 '21 05:07 trendsoa

There have been some changes to the @kubernetes/client-node package that fix this error. I'm able to reproduce a very similar error if I run this sample code using 0.10.2 in a separate project:

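const k8s = require('@kubernetes/client-node');

// Load the default kubeconfig and select the context to test.
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
kc.setCurrentContext('<insert a context relevant to your environment>');

const k8sApi = kc.makeApiClient(k8s.CoreV1Api);

// List pods in the "default" namespace; on failure print the API server's Status body.
k8sApi.listNamespacedPod('default').then((res) => {
  console.log(res.body);
}).catch((err) => {
  // err.response is absent on connection-level failures, so fall back to the error itself.
  console.log(err.response ? err.response.body : err);
});

will produce this response from the API: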

{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "default"',
  reason: 'Forbidden',
  details: { kind: 'pods' },
  code: 403
}

After updating the package I no longer get that error.

There is already a PR (#88) that includes an update to that package, which should fix this bug as well.

chris-clarke-dev avatar Aug 10 '21 22:08 chris-clarke-dev
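
An added diagnostic example, not part of this thread and not code from Kube Forwarder or @kubernetes/client-node: it separates the two failures reported above for a kubeconfig `oidc` auth-provider user. A 403 naming `system:anonymous` means the API server received no credentials at all, while a 401 means a token was presented and rejected. The function names, the sample token and the sample values are constructed for illustration, and it assumes the "Unauthorized" shown by Kube Forwarder corresponds to an HTTP 401 Status.

```javascript
// Added diagnostic example; all function names are hypothetical and not part of
// Kube Forwarder or @kubernetes/client-node.

// Decode a JWT payload without verifying its signature (inspection only).
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (err) {
    return null;
  }
}

// user: the `user` object of a kubeconfig entry; status: the Status body
// returned by the API server; nowSeconds: current Unix time.
function diagnoseOidcFailure(user, status, nowSeconds) {
  const provider = (user && user['auth-provider']) || {};
  if (provider.name !== 'oidc') return { cause: 'not-an-oidc-user' };
  const cfg = provider.config || {};
  const claims = cfg['id-token'] ? decodeJwtPayload(cfg['id-token']) : null;
  const tokenExpired = !claims || typeof claims.exp !== 'number' || claims.exp <= nowSeconds;
  const canRefresh = Boolean(cfg['refresh-token'] && cfg['idp-issuer-url']);
  let cause = 'other';
  if (status.code === 403 && /User "system:anonymous"/.test(status.message || '')) {
    // The server saw no credentials at all: the client never attached the id-token.
    cause = 'no-credentials-sent';
  } else if (status.code === 401) {
    // A token was presented and rejected; a stale id-token must be refreshed first.
    cause = tokenExpired ? 'id-token-stale' : 'id-token-rejected';
  }
  return { cause, tokenExpired, canRefresh };
}

// Constructed sample data: an unsigned placeholder token and a Status body
// shaped like the one quoted in the thread.
function sampleToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ iss: 'https://idp.example', exp })}.sig`;
}
const sampleUser = { 'auth-provider': { name: 'oidc', config: {
  'id-token': sampleToken(1000), 'refresh-token': 'placeholder',
  'idp-issuer-url': 'https://idp.example' } } };
const anonymousStatus = { code: 403, reason: 'Forbidden',
  message: 'pods is forbidden: User "system:anonymous" cannot list resource "pods"' };
console.log(diagnoseOidcFailure(sampleUser, anonymousStatus, 2000));
```

A `no-credentials-sent` result while kubectl works with the same file points at the client not handling the auth-provider entry, not at RBAC for the named user.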