kubectl-whoami
Not working for showing groups information
Problem
It works when I try the kubectl whoami --all command against an AWS EKS cluster via the aws-iam-authenticator default authentication method.
It doesn't work when I try the kubectl whoami --all command against an AWS EKS cluster via a different OIDC Identity Provider authentication. In my case, I tried with the Okta OIDC identity provider. The output is the same as with the kubectl whoami command.
Hi @posquit0, thanks for reporting the issue.
Is it possible for you to please submit a PR for this? I don't have access to an EKS cluster setup.
Thanks Rajat Jindal
I just tried with the OneLogin OIDC provider + EKS, and it seems to have worked, showing me all the groups that I am part of.
Could you please try once more?
Hi, thank you for following this issue. I'm so glad to hear that.
I tried with v0.0.44, but it just gives the same output.
What is your configuration for users[].user.exec.command and users[].user.exec.args in .kube/config?
I used the kubectl command and oidc-login args.
I am using a custom login plugin instead of oidc-login, but I don't think that matters. We make use of k8s API calls to fetch whoami info.
Could you please add some logging on your laptop and help submit a PR for this?
I found a solution for a related issue:
in order for kubectl-whoami to show the ARN information for a user, the k8s role assigned to the user/group must have this rule:
- apiGroups: [ "authentication.k8s.io" ]
  resources: [ "tokenreviews" ]
  verbs: [ "create" ]
Without this rule within a ClusterRole assigned to that user, extracting the ARN is not possible.
Sorry if this isn't relevant, but I did see that printing both Groups and ARNs is within the same if condition.
Anyways, @rajatjindal, you might want to add that information to the README.md, maybe in a troubleshooting section?
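The rule from the comment above, placed in a complete ClusterRole and bound to a group, as an added example that is not from the thread or from the kubectl-whoami project. The names whoami-tokenreview and oidc:developers are hypothetical; the group string has to match exactly what the cluster's OIDC identity provider configuration emits, including any groups prefix.

```yaml
# TokenReview is a cluster-scoped resource, so the permission must come from
# a ClusterRole bound with a ClusterRoleBinding (a namespaced Role cannot grant it).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: whoami-tokenreview        # hypothetical name
rules:
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]             # only "create"; no other verbs are needed for this rule
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: whoami-tokenreview        # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: whoami-tokenreview
subjects:
  # Hypothetical group as it arrives from the OIDC provider. If the cluster is
  # configured with a groups prefix, the prefix is part of the name to bind.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "oidc:developers"
```

Holders of this permission can submit any token to the API server for validation, so bind it to the specific groups that need kubectl whoami --all rather than to system:authenticated.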