kind local cluster OIDC setup windows VM #3531

Open
tppalani opened this issue Feb 26, 2024 · 1 comment
Labels
kind/support Categorizes issue or PR as a support question.

Comments

@tppalani

I'm running a kind cluster on the Windows operating system. Just for POC purposes I have obtained an Okta CLIENT-ID and Okta domain to enable the Okta login mechanism. While creating the cluster I passed the below configuration in YAML as extra API server configuration, but I don't see any effect after creating the kind cluster. I even verified the kube-apiserver.yaml file too, but I don't see any configuration when I check inside the container path:

---
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    image: kindest/node:v1.27.1@sha256:c44686bf1f422942a21434e5b4070fc47f3c190305be2974f91444cd34909f1b
    extraMounts:
    - hostPath: C:/tools/cert.pem
      containerPath: /usr/local/share/ca-certificates/my.crt
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
      - |
        apiServer:
          extraArgs:
            runtime-config: "api/all=true"
      - |
        apiServer:
          extraArgs:
            admission-control: "ServiceAccount,NodeRestriction,PodSecurityPolicy,AlwaysAdmit"
      
      - |
        apiServer:
          extraArgs:
            apiserver.oidc-issuer-url: "https://dev-123456.okta.com/oauth2/default"
            apiserver.oidc-client-id: "ohaja1234mkalLMN"
            apiserver.oidc-username-prefix: "oidc:"
            apiserver.oidc-username-claim: "sub"
            apiserver.oidc-groups-prefix: "oidc:"
            apiserver.oidc-groups-claim: "groups"
    extraPortMappings:
      - containerPort: 80
        hostPort: 80
      - containerPort: 443
        hostPort: 443
      - containerPort: 1111
        hostPort: 1111

cat ./kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0t...........
    server: https://127.0.0.1:52260
  name: kind-kind
contexts:
- context:
    cluster: kind-kind
    user: kind-kind
  name: kind-kind
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: kind-kind
  user:
    client-certificate-data: LS0t...........
    client-key-data: LS0t...........
- name: oidc-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://dev-123456.okta.com/oauth2/default
      - --oidc-client-id=ohaja1234mkalLMN
      - --oidc-extra-scope=groups
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

What you expected to happen:
The OIDC user will be picked up when I run the below command

kubectl get pods --user oidc-user

How to reproduce it (as minimally and precisely as possible):

kubectl get pods --user oidc-user
error: unknown command "oidc-login" for "kubectl"
Unable to connect to the server: getting credentials: exec: executable kubectl failed with exit code 1

Anything else we need to know?:

Environment:

  • kind version: (use kind version): kind v0.18.0 go1.20.2 windows/amd64

  • Runtime info: (use docker info or podman info): $ podman info
    host:
      arch: amd64
      buildahVersion: 1.33.2
      cgroupControllers:
      - cpuset
      - cpu
      - cpuacct
      - blkio
      - memory
      - devices
      - freezer
      - net_cls
      - perf_event
      - net_prio
      - hugetlb
      - pids
      - rdma
      - misc
      cgroupManager: cgroupfs
      cgroupVersion: v1
      conmon:
        package: conmon-2.1.8-2.fc39.x86_64
        path: /usr/bin/conmon
        version: 'conmon version 2.1.8, commit: '
      cpuUtilization:
        idlePercent: 98.99
        systemPercent: 0.41
        userPercent: 0.6
      cpus: 12
      databaseBackend: sqlite
      distribution:
        distribution: fedora
        variant: container
        version: "39"
      eventLogger: journald
      freeLocks: 2037
      hostname: LDD4C6G3
      idMappings:
        gidmap: null
        uidmap: null
      kernel: 5.15.133.1-microsoft-standard-WSL2
      linkmode: dynamic
      logDriver: journald
      memFree: 11759542272
      memTotal: 16566603776
      networkBackend: netavark
      networkBackendInfo:
        backend: netavark
        dns:
          package: aardvark-dns-1.9.0-1.fc39.x86_64
          path: /usr/libexec/podman/aardvark-dns
          version: aardvark-dns 1.9.0
        package: netavark-1.9.0-1.fc39.x86_64
        path: /usr/libexec/podman/netavark
        version: netavark 1.9.0
      ociRuntime:
        name: crun
        package: crun-1.12-1.fc39.x86_64
        path: /usr/bin/crun
        version: |-
          crun version 1.12
          commit: ce429cb2e277d001c2179df1ac66a470f00802ae
          rundir: /run/crun
          spec: 1.0.0
          +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
      os: linux
      pasta:
        executable: /usr/bin/pasta
        package: passt-0^20231230.gf091893-1.fc39.x86_64
        version: |
          pasta 0^20231230.gf091893-1.fc39.x86_64
          Copyright Red Hat
          GNU General Public License, version 2 or later
          https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
          This is free software: you are free to change and redistribute it.
          There is NO WARRANTY, to the extent permitted by law.
      remoteSocket:
        exists: true
        path: /run/podman/podman.sock
      security:
        apparmorEnabled: false
        capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
        rootless: false
        seccompEnabled: true
        seccompProfilePath: /usr/share/containers/seccomp.json
        selinuxEnabled: false
      serviceIsRemote: true
      slirp4netns:
        executable: /usr/bin/slirp4netns
        package: slirp4netns-1.2.2-1.fc39.x86_64
        version: |-
          slirp4netns version 1.2.2
          commit: 0ee2d87523e906518d34a6b423271e4826f71faf
          libslirp: 4.7.0
          SLIRP_CONFIG_VERSION_MAX: 4
          libseccomp: 2.5.3
      swapFree: 4294168576
      swapTotal: 4294967296
      uptime: 28h 52m 6.00s (Approximately 1.17 days)
      variant: ""
    plugins:
      authorization: null
      log:
      - k8s-file
      - none
      - passthrough
      - journald
      network:
      - bridge
      - macvlan
      - ipvlan
      volume:
      - local
    registries:
      search:
      - docker.io
    store:
      configFile: /usr/share/containers/storage.conf
      containerStore:
        number: 2
        paused: 0
        running: 1
        stopped: 1
      graphDriverName: overlay
      graphOptions:
        overlay.mountopt: nodev,metacopy=on
      graphRoot: /var/lib/containers/storage
      graphRootAllocated: 1081101176832
      graphRootUsed: 16018919424
      graphStatus:
        Backing Filesystem: extfs
        Native Overlay Diff: "false"
        Supports d_type: "true"
        Supports shifting: "false"
        Supports volatile: "true"
        Using metacopy: "true"
      imageCopyTmpDir: /var/tmp
      imageStore:
        number: 12
      runRoot: /run/containers/storage
      transientStore: false
      volumePath: /var/lib/containers/storage/volumes
    version:
      APIVersion: 4.8.3
      Built: 1704291100
      BuiltTime: Wed Jan 3 19:41:40 2024
      GitCommit: ""
      GoVersion: go1.21.5
      Os: linux
      OsArch: linux/amd64
      Version: 4.8.3
  • OS (e.g. from /etc/os-release): windows

  • Kubernetes version: (use kubectl version): Client Version: v1.28.2
    Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
    Server Version: v1.27.1

  • Any proxies or other special environment settings?: NA

@tppalani tppalani added the kind/bug Categorizes issue or PR as related to a bug. label Feb 26, 2024
@BenTheElder
Member

    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
      - |
        apiServer:
          extraArgs:
            runtime-config: "api/all=true"
      - |
        apiServer:
          extraArgs:
            admission-control: "ServiceAccount,NodeRestriction,PodSecurityPolicy,AlwaysAdmit"
      
      - |
        apiServer:
          extraArgs:
            apiserver.oidc-issuer-url: "https://dev-123456.okta.com/oauth2/default"
            apiserver.oidc-client-id: "ohaja1234mkalLMN"
            apiserver.oidc-username-prefix: "oidc:"
            apiserver.oidc-username-claim: "sub"
            apiserver.oidc-groups-prefix: "oidc:"
            apiserver.oidc-groups-claim: "groups"

This isn't quite right: your patches except the first one are not targeting any particular object, so they're doing nothing.

You can just combine these into one patch: remove the `- |` lines except the first one and merge the extraArgs into one map.

/remove-kind bug
/kind support

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Feb 26, 2024
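Added example, not code from the issue or from the kind project: a small script that writes the merged patch the maintainer describes and then performs the check the reporter did by hand, looking for the `--oidc-*` flags in the kube-apiserver static pod manifest. Beyond the merge itself, three things differ from the posted config. The patch names the object it targets (`kind: ClusterConfiguration`); the flag names are the bare kube-apiserver flag names (`oidc-issuer-url`, not `apiserver.oidc-issuer-url`); and the `admission-control` line is dropped, because that flag was deprecated in favour of `--enable-admission-plugins`, `PodSecurityPolicy` was removed in Kubernetes v1.25 so a v1.27 API server that did receive it would refuse to start on an unknown plugin name, and `AlwaysAdmit` admits every request, which defeats the point of an admission chain. The issuer URL and client ID are the placeholders from the issue, the `oidc-ca-file` hint is an assumption about why `cert.pem` is mounted, and the sample manifests are constructed for offline use. The last function addresses the separate `kubectl get pods` failure: `kubectl oidc-login` is the kubelogin plugin, which kubectl resolves as a `kubectl-oidc_login` binary on PATH, so "unknown command oidc-login" means that binary is missing rather than that the cluster config is wrong.

```shell
#!/bin/sh
# Added example, not code from the issue or from the kind project.
# Writes a kind config whose API server flags sit in ONE ClusterConfiguration
# patch, then checks whether those flags reached the kube-apiserver manifest.
set -eu

# Placeholder values copied from the issue; substitute your own tenant.
OIDC_ISSUER_URL="https://dev-123456.okta.com/oauth2/default"
OIDC_CLIENT_ID="ohaja1234mkalLMN"

# All apiServer.extraArgs entries live in a single patch that names its target
# object. Flag names are the bare kube-apiserver flag names, no "apiserver." prefix.
write_kind_config() {
  out="$1"
  cat > "$out" <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    extraMounts:
      - hostPath: C:/tools/cert.pem
        containerPath: /usr/local/share/ca-certificates/my.crt
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
      - |
        kind: ClusterConfiguration
        apiServer:
          extraArgs:
            runtime-config: "api/all=true"
            oidc-issuer-url: "${OIDC_ISSUER_URL}"
            oidc-client-id: "${OIDC_CLIENT_ID}"
            oidc-username-claim: "sub"
            oidc-username-prefix: "oidc:"
            oidc-groups-claim: "groups"
            oidc-groups-prefix: "oidc:"
            # Assumption: only needed if the issuer's TLS chain is not publicly trusted.
            # oidc-ca-file: /usr/local/share/ca-certificates/my.crt
    extraPortMappings:
      - containerPort: 80
        hostPort: 80
      - containerPort: 443
        hostPort: 443
EOF
}

# Verify the flags actually landed in the static pod manifest. On a live cluster:
#   docker exec kind-control-plane cat /etc/kubernetes/manifests/kube-apiserver.yaml > m.yaml
# Returns 0 when every required --oidc-* flag is present, 1 otherwise.
check_apiserver_oidc_flags() {
  manifest="$1"
  missing=0
  for flag in oidc-issuer-url oidc-client-id oidc-username-claim oidc-groups-claim; do
    if ! grep -Eq -- "^[[:space:]]*- --${flag}=" "$manifest"; then
      echo "missing: --${flag}" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample manifests for offline use: what kubeadm renders when the
# patch applies ("yes") and when it silently does not ("no"), as in the issue.
write_sample_manifest() {
  out="$1"
  with_oidc="$2"
  {
    printf 'spec:\n  containers:\n  - command:\n    - kube-apiserver\n'
    printf '    - --authorization-mode=Node,RBAC\n'
    if [ "$with_oidc" = "yes" ]; then
      printf '    - --oidc-issuer-url=%s\n' "$OIDC_ISSUER_URL"
      printf '    - --oidc-client-id=%s\n' "$OIDC_CLIENT_ID"
      printf '    - --oidc-username-claim=sub\n    - --oidc-groups-claim=groups\n'
    fi
  } > "$out"
}

# "unknown command oidc-login for kubectl": kubectl looks for a plugin binary
# named kubectl-oidc_login on PATH; this returns 0 only if one is installed.
check_oidc_login_plugin() {
  command -v kubectl-oidc_login >/dev/null 2>&1
}

# Stand-alone demo against the constructed manifests.
tmp=$(mktemp -d)
write_kind_config "$tmp/kind-oidc.yaml"
write_sample_manifest "$tmp/good.yaml" yes
write_sample_manifest "$tmp/bad.yaml" no
for m in good bad; do
  if check_apiserver_oidc_flags "$tmp/$m.yaml" 2>/dev/null; then
    echo "$m.yaml: OIDC flags present"
  else
    echo "$m.yaml: OIDC flags missing"
  fi
done
if check_oidc_login_plugin; then
  echo "kubectl-oidc_login found on PATH"
else
  echo "kubectl-oidc_login not on PATH: 'kubectl oidc-login' will fail"
fi
```

After `kind create cluster --config "$tmp/kind-oidc.yaml"`, run `check_apiserver_oidc_flags` against the manifest copied out of the control-plane container; if it reports a missing flag, the patch still did not target `ClusterConfiguration`. Note that the API server only validates the ID token; binding `oidc:<sub>` or `oidc:<group>` to any permissions is still a separate RBAC step.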