Problem connecting to cluster #25

Open
nniikkoollaaii opened this issue Aug 12, 2019 · 8 comments

nniikkoollaaii commented Aug 12, 2019

Hello,

I selected my kubeconfig file and kube-forwarder shows the following error message:

"nodes is forbidden: User "system:anonymous" cannot list nodes at the cluster scope"

My kubeconfig file is:

apiVersion: v1
kind: Config
clusters:
- name: caasp
  cluster:
    server: https://my-apiserver:6443
    certificate-authority-data: ...
users:
- name: appenvadmin
  user:
    auth-provider:
      name: oidc
      config:
        client-id: velum
        client-secret: ...
        extra-scopes: groups
        id-token: ...
        idp-certificate-authority-data: ...
        idp-issuer-url: https://my-apiserver:32000
        refresh-token: ...
contexts:
- name: caasp-appenvadmin
  context:
    cluster: caasp
    user: appenvadmin
current-context: caasp-appenvadmin

Auth backend is Dex.
Kube-Forwarder Version 1.4.2 on Windows

Is there a problem using Kubernetes OIDC Auth?

Thanks for any help!

@proAlexandr
Contributor

Hi @nniikkoollaaii,
It looks like an issue with the cluster's configuration or a connection configuration. Have you tried to connect to the cluster using kubectl with the same config? Most likely it's not a Kube Forwarder's issue, but if kubectl works, we will investigate it further.

@nniikkoollaaii
Author

Hi @proAlexandr,

The command
kubectl get pods --kubeconfig .\my-kubeconfig
works.
So I don't think there is a problem with my connection configuration.

Further investigation would be nice. Thanks!


rlopez4 commented Aug 20, 2019

I'm having a similar problem with oidc auth-provider. I am able to connect via kubectl but not through kube-forwarder.

@proAlexandr proAlexandr added bug and removed question labels Aug 21, 2019

merktassel commented Nov 4, 2019

I'm experiencing a similar problem with OIDC. Commands like kubectl --context=dev port-forward foobar work fine, but Kube Forwarder displays "Unauthorized" when connecting:

[Screenshot: Screen Shot 2019-11-04 at 4 20 04 PM]


nbusseneau commented Nov 14, 2019

+1 on what @merktassel said, I cannot get Kube Forwarder to work with an OIDC authenticator either, it fails with an Unauthorized error. All kubectl commands (e.g. kubectl get ns) work fine, though it should be noted that myuser has restricted rights (is only admin of some namespaces, but cannot manage the cluster itself).

Are there any logs I could inspect?

~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority: [redacted]
    server: [redacted]
  name: mycluster
contexts:
- context:
    cluster: mycluster
    user: myuser
  name: mycontext
current-context: mycontext
kind: Config
preferences: {}
users:
- name: myuser
  user:
    auth-provider:
      config:
        client-id: [redacted]
        client-secret: [redacted]
        id-token: [redacted]
        idp-issuer-url: [redacted]
        refresh-token: [redacted]
      name: oidc

Kube Forwarder

[Screenshot: 8gDrT7IHh9]


astrixj commented Jul 1, 2020

Hi,

Any news on this? We are facing the same issue. When clicking on add new cluster we got an error, failed to connect, do you want continue saving?

We are able to run port-forward via the terminal.

Any idea? Any workaround?

Thanks
Ben


trendsoa commented Jul 2, 2021

Same issue here with OIDC authenticator enabled cluster.


chris-clarke-dev commented Aug 10, 2021

There have been some changes to the @kubernetes/client-node package that fix this error. I'm able to reproduce a very similar error if I run this sample code using 0.10.2 in a separate project:

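const k8s = require('@kubernetes/client-node');

// Load the default kubeconfig and select the context to test.
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
kc.setCurrentContext('<insert a context relevant to your environment>');

const k8sApi = kc.makeApiClient(k8s.CoreV1Api);

// List pods in the "default" namespace; on failure print the API Status body.
k8sApi.listNamespacedPod('default').then((res) => {
  console.log(res.body);
}).catch((err) => {
  // err.response is absent on network-level failures, so fall back to err.
  console.log(err.response ? err.response.body : err);
});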

will produce this response from the API

{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "default"',
  reason: 'Forbidden',
  details: { kind: 'pods' },
  code: 403
}

After updating the package I no longer get that error.

There is already a PR (#88) that includes an update to that package, which should fix this bug as well.
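
Added example, not part of the thread and not code from Kube Forwarder or @kubernetes/client-node: a small Node.js triage helper that separates the two symptoms reported above, a 403 naming `system:anonymous` (the request carried no credential) and a 401 `Unauthorized`, and reports whether a kubeconfig's OIDC `id-token` has expired. The function names and the sample token are constructed for illustration; the token is decoded without signature verification, for diagnostics only.

```javascript
'use strict';
// Added triage helper; not kube-forwarder or @kubernetes/client-node code.

// Decode a JWT payload WITHOUT verifying its signature (diagnostics only).
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    // Node's 'base64' decoder also accepts the URL-safe alphabet JWTs use.
    return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Summarize the credential carried by one kubeconfig `users[].user` entry.
function describeUserAuth(user = {}, nowSec = Math.floor(Date.now() / 1000)) {
  const ap = user['auth-provider'];
  if (ap && ap.name === 'oidc') {
    const cfg = ap.config || {};
    const claims = cfg['id-token'] ? decodeJwtPayload(cfg['id-token']) : null;
    const exp = claims && typeof claims.exp === 'number' ? claims.exp : null;
    return {
      method: 'oidc',
      hasRefreshToken: Boolean(cfg['refresh-token']),
      idTokenExpired: exp === null ? null : exp <= nowSec,
    };
  }
  if (user.token) return { method: 'token' };
  if (user['client-certificate-data']) return { method: 'client-cert' };
  return { method: 'none' };
}

// Map an API server Status body to the likely client-side cause.
function triageStatus(status) {
  const msg = status.message || '';
  // 403 naming system:anonymous: the request carried no credential at all.
  if (status.code === 403 && msg.includes('system:anonymous')) return 'no-credential-sent';
  // 401: a credential was rejected, or none was sent and anonymous auth is off.
  if (status.code === 401) return 'unauthenticated';
  if (status.code === 403) return 'authenticated-but-forbidden';
  return 'other';
}

// Constructed sample: unsigned token whose payload is {"exp":1000}.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64');
const sampleUser = { 'auth-provider': { name: 'oidc', config: {
  'id-token': `${b64({ alg: 'none' })}.${b64({ exp: 1000 })}.sig`, 'refresh-token': 'constructed' } } };
console.log(describeUserAuth(sampleUser), triageStatus({ code: 403,
  message: 'pods is forbidden: User "system:anonymous" cannot list resource "pods"' }));
```

A result of `no-credential-sent` together with `method: 'oidc'` points at the client library not attaching the token, which matches the behaviour described for 0.10.2 above.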
