Error when connecting to cluster with LDAP

General Discussions
1

Cluster information:

Kubernetes version:
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Ubuntu 22.04
CNI and version: Flannel latest
CRI and version: docker with Mirantis cri-dockerd as Docker Engine shim
1 control plane node and 3 worker nodes

I deployed Dex + Gangway + oauth2-proxy so I can get kubeconf from https://kubectl.myk8s.mydomain.com with my domain user. It used to work fine.
Until this morning , I have to restarted my control plane node cause of some memory leak error.
After that, when I try to access to k8s cluster from my computer with kubectl I get error

kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:58:30Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"windows/amd64"}
Kustomize Version: v4.5.7
error: You must be logged in to the server (the server has asked for the client to provide credentials)

kubectl get nodes
E0728 12:13:04.100729   23052 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0728 12:13:04.113234   23052 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0728 12:13:04.125072   23052 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0728 12:13:04.134795   23052 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0728 12:13:04.142634   23052 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)

The default admin still work fine.
I still can access to https://kubectl.myk8s.mydomain.com with my domain user and get another kubeconf but the new one still get same error.
How can I troubleshoot it ? Please give me some advice, thank you very much.

2

same problem here, after logging on Dex using LDAP option, I get the kubeconfig file, and created clusterrolebinding to the whole ldap group:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-role-for-clusterusers
subjects:
- kind: Group
  name: clusterusers # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

but when running a simple kubectl command: kubectl get pod --v=10, I get the same error:

//...
I0925 14:47:08.763465 3013957 helpers.go:246] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "the server has asked for the client to provide credentials",
  "reason": "Unauthorized",
  "details": {
    "causes": [
      {
        "reason": "UnexpectedServerResponse",
        "message": "unknown"
      }
    ]
  },
  "code": 401
}]
error: You must be logged in to the server (the server has asked for the client to provide credentials)