Getting "Unauthorized" while using Dashboard with Oauth2-proxy

Cluster information:

Kubernetes version: v1.25.6
Cloud being used: bare-metal
Installation method: dashboard-deployment.yml file
Host OS: N/A
CNI and version: d.k.
CRI and version: d.k.

Hello fellow users,
We have a k8s cluster up and running and are successfully using OIDC with the ‘kubectl’ program. The configuration snippet looks like this:

      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://login-uat.my.co/auth/realms/my-uat
      - --oidc-client-id=k8s_sandbox
      - --oidc-client-secret=XXXXXXXXXXXXXXXXXXXXXXXX
      command: kubectl

It is running quite well; I am able to get/manage cluster resources which I have access to using kubectl.

A couple of weeks ago I installed Dashboard v2.7.0+0.g42deb6b32 along with oauth2-proxy.
I managed to get it up and running, pass the user to the Identity provider, and get back to the Dashboard.
However, the Dashboard is now empty, while displaying "Logged in with auth header" when clicking on the user’s icon.

The dashboard logs are full of records like these:

    [2023-12-04T10:38:30Z] Incoming HTTP/1.1 GET /api/v1/namespace request from 10.139.128.40:
    Getting list of namespaces
    Non-critical error occurred during resource retrieval: Unauthorized
    [2023-12-04T10:38:30Z] Outcoming response to 10.139.128.40 with 200 status code

I was trying to turn on debugging information in the Dashboard logs but was unable to find a relevant option in the documentation.

Could you please tell me if there is a way to identify and fix the issue?

Best,
Roman.

Hi, rlevitsky

It appears that the issue may be related to RBAC (Role-Based Access Control) permissions for the user authenticating through OIDC. An “unauthorized” error indicates that the user does not have the necessary permissions to list namespaces.

Verify that the OIDC user is associated with the correct roles or ClusterRoles that have the necessary permissions to access resources in the dashboard.
Important: Remember that RBAC permissions are separate for kubectl and Kubernetes Dashboard. While kubectl may work with RBAC configured for OIDC, the dashboard may require additional configuration.
After making changes, monitor the logs for any additional error messages and use verbose logging to gain more insight into the problem. If the problem persists, you may need to check your Kubernetes RBAC setup and OIDC token claims more closely.
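
One way to check the OIDC token claims mentioned above, as an added example that is not part of the original posts: it decodes the bearer token that reaches the Dashboard in the auth header and compares `iss`, `aud` and `exp` with what the API server's OIDC authenticator requires. It assumes the API server's `--oidc-issuer-url` and `--oidc-client-id` match the kubectl snippet in the question; `dashboard_proxy` is a hypothetical client name and the sample token is constructed.

```python
import base64
import json
import time

# Values from the kubectl snippet in the question; the API server's
# --oidc-issuer-url / --oidc-client-id are assumed to be set to the same values.
EXPECTED_ISSUER = "https://login-uat.my.co/auth/realms/my-uat"
EXPECTED_CLIENT_ID = "k8s_sandbox"


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified:
    this is for inspection only, never for making an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, issuer=EXPECTED_ISSUER, client_id=EXPECTED_CLIENT_ID, now=None):
    """List the reasons the API server's OIDC authenticator would reject the token."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:  # the issuer must match exactly
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_sample_token(claims):
    """Build an unsigned sample token (constructed test data, not a real one)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample: a token issued for a different client than the
    # API server expects ("dashboard_proxy" is a hypothetical client name).
    sample = make_sample_token(
        {"iss": EXPECTED_ISSUER, "aud": "dashboard_proxy", "exp": 4102444800})
    for problem in check_claims(decode_claims(sample)):
        print("REJECT:", problem)
```

An empty result means the claims themselves are acceptable, and the next things to compare are the token's signature and the RBAC bindings for the user or groups it names.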

Hi jamallmahmoudi,
Thank you for your reply.
As stated in the first post, I was unable to find a ‘debugging’ option in the Dashboard configuration.
Do you have any idea on how to get debugging info out of Dashboard?

Hi

Sorry, I completely misunderstood your question.
There is no special key for debugging in this particular mode.
But the following link may be useful:

Thank you Jamall,
I will probably give it a try.

It is quite disgusting that the Dashboard user is unable to find out what exactly is going on, though.