Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
f
fancy-receptionist-50750
06/21/2022, 3:11 PMHi everyone.
I installed Neuvector from the App catalogue in Rancher 2.6.5 with defaults (only changed Container Runtime to containerd because I'm using K3s, and changed PVC to use Longhorn), but SSO is not working. Any recommended log that I can review to check what is happening?
This is the only lines that I'm seeing in the log of NeuVector Manager:
q
quiet-fountain-46593
06/21/2022, 9:30 PMJust to check, is your user a rancher admin or cluster owner? Those are the only rancher roles that are allowed in SSO in this version. the
saml-gf
fancy-receptionist-50750
06/21/2022, 10:31 PMI'm using the default admin user that is generated when you install Rancher to access Rancher UI. As additional information, I manually set the Rancher's admin password during the installation of Rancher, with the Helm chart, using --set bootstrapPassword flag.
Even doing a port forward to NeuVector WebUI at Kubernetes level, I cannot access to NeuVector WebUI with default admin:admin credentials:
More strange: I can log to the NeuVector Manager from CLI with admin:admin, and even I created a new admin user, aguida, but I cannot login to the Web UI:
r
ripe-actor-83292
06/22/2022, 5:42 PMthe webui is still not allowing
admin|adminq
quiet-fountain-46593
06/23/2022, 5:59 PMI am can't reproduce so far on k3s or rke2 using the rancher chart and longhorn. Does it work OK if you don't use a longhorn PVC?
f
fancy-receptionist-50750
06/23/2022, 6:48 PMNo, even if I not use Longhorn as PVC the error is the same.
To add some additional information, my K3S deploy is without Traefik (I'm using NGINX as Ingress) and without servicelb (I'm using kube-vip and MetalLB), and is a HA of 3 nodes beeing Masters and Workers at the same time. K3S is installed on Ubuntu 22.04, with k3sup.
q
quiet-fountain-46593
06/27/2022, 7:33 PMdefinitely strange. can you check the controller logs when trying to log in, vs the manager logs. and maybe enable debug mode if there is nothing special. Nothing about your arch seems like it would cause an issue. And since the cli works, there is pretty clearly not a connectivity problem between manager and controllers.
f
fancy-receptionist-50750
06/28/2022, 3:14 PMHi. Here are the logs, with debug mode enabled:
The Logs from the Manager:
2022-06-28 14:54:39,170|INFO |MANAGER|com.neu.api.AuthenticationService(apply:824): post path auth2022-06-28 14:54:39,256|WARN |MANAGER|com.neu.api.AuthenticationService(apply:828): Status: 401 UnauthorizedBody: {"code":3,"error":"Authentication failed","message":"Authentication failed"}2022-06-28 14:54:39,262|INFO |MANAGER|com.neu.api.AuthenticationService(apply:147): saml-g: servername is empty2022-06-28T14:54:38.808|DEBU|CTL|cache.UpdateConnections: - agent=1d1b9febe7e0 app=1001 bytes=592 client=Host:neoappl clientIP=10.12.2.222 clientPort=0 extIP=false external=false first=1656428055 host=neoappliance-k8s-02:6dce4d56-1a13-a2b1-74e8-b16dd06f283e ingress=true ipproto=6 last=1656428055 local=true network= policyAction=1 policyID=10005 policyViolates=0 scope=global server=793ca6076462 serverIP=192.168.193.66 serverPort=80 sessions=0 threatID=0 threatSev=0 toSidecar=false xff=false2022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexLock: Acquire ... - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexUnlock: Released - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.UpdateConnections: - agent=1d1b9febe7e0 app=0 bytes=9760 client=c16edcf22e89 clientIP=192.168.193.125 clientPort=0 extIP=false external=false first=1656428072 host=neoappliance-k8s-02:6dce4d56-1a13-a2b1-74e8-b16dd06f283e ingress=false ipproto=6 last=1656428072 local=false network= policyAction=0 policyID=0 policyViolates=0 scope=global server=nv.ip.kubern serverIP=10.43.0.1 serverPort=443 sessions=0 threatID=0 threatSev=0 toSidecar=false xff=false2022-06-28T14:54:38.808|DEBU|CTL|cache.graphMutexUnlock: Released - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=3182022-06-28T14:54:38.808|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=3182022-06-28T14:54:42.706|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=11009562022-06-28T14:54:42.706|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=11009562022-06-28T14:54:42.707|DEBU|CTL|cache.graphMutexLock: Acquire ... - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexLock: Acquire ... - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexUnlock: Released - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.preProcessConnectPAI: Ignore ingress connection from nv device - client=192.168.67.168 server=192.168.164.1012022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexRLock: Acquire ... - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexRUnlock: Released - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexLock: Acquire ... - goroutine=3182022-06-28T14:54:42.707|DEBU|CTL|cache.cacheMutexUnlock: Released - goroutine=318Additional tests that I did in other server (CentOS 7), always with the same result, "Authentication Failed" when I try to access NeuVector from Rancher UI:
• Installed K3S single node, without "cluster" mode (not etcd, use sqlite)
• Installed K3S single node, using Traefik instead of Nginx Ingress Controller
I don't know what can other things I can try. Maybe not use Calico, but is not an option on my production environment. I cannot try to use original LoadBalancer from K3S (I'm using metallb), because is not working on CentOS 7 (there is a confirmed bug on GitHub).
q
quiet-fountain-46593
06/29/2022, 5:54 PMdo you see anything like this in your controller debug, this is showing a failed login. I dont even see the login attempt (first line) in what you pasted above, as if the auth connection does not even arrive.
2022-06-29T17:29:18.382|DEBU|CTL|rest.handlerAuthLogin: - URL=<https://neuvector-svc-controller.cattle-neuvector-system:10443/v1/auth>
2022-06-29T17:29:18.382|DEBU|CTL|rest.getAuthServersInOrder: - auth-order=[]
2022-06-29T17:29:18.387|DEBU|CTL|rest.handlerAuthLogin: - server=local
2022-06-29T17:29:18.391|INFO|CTL|rest.handlerAuthLogin: - error=Wrong password user=admin
2022-06-29T17:29:18.391|ERRO|CTL|rest.handlerAuthLogin: User login failed - msg=Wrong password user=admin
2022-06-29T17:29:18.392|DEBU|CTL|rest.writer.WriteHeader: 401 - Method=POST URL=<https://neuvector-svc-controller.cattle-neuvector-system:10443/v1/auth>if you have > 1 controller, you might need to look at all of them, as the connection "should" use the controller service and wouldn't necessarily hit the leader.
r
ripe-actor-83292
06/29/2022, 6:03 PMCan you hit the NeuVector UI directly at
https://<the.ui.service.ip>:8443f
fancy-receptionist-50750
06/29/2022, 6:04 PM@ripe-actor-83292, the NeuVector UI internally is HTTPS or HTTP on port 8443?
r
ripe-actor-83292
06/29/2022, 6:04 PMHTTPS
f
fancy-receptionist-50750
06/29/2022, 6:05 PMOk, let me try with a kubectl port-forward
r
ripe-actor-83292
06/29/2022, 6:05 PMthanks for playing along. 🙂 This is definitely a weird one.
👍 1
Alejandro, you mentioned prod clusters. Are you perhaps doing a PoC for a future Rancher/NeuVector support contract? Just curious.
f
fancy-receptionist-50750
06/29/2022, 6:14 PMNo @ripe-actor-83292, the "prod" word here is maybe oversized. Basically refer to the idea that Flannel is not an option in the future for a prod environment as our network engine. We are still testing what we are going to use for Containers Workloads, and clearly Rancher/K3S/Neuvector is an option, but we still don't know for sure.
q
quiet-fountain-46593
06/29/2022, 6:18 PMI'm looking into behavior when rancher auth provider is enabled. It could be the culprit if cli is OK (I also verified cli and ui should use the same api endpoints for authentication)
h
hallowed-ocean-20951
06/29/2022, 6:28 PMCurious, if you open your browser dev tools and try to log in, do you see any console errors? Or anything interesting in the returned responses?
☝️ 1
a
agreeable-oil-87482
06/29/2022, 6:39 PMCurious, can you post your values.yaml please?
f
fancy-receptionist-50750
06/29/2022, 6:40 PM@ripe-actor-83292, I cannot access to the UI even doin a kubectl port-forward, I get a Connection Reset whe I try to access from the browser:
root@appliance-k8s-01:/home/aguida# kubectl port-forward service/neuvector-service-webui -n cattle-neuvector-system 8443:8443Forwarding from 127.0.0.1:8443 -> 8443Forwarding from [::1]:8443 -> 8443Handling connection for 8443Handling connection for 8443E0629 18:36:17.344121 2335862 portforward.go:406] an error occurred forwarding 8443 -> 8443: error forwarding port 8443 to pod 4d0d9e20c0c56b4f6a26e9e3ebc997be715f11798662f801b60f6069900dadfb, uid : failed to execute portforward in network namespace "/var/run/netns/cni-e8f9fd3b-9834-d83b-0260-a767438f30e6": read tcp4 127.0.0.1:54932->127.0.0.1:8443: read: connection reset by peerE0629 18:36:17.344927 2335862 portforward.go:234] lost connection to pod@hallowed-ocean-20951, nothing interesting, only the 401 Unauthorized answer
q
quiet-fountain-46593
06/29/2022, 6:44 PMThis is due to a bug in kubectl 1.23+ . if you have a 1.22 kubectl, it should work
f
fancy-receptionist-50750
06/29/2022, 6:47 PM@quiet-fountain-46593 I need to have Kubernetes 1.22 too, or only replacing the kubectl binary with 1.22 version should it work?
q
quiet-fountain-46593
06/29/2022, 6:47 PMjust using the different kubectl should work
they changed the behavior, and connection reset by peer triggers kubectl to halt the port forward, even though in some cases it can be normal
can you check the
- name: RANCHER_EPthis is injected by the rancher helm deploy.
f
fancy-receptionist-50750
06/29/2022, 7:10 PM@ripe-actor-83292, can't login with port-forward, with default admin/admin credentials:
r
ripe-actor-83292
06/29/2022, 7:11 PMok. check some of the other replies/suggestions here
👍 1
q
quiet-fountain-46593
06/29/2022, 7:12 PMwill try and reproduce myself with an unreachable RANCHER_EP as well, and see if the behavior is the same
👍 1
f
fancy-receptionist-50750
06/29/2022, 7:34 PM@quiet-fountain-46593, RANCHER_EP inside neuvector-controller resolve to the https://rancherFQDN, where rancherFQDN is the FQDN that I configured to access Rancher when I installed it with the Helm Chart. The resolution of that FQDN is only possible from my machine, where I added a line with "IP FQDN" to my local hosts file.
Running nslookup inside neuvector-controller, It cannot resolve the FQDN.
What I don't understand, understanding that maybe that is the problem that is not allowing me to SSO to Neuvector from Rancher, is why I cannot login to NeuVector with default admin/admin credentials doing the kubectl port-forward, but I can login to Neuvector-Controller from Neuvector-Manager pod using the CLI, with default credentials. Weird, 😑
q
quiet-fountain-46593
06/29/2022, 7:35 PMyea, this could be a poor failure
of the sso piece
or as designed
so, I can mostly reproduce. If I deploy NV via rancher. then modify RANCHER_EP to something bogus, and delete all 3 controller pods. I can then not log in via SSO or direct to UI with created users. (admin does seem to work, but likely that's because on deploy the URL was working and some magic happens for that initial user) I suspect if I install a test rancher locally with a hosts entry like you did, I would also not be working for default admin user.
I'll bring it up internally. But in the short term, if you just install the neuvector chart outside of rancher, it should work OK and you can play around.
f
fancy-receptionist-50750
06/29/2022, 7:55 PMOk @quiet-fountain-46593 , I'm going to try. Thanks all for your help.
a
adventurous-battery-36116
06/29/2022, 7:55 PMGoing all the way back to your first post - “k3s” should be your selected runtime, not containerd. And what CNI are you using if not Flannel?
f
fancy-receptionist-50750
06/29/2022, 7:56 PMI'm using Calico @adventurous-battery-36116
r
ripe-actor-83292
06/29/2022, 7:56 PMCalico. …which will present some issues with NeuVector until some time later this year
Notably that
Protectf
fancy-receptionist-50750
06/29/2022, 7:57 PMI'm selecting K3S as runtime when I install NeuVector @adventurous-battery-36116, was a mistake when I wrote that message
a
adventurous-battery-36116
06/29/2022, 7:58 PMok cool - just checking 🙂
👍 1
Is Calico eBPF in the picture at all?
f
fancy-receptionist-50750
06/29/2022, 7:59 PM@ripe-actor-83292 which is the recommended CNI to use with NeuVector, the most "compatible" one?
r
ripe-actor-83292
06/29/2022, 8:00 PMUGH! what I said was a typo; sorry. It’s Cilium that has that limitation. Calico is fine
👍 1
🎯 1
NeuVector will use eBPF if eBPF has relevant data handy. But eBPF is not effective as a network protection tool.
a
adventurous-battery-36116
06/29/2022, 8:06 PMWhat (if any) network policies are in place?
kubectl get NetworkPolicy -AAnd from personal experience, I have noticed…strange…behavior when using cgroupsv2, which is default when using Ubuntu 22.04. Any chance you can kick the tires on a 20.04 install and see if you’re hit with the same thing?
f
fancy-receptionist-50750
06/29/2022, 8:17 PMNetwork Policies @adventurous-battery-36116:
root@appliance-k8s-01:/home/aguida# kubectl get NetworkPolicy -A
NAMESPACE NAME POD-SELECTOR AGE
calico-apiserver allow-apiserver apiserver=true 13d
cattle-fleet-local-system default-allow-all <none> 13dc
clean-magazine-25026
06/29/2022, 8:29 PMif you have CLI access, run
show useris admin user listed?
If so; then scale controller to replicas=1 and enabled cpath debugging; then attempt login and look for lines with [A|a]uthen from DEBUG level.
also strange you say you can authentication with CLI as CLI auth is the same as webui auth as both are REST API against /v1/auth endpoint to the controller
f
fancy-receptionist-50750
06/29/2022, 8:32 PMHi @clean-magazine-25026. On one of my previous posts, I uploaded an image that show the admin user and a user that I created for me, aguida, from the CLI. So the authentication from the CLI os working right.