This message was deleted.
# kubernetes
a
This message was deleted.
m
do you want to use oidc as well as rancher for authentication or is this without rancher, just RKE? I've only set up KC as a Rancher Auth Provider, but I find your question intriguing.
l
I'm trying to use a 3rd party application that won't really work with the way rancher handles users and stuff, so it needs to point directly to the cluster. So, yes, rancher will use OIDC if people need to log in directly, but this one app would have to go around the back.
m
I have a feeling you need to set oidc as an extra authentication method in the kubelet args somewhere, not just the oidc settings
l
hmm. I'm not sure where that would be (I haven't seen anything online anywhere for it)...maybe other K8s distros don't need those options by default and rke does.
m
yes you're right, at least the k8s.io docs don't mention anything other than the params you provided
but it might conflict with the rancher authentication? 🤷‍♂️
l
I wouldn't be surprised about anything.
m
try it with an rke cluster that isn't provisioned via rancher
l
I think that was one of my next things to try.
By any chance have you connected directly to the rancher api (through kubectl) using the oidc token rather than a Rancher token?
m
I haven't done that, as I mentioned we only use oidc / keycloak as the login auth provider.
l
Ok. I was just looking at this vague documentation page: https://ranchermanager.docs.rancher.com/v2.7/reference-guides/cli-with-rancher/kubectl-utility ... but I think I'd still need to make a user API token, which defeats the purpose
m
yes, I know what you mean
it only means that you can refresh your rancher token with the `kubectl` cli instead of the webui
c
Have you by any chance figured this out? I'm in the same situation and pretty much have the exact same symptoms as you do. The kube apiserver isn't providing any useful logs and I just get the 'must be logged in' message.