Hi Has anyone successfully gotten RKE to use OIDC Keycloak a rancher-users #kubernetes

Title

loud-daybreak-83328

01/26/2023, 6:36 PM

Hi. Has anyone successfully gotten RKE to use OIDC (Keycloak) as an authentication provider? This is separate from the Rancher front-end, just the cluster itself. I have this config set in the kube-api extra_args section:

Copy code

oidc-client-id: <http://myclient.example.org|myclient.example.org>
          oidc-groups-claim: groups
          oidc-issuer-url: <https://keycloak.example.org/realms/test>
          oidc-username-claim: preferred_username

When I get a token and try to use it to authenticate (just did a kubectl --token=XXXXXXXXXX get nodes, I get a message: error: You must be logged in to the server (the server has asked for the client to provide credentials) and the kube-api server just logs this:

Copy code

time="2023-01-26T18:31:29Z" level=info msg="Processing v1Authenticate request..."
time="2023-01-26T18:31:29Z" level=error msg="found 1 parts of token"

has anyone done this?

microscopic-diamond-94749

01/26/2023, 6:46 PM

do you want to use oidc as well as rancher for authentication or is this without rancher, just RKE? I've only set up KC as a Rancher Auth Provider, but I find your question intruiging.

loud-daybreak-83328

01/26/2023, 6:48 PM

I'm trying to use a 3rd party application that won't really work with the way rancher handles users and stuff, so it needs to point directly to the cluster. So, yes, rancher will use OIDC if people need to log into directly, but this one app would have to go around the back

microscopic-diamond-94749

01/26/2023, 6:54 PM

I have a feeling you need to set oidc as an extra authentication method in the kubelet args somewhere, not just the oidc settings

loud-daybreak-83328

01/26/2023, 6:57 PM

hmm. I'm not sure where that would be (I haven't seen anything online anywhere for it)...maybe other K8s distros don't need those options by default and rke does.

microscopic-diamond-94749

01/26/2023, 6:59 PM

yes you're right, at least the k8s.io docs don't mention anything other than the params you provided

but it might conflict with the rancher authentication? 🤷‍♂️

loud-daybreak-83328

01/26/2023, 6:59 PM

I wouldn't be surprised about anything.

microscopic-diamond-94749

01/26/2023, 7:00 PM

try it with an rke cluster that isn't provisioned via rancher

loud-daybreak-83328

01/26/2023, 7:01 PM

I think that was one of my next things to try,

microscopic-diamond-94749

01/26/2023, 7:01 PM

this is what I had in mind before though https://rancher.com/docs/rke/latest/en/config-options/authentication/

loud-daybreak-83328

01/27/2023, 11:33 AM

By any chance have you connected directly to the rancher api (through kubectl) using the oidc token rather than a Rancher token?

microscopic-diamond-94749

01/27/2023, 11:36 AM

I haven't done that, as I mentioned we only use oidc / keycloak as the login auth provider.

loud-daybreak-83328

01/27/2023, 11:38 AM

Ok. I was just looking at this vague documentation page: https://ranchermanager.docs.rancher.com/v2.7/reference-guides/cli-with-rancher/kubectl-utility....but I think I'd still need to make a user API token, which defeats the purpose

microscopic-diamond-94749

01/27/2023, 11:43 AM

yes, I know what you mean

it only means that you can refresh your rancher token with the

kubectl

cli instead of the webui

127 Views