
loud-daybreak-83328

01/26/2023, 6:36 PM
Hi. Has anyone successfully gotten RKE to use OIDC (Keycloak) as an authentication provider? This is separate from the Rancher front-end, just the cluster itself. I have this config set in the kube-api extra_args section:
    oidc-client-id: myclient.example.org
    oidc-groups-claim: groups
    oidc-issuer-url: https://keycloak.example.org/realms/test
    oidc-username-claim: preferred_username
When I get a token and try to use it to authenticate (just did a kubectl --token=XXXXXXXXXX get nodes), I get a message: error: You must be logged in to the server (the server has asked for the client to provide credentials) and the kube-api server just logs this:
time="2023-01-26T18:31:29Z" level=info msg="Processing v1Authenticate request..."
time="2023-01-26T18:31:29Z" level=error msg="found 1 parts of token"
has anyone done this?

microscopic-diamond-94749

01/26/2023, 6:46 PM
do you want to use oidc as well as rancher for authentication or is this without rancher, just RKE? I've only set up KC as a Rancher Auth Provider, but I find your question intriguing.

loud-daybreak-83328

01/26/2023, 6:48 PM
I'm trying to use a 3rd party application that won't really work with the way rancher handles users and stuff, so it needs to point directly to the cluster. So, yes, rancher will use OIDC if people need to log in directly, but this one app would have to go around the back.

microscopic-diamond-94749

01/26/2023, 6:54 PM
I have a feeling you need to set oidc as an extra authentication method in the kubelet args somewhere, not just the oidc settings

loud-daybreak-83328

01/26/2023, 6:57 PM
hmm. I'm not sure where that would be (I haven't seen anything online anywhere for it)...maybe other K8s distros don't need those options by default and rke does.

microscopic-diamond-94749

01/26/2023, 6:59 PM
yes you're right, at least the k8s.io docs don't mention anything other than the params you provided
but it might conflict with the rancher authentication? 🤷‍♂️

loud-daybreak-83328

01/26/2023, 6:59 PM
I wouldn't be surprised about anything.

microscopic-diamond-94749

01/26/2023, 7:00 PM
try it with an rke cluster that isn't provisioned via rancher

loud-daybreak-83328

01/26/2023, 7:01 PM
I think that was one of my next things to try.

microscopic-diamond-94749

01/26/2023, 7:01 PM

loud-daybreak-83328

01/27/2023, 11:33 AM
By any chance have you connected directly to the rancher api (through kubectl) using the oidc token rather than a Rancher token?

microscopic-diamond-94749

01/27/2023, 11:36 AM
I haven't done that, as I mentioned we only use oidc / keycloak as the login auth provider.

loud-daybreak-83328

01/27/2023, 11:38 AM
Ok. I was just looking at this vague documentation page: https://ranchermanager.docs.rancher.com/v2.7/reference-guides/cli-with-rancher/kubectl-utility ...but I think I'd still need to make a user API token, which defeats the purpose

microscopic-diamond-94749

01/27/2023, 11:43 AM
yes, I know what you mean
it only means that you can refresh your rancher token with the kubectl cli instead of the webui