Improved message when not authorised to list namespaces #71
Comments
You should be able to use Kubebox just for the namespaces you're granted access to. What error do you face? |
The login fails with "Authentication failed" and I'm being asked for a username and a password. The cluster runs in AWS and I have the AWS credentials set. Because of that I don't really have a username or password to set. Kubectl can be executed perfectly fine. |
AWS EKS is supposed to be working :( There have been some issues that may provide some context: #32 #60. What version of Kubebox do you use? Could you provide the content of your kubeconfig file? In the meantime, you can run:
To get a token to authenticate with Kubebox. |
Of course :) that's the content of the kubeconfig. I hope it's ok, that I replaced personal information with placeholders. But I didn't change the structure of the content.
I'm using kubebox v0.6.1. How can I replace the token in the login screen? I'm too stupid right now sry |
Thanks for the details. Nothing obvious so we'll have to try reproducing. There is a token field in the login window, below the username and password fields. You can paste the token retrieved from AWS CLI. |
@vgibilmanno perhaps some useful info would be to run the command locally yourself:
|
@johnpoth I get the following
|
@johnpoth could it be that the |
Hi @astefanutti so the expired is always set to now:
So the token is always refreshed even if it's still valid on the first run. Therefore I think the problem lies elsewhere but I may be wrong... @vgibilmanno have you tried pasting the TOKEN you got from running the command into the kubebox login screen ? This should help narrow things down a bit... thanks |
@johnpoth I can't paste the token in the login screen. The paste command is not working and I would have to type in the whole token manually. I'm using alpine linux v3.10 in case that's relevant. |
@astefanutti I hadn't thought about that... judging from the feedback #60 I'm thinking it might be something different ? It may be interesting for @vgibilmanno to use the Token directly and see if Kubebox can connect to the cluster ? |
@vgibilmanno could you update your kubeconfig manually and add a
Then run Kubebox? The token should be picked-up by Kubebox. |
@astefanutti Doesn't work. The token displayed in the login screen is not the same as I entered in the kubeconfig. My config file is located under /root/.kube/config |
@vgibilmanno the token may just be truncated in the UI. Have you changed the |
@vgibilmanno Can you also just try a second time connecting, by just pressing enter when the login widget displays with the error message? |
@astefanutti I tried, but it doesn't work. I'm getting the "authentication failed" message. The token doesn't seem to be the one I define in the kubeconfig. I looked for some substring (last 5 characters) but it doesn't match |
@vgibilmanno thanks for the feedback. Would you mind checking you have only one context defined in your kubeconfig file? |
@astefanutti There is only one context defined. It's exactly like the one I posted before with the addition that there is a token value inside the user field. |
@vgibilmanno thanks. May I ask, is there a token filled in the login widget when using the original kubeconfig, before adding the token manually to it? Finally could you double check the cluster URL displayed in the login widget is the correct one? |
@astefanutti When I use the original kubeconfig, there is a token filled in the login widget. The cluster URL displayed in the login widget is correct. |
@vgibilmanno thanks again. Just one last test if you don't mind (sorry). Could you re-try the same test of adding the token manually to your kubeconfig file AND removing the whole |
@astefanutti Now the correct token is displayed, but the authentication fails. I tried pressing enter/log-in multiple times in series |
OK thanks a lot! So there is a request Kubebox does and that's not authorised for your user. Let me check and come back to you. Thanks again! |
@vgibilmanno if you could try executing the following commands and provide the results:
$ curl -k -v -H "Authorization: Bearer <TOKEN>" https://OMITTED.amazonaws.com/
$ curl -k -v -H "Authorization: Bearer <TOKEN>" https://OMITTED.amazonaws.com/api
$ curl -k -v -H "Authorization: Bearer <TOKEN>" https://OMITTED.amazonaws.com/api/v1/namespaces |
@astefanutti All 3 requests fail with the following message
|
@vgibilmanno thanks, just to be sure, could you try with a fresh token that you've just retrieved with |
@johnpoth I see the |
401 means that the provided token cannot be authenticated to a known identity. It's like the token used is not correct. Maybe there is an encoding issue when Kubebox reads from |
@vgibilmanno by any chance, would you be able to clone this repository and run Kubebox from source? |
@astefanutti Yes I'm able to 👍 |
@vgibilmanno awesome! You'll need Node.js installed, so if you can:
Thanks again! |
@astefanutti I get the following in the response.json
|
@vgibilmanno thanks. Could you try running:
by taking |
@astefanutti When I enter the cluster name in I get the following:
When I enter the cluster address in I get the following:
|
@vgibilmanno could you try:
and provide the output of:
I suspect there are some environment variables that come into the play. |
@astefanutti So the command again fails with:
And have the following entries in env:
|
Damn, would you mind now trying:
(if you don't have |
@astefanutti |
@vgibilmanno could you check any difference between the token from |
@astefanutti The tokens are different. The first 190 characters are identical. The next some thousand characters are different. |
I don't understand why it does not work when a token generated with AWS CLI, that verifies correctly, is copied into the kubeconfig file and used by Kubebox. And why a token generated within Kubebox does not verify! I've stumbled upon kubernetes-sigs/aws-iam-authenticator#157. I'm not sure if that applies to that issue to some extent. |
@vgibilmanno could you try:
|
@astefanutti This one worked!
|
@vgibilmanno, good, what about:
|
@astefanutti Only the 2. command worked. The other fails with status code 403 Forbidden. The 2. command has the following response body:
I tried the following command and it worked too returning a huge json object:
|
@vgibilmanno thanks a lot. Can you confirm the following command returns 403:
|
@astefanutti Yes
|
OK so I think we've nailed down the root cause of this issue. Your user account is not granted permission to list namespaces. As a work-around, could you update your kubeconfig file and add the namespace you have access to, e.g.:
Then run Kubebox. |
@astefanutti ok yes now it works. But it seems like I don't have permissions to see the resources usage metrics. I can execute kubectl top pod though. Well... better than nothing :) I hope I didn't waste too much of your time. |
@vgibilmanno great! Thanks for the feedback. Resource usage metrics require extra permissions to proxy nodes. Thanks a lot for your collaboration on this. I think we can leave that issue open so that we improve the error message when the user is granted permission to list the namespaces and no namespace is provided. |
I'm 99% sure this issue will cover this but I get an ugly error when I try and list namespaces. I only have access to a single namespace, and it works fine otherwise, but if I hit N to list namespaces this comes up. I understand why it won't let me, but catching the error with a better message would be cool. |
@bradamson thanks a lot for the feedback. I agree with your suggestion to catch the error and display a proper message in the namespaces list box, instead of dumping the stack trace. |
I can't use kubebox when I only have access to a namespace in a cluster. It would be awesome if I could use kubebox just for the namespace I have access to, ignoring everything outside the namespace.
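
Added example, not part of the thread and not Kubebox's own code: one way a client could separate the 401 case (token not accepted) from the 403 case diagnosed above (authenticated, but not allowed to list namespaces) and fall back to the namespace set on the kubeconfig context. The function name, return shape, sample Status body and the namespace `team-a` are assumptions made for illustration.

```javascript
// Added example; function and field names are hypothetical, not Kubebox's API.
// Constructed sample of the Status object an API server returns when RBAC
// denies "list namespaces" (user name "dev" is a placeholder).
const SAMPLE_FORBIDDEN = {
  kind: 'Status', apiVersion: 'v1', status: 'Failure', reason: 'Forbidden', code: 403,
  message: 'namespaces is forbidden: User "dev" cannot list resource ' +
    '"namespaces" in API group "" at the cluster scope',
};

// Classify the response to GET /api/v1/namespaces.
// response: { status: <HTTP code>, body: <parsed JSON or null> }
// contextNamespace: "namespace" of the current kubeconfig context, if any.
function resolveNamespaces(response, contextNamespace) {
  const { status, body } = response;
  if (status >= 200 && status < 300) {
    const names = ((body && body.items) || []).map((ns) => ns.metadata.name);
    return { action: 'proceed', namespaces: names, message: null };
  }
  if (status === 401) {
    // Authentication: the token did not map to a known identity.
    return { action: 'login', namespaces: [],
      message: 'Authentication failed (401): the token was not accepted.' };
  }
  if (status === 403) {
    // Authorisation: the identity is known but may not list namespaces.
    const detail = body && body.message ? ` (${body.message})` : '';
    if (contextNamespace) {
      return { action: 'proceed', namespaces: [contextNamespace],
        message: `Not authorised to list namespaces${detail}; ` +
          `using namespace "${contextNamespace}" from the kubeconfig context.` };
    }
    return { action: 'configure', namespaces: [],
      message: `Not authorised to list namespaces${detail}. Set "namespace" ` +
        'on the current kubeconfig context to a namespace you can access.' };
  }
  return { action: 'error', namespaces: [],
    message: `Unexpected response ${status} while listing namespaces.` };
}

// Usage with the constructed 403 body and a constructed namespace name.
console.log(resolveNamespaces({ status: 403, body: SAMPLE_FORBIDDEN }, 'team-a'));
console.log(resolveNamespaces({ status: 403, body: SAMPLE_FORBIDDEN }, undefined));
console.log(resolveNamespaces({ status: 401, body: null }, 'team-a'));
```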