We add a new oidc parameter for kube-apiserver to integrate with openID Dex.
The parameter is --oidc-groups-prefix=oidc:
After that, kubelet can't start kube-apiserver static pod, and no obvious error reported
The issue is to ":" which is special character. It prevents kubelet to parse the parameter.
The right way is to quote it. "--oidc-groups-prefix=oidc:" See more details in this github thread
After we implemented dex +
github via link. With
example-app,we are able to get ID-token via http://127.0.0.1:5555/
With ID-token, we construct kubeconfig, but when we access k8s cluster we hit
error:
error: You must be logged in to the server (Unauthorized)
In kube api server logs, we see error:
invalid bearer token, oidc: verify token: oidc: expected audience \"123456\" got [\"example-app\"]]"
Check dex container logs
Find similar issues in github link1 link2
It turns out the client-id is not matched.
The client-id set on K8S API server (--oidc-client-id) link needs to match the client-id in example-app.
In above example, “123456” is the one I set on K8S API server, while client-id is “example-app” in the example-app which caused the problem