Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth token invalid after first use #461

Open
hood opened this issue Sep 27, 2024 · 1 comment
Open

Auth token invalid after first use #461

hood opened this issue Sep 27, 2024 · 1 comment

Comments

@hood
Copy link

hood commented Sep 27, 2024
edited
Loading

Hi, I’m deploying skooner in a k3s cluster in with the following configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: skooner
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: skooner
      app: skooner
  template:
    metadata:
      labels:
        k8s-app: skooner
        app: skooner
    spec:
      containers:
      - name: skooner
        image: ghcr.io/skooner-k8s/skooner:stable
        ports:
        - containerPort: 4654
        livenessProbe:
          httpGet:
            scheme: HTTP
            path: /
            port: 4654
          initialDelaySeconds: 30
          timeoutSeconds: 30
      nodeSelector:
        'kubernetes.io/os': linux

---

apiVersion: v1
kind: Service
metadata:
  name: skooner
  namespace: kube-system
spec:
  ports:
    - port: 80
      targetPort: 4654
  selector:
    k8s-app: skooner
    app: skooner

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: skooner-ingress
  namespace: kube-system
spec:
  rules:
    - host: skooner.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: skooner
                port:
                  number: 80

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: skooner-sa
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: skooner-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: skooner-sa
  namespace: kube-system

and then generating credentials the following way:

kubectl create token skooner-sa

The problem is that the token that gets generated is valid the first time I enter it in the login page, but then after the first use I get a 401 Api request error: - Unauthorized response blocking my access.

Another interesting thing is that I suspect that an error banner is supposed to appear, but it only flashes for a few milliseconds before disappearing.

Logs for a failed attempt look like the following:

2024-09-27T18:47:22.593Z GET / 200                                                                                                                       │
2024-09-27T18:47:32.617Z GET / 200                                                                                                                       │
2024-09-27T18:47:42.593Z GET / 200                                                                                                                       │
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443                                                                │
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443                                                                │
2024-09-27T18:47:50.346Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401                                                                  │
2024-09-27T18:47:50.347Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401                                                                  │
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443                                                                │
2024-09-27T18:47:50.415Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401                                                                  │
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443                                                                │
2024-09-27T18:47:50.426Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401                                                                  │
2024-09-27T18:47:50.432Z GET / 304
@kkashyap1707
Copy link

kkashyap1707 commented Oct 10, 2024
edited
Loading

I am facing the same issue. any update?

2024-10-10T08:22:29.719Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kkashyap1707 @hood