"Unable to authenticate the request" err="invalid bearer token"

Stack Overflow user
Asked 2022-01-03 15:08:18
1 answer, 2K views, 0 followers, score 2

I am trying to get my Kubernetes dashboard to authenticate using the Keycloak identity provider, but I am getting an invalid bearer token. Here are the details.

For Keycloak I have set up a client 'gatekeeper' and a user 'alice' who is part of the group 'developers'. I have also mapped the user attribute 'name' and the group membership attribute 'groups'. I can test the setup successfully with the kubectl command line utility, but I cannot get it to work through the dashboard.

When I access dashboard.localdev.me:8081/ I am able to authenticate with Keycloak and the Kubernetes dashboard loads, but I get an Unauthorized notification and cannot list my resources in the dashboard, even though I have given user 'alice' the required level of permissions using RBAC.

Kubernetes cluster

NAME         STATUS   ROLES                  AGE   VERSION   INTERNAL-IP       EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
kubemaster   Ready    control-plane,master   11d   v1.23.1   192.168.122.54    <none>        Ubuntu 20.04.3 LTS   5.11.0-43-generic   docker://20.10.12
kubenode     Ready    <none>                 11d   v1.23.1   192.168.122.198   <none>        Ubuntu 20.04.3 LTS   5.11.0-43-generic   docker://20.10.12

Ingress controller -

https://kubernetes.github.io/ingress-nginx/

API server configuration for the Keycloak IDP

...
    - --oidc-issuer-url=https://kubemaster:8443/auth/realms/local
    - --oidc-client-id=gatekeeper
    - --oidc-username-claim=name
    - --oidc-groups-claim=groups
    - --oidc-ca-file=/etc/kubernetes/ssl/kubemaster.crt
...

Keycloak docker server

version: '3.8'
services:

  keycloak:
    #image: rsk-internal-docker.dkrreg.mmih.biz/risk-keycloak:15.0.1-1
    image: quay.io/keycloak/keycloak:16.1.0
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      PROXY_ADDRESS_FORWARDING: "true"
    ports:
      - "8080:8080"
      - "8443:8443"
    volumes:
    - "$PWD/tls.key:/etc/x509/https/tls.key"
    - "$PWD/tls.crt:/etc/x509/https/tls.crt"
    - "$PWD/keycloak-latest-db:/opt/jboss/keycloak/standalone/data"

Kubernetes dashboard - the recommended.yaml definition file from the Kubernetes documentation.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml

Gatekeeper OAuth proxy

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: gatekeeper-proxy
  name: gatekeeper-proxy
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: gatekeeper-proxy
  template:
    metadata:
      labels:
        k8s-app: gatekeeper-proxy
    spec:
      containers:
      - command:
        - /opt/keycloak-gatekeeper
        - --discovery-url=https://192.168.122.54:8443/auth/realms/local
        - --client-id=gatekeeper
        - --client-secret=jZzvJ0wCDDwltV3tAf0SXSbVoKXM1RqV
        - --listen=0.0.0.0:3000
        - --encryption-key=vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa
        - --redirection-url=https://kubernetes-dashboard.localdev.me:8081/
        - --enable-refresh-tokens=true
        - --upstream-url=https://kubernetes-dashboard
        - --skip-openid-provider-tls-verify=true
        - --secure-cookie=false
        image: keycloak/keycloak-gatekeeper:latest
        #image: carlosedp/keycloak-gatekeeper:latest
        imagePullPolicy: Always
        name: gatekeeper-proxy
        ports:
        - containerPort: 3000
          protocol: TCP
          name: http
---

apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: gatekeeper-proxy
  name: gatekeeper-proxy
  namespace: kubernetes-dashboard
spec:
  ports:
  - name: http
    port: 3000
    protocol: TCP
    targetPort: 3000
  selector:
    k8s-app: gatekeeper-proxy

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    #nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    #nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    #kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
    #cert-manager.io/cluster-issuer: ca-issuer
  name: gatekeeper-proxy
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  rules:
  - host: kubernetes-dashboard.localdev.me
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gatekeeper-proxy
            port:
              number: 3000
  tls:
  - hosts:
    - kubernetes-dashboard.localdev.me
    secretName: kubernetes-dashboard-ingress-tls

Gatekeeper proxy logs - showing the token being generated and injected

1.641220737766937e+09   info    starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "7.0.0 (git+sha: f66e137, built: 03-09-2019)"}
1.6412207377670407e+09  info    attempting to retrieve configuration discovery url  {"url": "https://192.168.122.54:8443/auth/realms/local", "timeout": "30s"}
1.6412207377766109e+09  info    successfully retrieved openid configuration from the discovery
1.641220737778449e+09   info    enabled reverse proxy mode, upstream url    {"url": "https://kubernetes-dashboard"}
1.6412207377785714e+09  info    using session cookies only for access and refresh tokens
1.6412207377785907e+09  info    adding a default denial into the protected resources
1.641220737778598e+09   info    protecting resource {"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
1.6412207377788239e+09  info    keycloak proxy service starting {"interface": "0.0.0.0:3000"}
1.6412207747293563e+09  info    accces token for user has expired, attemping to refresh the token   {"client_ip": "192.168.1.107:42948", "email": "alice@stack.com"}
1.6412207747479768e+09  info    injecting the refreshed access token cookie {"client_ip": "192.168.1.107:42948", "cookie_name": "kc-access", "email": "alice@stack.com", "refresh_expires_in": 1800, "expires_in": 299.252029216}

API server logs -

E0103 14:43:23.960726       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"
E0103 14:43:23.961244       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"
E0103 14:43:23.962304       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"
E0103 14:43:23.991455       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"
E0103 14:43:23.991526       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"
E0103 14:43:23.991602       1 authentication.go:63] "Unable to authenticate the request" err="invalid bearer token"

ClusterRole and ClusterRoleBinding

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["namespaces","pods"]
    verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer-role
subjects:
- kind: Group
  name: "developers"

Please suggest if I am missing something here, or if there are any compatibility issues with the versions of the Kubernetes cluster, Keycloak server and Gatekeeper proxy server that I am currently using. If so, I can do more troubleshooting in that direction. Please advise.

Thanks, Sudhir
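Added diagnostic, not part of the original question or answer. The apiserver logs `invalid bearer token` when the bearer token satisfies none of its authenticators, and the line does not say which OIDC claim check failed. The script below (written for this page, not code from the poster or from any of the projects involved) decodes a JWT without verifying its signature and compares its claims against the `--oidc-*` flags quoted above: `iss` must equal `--oidc-issuer-url` exactly, `aud` must contain `--oidc-client-id` (`azp` is not a substitute), the `name` and `groups` claims must be present, and `exp` must be in the future. Two things in the question are worth running it against: kubectl's OIDC flow presents the id_token, while a reverse proxy forwards the access token, and a Keycloak access token does not carry the client id in `aud` unless an audience mapper adds it; and the proxy discovers the realm at https://192.168.122.54:8443/... while the apiserver expects the issuer https://kubemaster:8443/..., so whatever Keycloak stamps into `iss` must match the latter. The two tokens in the script are constructed, unsigned samples that exercise both outcomes; to inspect a real token, pass it to `check_token`.

```python
"""Offline claim check for a bearer token against the kube-apiserver --oidc-* flags.

Added example, not code from the original question. The two tokens at the
bottom are constructed samples; signature verification is intentionally not
done here (that is the apiserver's job), so this only explains claim-level
rejections.
"""
import base64
import json
import time
from typing import List, Optional

# Copied from the apiserver flags quoted in the question.
OIDC_ISSUER_URL = "https://kubemaster:8443/auth/realms/local"
OIDC_CLIENT_ID = "gatekeeper"
OIDC_USERNAME_CLAIM = "name"
OIDC_GROUPS_CLAIM = "groups"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons the apiserver OIDC authenticator would reject the
    token; an empty list means every claim-level check passed."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []

    # 1. iss must equal --oidc-issuer-url byte for byte (scheme, host, port, path).
    if claims.get("iss") != OIDC_ISSUER_URL:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {OIDC_ISSUER_URL!r}")

    # 2. aud (string or list) must contain --oidc-client-id; azp is not a substitute.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if OIDC_CLIENT_ID not in aud:
        problems.append(f"aud {aud!r} does not contain --oidc-client-id {OIDC_CLIENT_ID!r}")

    # 3. The username claim must exist and be non-empty.
    if not claims.get(OIDC_USERNAME_CLAIM):
        problems.append(f"missing or empty username claim {OIDC_USERNAME_CLAIM!r}")

    # 4. The groups claim must be a string or a list of strings
    #    (Keycloak's group membership mapper emits a list).
    groups = claims.get(OIDC_GROUPS_CLAIM)
    groups = [groups] if isinstance(groups, str) else groups
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        problems.append(f"groups claim {OIDC_GROUPS_CLAIM!r} is not a list of strings: {groups!r}")

    # 5. exp must be present and in the future.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"token expired or has no exp (exp={exp!r})")

    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token as a claim container for offline testing only;
    a real apiserver never accepts alg=none."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed samples (not real tokens). GOOD_CLAIMS is what an id_token for
# client 'gatekeeper', user alice in group developers, should carry.
# BAD_CLAIMS mimics a token whose iss was derived from the IP-based URL the
# proxy used for discovery and whose aud lacks the client id (azp alone is
# not enough for the apiserver).
FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z
GOOD_CLAIMS = {"iss": OIDC_ISSUER_URL, "aud": ["gatekeeper"],
               "name": "alice", "groups": ["developers"], "exp": FAR_FUTURE}
BAD_CLAIMS = {"iss": "https://192.168.122.54:8443/auth/realms/local",
              "aud": ["account"], "azp": "gatekeeper",
              "name": "alice", "groups": ["developers"], "exp": FAR_FUTURE}

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        print(label, check_token(make_unsigned_token(claims)) or "all claim checks passed")
```

Run it as-is to see the good sample pass and the bad sample fail on `iss` and `aud`; then feed it the token your proxy actually hands the dashboard. A token that passes every check here but is still rejected points at signature or JWKS problems (for example the `--oidc-ca-file` not matching the certificate served on port 8443) rather than at claims.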

1 Answer

Stack Overflow user

Posted 2022-01-14 05:11:05

The image 'keycloak/keycloak-gatekeeper:latest' is no longer supported, and following the recommendation from Keycloak Gatekeeper I opted for oauth2-proxy as the implementation.

Here are the solution details for Kubernetes authentication using oauth2-proxy with Keycloak OIDC, resolved by myself: Unable to load kubernetes dashboard after oauth2 success.

Score 0

Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT domain engine.
Original link:

https://stackoverflow.com/questions/70567723
