I'm trying to use rancher-capsule addon and capsule proxy together.
For local users in Rancher everything goes fine, I can get the list of namespaces from the tenant etc.,
but in the case of using an ActiveDirectory user
I have an error in the logs and
kubectl get ns
error: converting (v1.Status) to (v1.APIVersions): unknown conversion
Looks like groups with commas in their name are being split:
cannot impersonate the group activedirectory_group://CN=vault_mas_ro
because the real group name looks like
activedirectory_group://CN=vault_mas_ro,OU=Vault,OU=Test,DC=OFFICE,DC=CORP,DC=LOC
How to reproduce
Use rancher-capsule addon and capsule proxy together,
try to auth over OIDC in Rancher (like ActiveDirectory)
try to get namespace list
Expected behavior
Namespace list should be shown
Impersonation in log should be ok, like
{"level":"Level(-4)","ts":"2023-06-21T15:22:30.906Z","logger":"proxy","msg":"impersonating for the current request","username":"u-2pvg6","groups":["system:serviceaccounts","system:serviceaccounts:cattle-system","system:authenticated"],"uri":"/apis/rke.cattle.io/v1"}
Logs
{"level":"Level(-4)","ts":"2023-06-21T15:14:37.105Z","logger":"proxy","msg":"allowed url path.","url path":"/api"}
2023/06/21 15:14:37 cannot retrieve user and group: the current user system:serviceaccount:cattle-system:pod-impersonation-shell-m7wmv cannot impersonate the group activedirectory_group://CN=vault_mas_ro
Additional context
Capsule-Proxy version: (0.4.4)
Capsule rancher addon version: 0.1.1
Helm Chart version: (0/4.9)
Kubernetes version: (1.24.13)
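The failure mode described in this report, as an added Go example that is not capsule-proxy's or Rancher's code: splitting an `Impersonate-Group` header value on commas truncates an Active Directory distinguished name to its first component, while reading each header value whole preserves it. The function names and the sample header are constructed, and whether capsule-proxy actually parses the header this way is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

const groupHeader = "Impersonate-Group"

// Constructed sample: the AD group DN from the report, plus a built-in group.
var sampleGroups = []string{
	"activedirectory_group://CN=vault_mas_ro,OU=Vault,OU=Test,DC=OFFICE,DC=CORP,DC=LOC",
	"system:authenticated",
}

// buildRequestHeader sends one Impersonate-Group header per group, which is
// how the Kubernetes impersonation API carries multiple groups.
func buildRequestHeader(groups []string) http.Header {
	h := http.Header{}
	for _, g := range groups {
		h.Add(groupHeader, g)
	}
	return h
}

// groupsSplitOnComma is the hypothetical faulty pattern: treating the header
// as a comma-separated list cuts a distinguished name into its RDNs.
func groupsSplitOnComma(h http.Header) []string {
	var out []string
	for _, v := range h.Values(groupHeader) {
		for _, part := range strings.Split(v, ",") {
			out = append(out, strings.TrimSpace(part))
		}
	}
	return out
}

// groupsPerHeaderValue keeps every header value intact as one group name.
func groupsPerHeaderValue(h http.Header) []string {
	return append([]string(nil), h.Values(groupHeader)...)
}

func main() {
	h := buildRequestHeader(sampleGroups)
	fmt.Printf("split on comma: %q\n", groupsSplitOnComma(h))
	fmt.Printf("per value:      %q\n", groupsPerHeaderValue(h))
}
```

The first element returned by the comma-splitting variant is exactly the truncated group name that appears in the "cannot impersonate the group" log line above.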