Cannot impersonate user with active_directory group from rancher #305

Closed
msergg opened this issue Jun 21, 2023 · 0 comments · Fixed by #306
msergg commented Jun 21, 2023

Bug description

I'm trying to use the rancher-capsule addon and capsule proxy together.
For local users in rancher everything goes fine; I can get the list of namespaces from the tenant, etc.

But when using an ActiveDirectory user,
I get an error in the logs and

kubectl get ns
error: converting (v1.Status) to (v1.APIVersions): unknown conversion

It looks like groups with commas in their names are being split:
cannot impersonate the group activedirectory_group://CN=vault_mas_ro

because the real group name looks like
activedirectory_group://CN=vault_mas_ro,OU=Vault,OU=Test,DC=OFFICE,DC=CORP,DC=LOC

How to reproduce

Use the rancher-capsule addon and capsule proxy together,
try to auth over OIDC in rancher (like activedirectory),
try to get the namespace list

Expected behavior

The namespace list should be shown.
Impersonation in the log should be OK, like

{"level":"Level(-4)","ts":"2023-06-21T15:22:30.906Z","logger":"proxy","msg":"impersonating for the current request","username":"u-2pvg6","groups":["system:serviceaccounts","system:serviceaccounts:cattle-system","system:authenticated"],"uri":"/apis/rke.cattle.io/v1"}

Logs

{"level":"Level(-4)","ts":"2023-06-21T15:14:37.105Z","logger":"proxy","msg":"allowed url path.","url path":"/api"}
2023/06/21 15:14:37 cannot retrieve user and group: the current user system:serviceaccount:cattle-system:pod-impersonation-shell-m7wmv cannot impersonate the group activedirectory_group://CN=vault_mas_ro

Additional context

  • Capsule-Proxy version: (0.4.4)
  • Capsule rancher addon version: 0.1.1
  • Helm Chart version: (0/4.9)
  • Kubernetes version: (1.24.13)
@msergg msergg added the bug Something isn't working label Jun 21, 2023
@prometherion prometherion self-assigned this Jun 21, 2023
@prometherion prometherion added this to the v0.4.5 milestone Sep 29, 2023
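
The symptom reported above, reproduced as an added example (not part of the original issue and not capsule-proxy's code): it assumes the groups reach the proxy as repeated `Impersonate-Group` headers, the Kubernetes impersonation convention, and the function names and header set are constructed for illustration. Splitting a value on commas cuts an LDAP distinguished name into its components, which yields exactly the truncated group from the log; treating each header value as one opaque string preserves it.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Kubernetes impersonation sends one Impersonate-Group header per group.
const groupHeader = "Impersonate-Group"

// sampleHeader builds a constructed header set using the group name
// quoted in the issue (hypothetical helper, for illustration only).
func sampleHeader() http.Header {
	h := http.Header{}
	h.Add(groupHeader, "system:authenticated")
	h.Add(groupHeader, "activedirectory_group://CN=vault_mas_ro,OU=Vault,OU=Test,DC=OFFICE,DC=CORP,DC=LOC")
	return h
}

// groupsSplitOnComma shows the failure mode: treating "," as a list
// separator breaks a distinguished name into separate "groups", so the
// impersonation check runs against names that were never sent.
func groupsSplitOnComma(h http.Header) []string {
	var out []string
	for _, v := range h.Values(groupHeader) {
		out = append(out, strings.Split(v, ",")...)
	}
	return out
}

// groupsPerHeaderValue keeps every header value as one opaque group
// name, which is what an exact-match authorization check needs.
func groupsPerHeaderValue(h http.Header) []string {
	return append([]string(nil), h.Values(groupHeader)...)
}

func main() {
	h := sampleHeader()
	fmt.Printf("split on comma:   %q\n", groupsSplitOnComma(h))
	fmt.Printf("per header value: %q\n", groupsPerHeaderValue(h))
}
```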