
wgldk (wgldk) asked a question.
Hello Community,
I'm facing some issues with Okta OIDC authentication for an Anthos cluster on AWS (Kubernetes cluster). We have an enterprise customer who wants to authenticate to the Kubernetes cluster using Okta groups. We are able to authenticate with Kubernetes using an Okta user, but when we try to authenticate with an Okta group it throws the following error (mentioned below).
Could you please help me with the configuration for the same?
OIDC configuration:
oidc:
- clientID: 111122223333444
  clientSecret: 111122223333444
  extraParams: prompt=consent,resource=token-groups-claim
  issuerURI: https://example.okta.com
  kubectlRedirectURI: http://localhost:2000/callback
  scopes: email profile openid offline_access groups
  userClaim: "email"
  groupsClaim: "groups"
Kubernetes ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: okta-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: sample
Error which I am facing:
Error from server (Forbidden): pods is forbidden: User "abc@example.com" cannot list resource "pods" in API group "" in the namespace "default"
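The Forbidden error above is what the API server returns when the ID token it validated did not carry a group that any ClusterRoleBinding names, so a useful first check is to look at the claims actually present in the token and compare them with the binding's subjects. The script below is an added diagnostic example, not code from the original post or from Okta or Anthos; it builds a constructed, unsigned sample token shaped like the configuration in the question (the `SAMPLE_CLAIMS` values are made up), decodes the payload without verifying the signature (the API server does that, this script only inspects claims), and reports whether the configured `groupsClaim` is present and whether any of its values match the `Group` subjects of the binding. The `groups_prefix` parameter is a hypothetical knob standing in for any prefix a cluster may prepend to OIDC group names; it is not a field from the question's configuration.

```python
import base64
import json

# Constructed sample payload modelled on the question's setup. Not a real token;
# there is no signature and the subject/email values are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://example.okta.com",
    "sub": "00u-placeholder",
    "email": "abc@example.com",
    "groups": ["Everyone", "sample"],
}


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT from claims so the example runs offline.
    Only used to construct test input; never accept such tokens in production."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Suitable for inspecting what the issuer put in the token; signature, issuer
    and audience validation remain the job of the kube-apiserver / auth plugin."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_group_binding(token: str, groups_claim: str, user_claim: str,
                           binding_groups: list, groups_prefix: str = "") -> dict:
    """Compare the token's group claim against the Group subjects of an RBAC binding.

    groups_prefix is a hypothetical prefix some clusters prepend to OIDC group
    names before RBAC evaluation; leave it empty if none is configured.
    """
    claims = decode_claims(token)
    user = claims.get(user_claim)
    raw_groups = claims.get(groups_claim)
    findings = []

    if raw_groups is None:
        # Most common cause of the Forbidden error: the authorization server never
        # emitted the claim, so the user authenticates but belongs to no RBAC group.
        findings.append(f"token has no '{groups_claim}' claim; the issuer is not emitting it")
        effective = []
    elif isinstance(raw_groups, str):
        effective = [groups_prefix + raw_groups]
    else:
        effective = [groups_prefix + g for g in raw_groups]

    # RBAC compares group names as exact, case-sensitive strings.
    matched = sorted(set(effective) & set(binding_groups))
    if raw_groups is not None and not matched:
        findings.append("groups claim present but no value matches a bound Group subject "
                        f"(token groups={effective}, binding groups={binding_groups})")

    return {
        "user": user,
        "groups": effective,
        "matched": matched,
        "authorized_by_group": bool(matched),
        "findings": findings,
    }


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    # Same claim names and binding subject as in the question.
    print(json.dumps(diagnose_group_binding(token, "groups", "email", ["sample"]), indent=2))
```

With a real token, paste the ID token in place of the constructed one and keep the claim names from your `oidc` block and the `name` values of the binding's `Group` subjects; an empty `findings` list with `authorized_by_group` true means the token and binding agree, while a missing-claim finding points at the issuer configuration rather than at RBAC.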

This is Florin from Okta support. You can open a support case with us to further look into it.
When you are constructing your Okta integration, you can post a question on the Okta Developer Forum.
You can contact our developers at developers@okta.com and send them an email regarding the issue you are experiencing with detailed explanation.
Have a great day ahead!
Any solutions for the above issue? Please suggest or redirect me to the solution page. I appreciate it.