Symptom:
After we set up dex with GitHub as the connector (link) and ran example-app, we were able to obtain an ID token via http://127.0.0.1:5555/.
With that ID token we construct a kubeconfig, but when we access the k8s cluster we hit this error:
error: You must be logged in to the server (Unauthorized)
In the kube-apiserver logs we see this error:
invalid bearer token, oidc: verify token: oidc: expected audience \"123456\" got [\"example-app\"]]"
Triage:
Check the payload and verify the JWT ID token on https://jwt.io
Check the dex container logs
Search for similar issues on GitHub: link1 link2
Solution:
It turns out the client-id does not match.
The client-id set on the K8S API server (--oidc-client-id, link) needs to match the client-id configured in example-app, because the API server checks it against the token's aud claim.
In the example above, "123456" is the value I set on the K8S API server, while the client-id in example-app is "example-app", which is what caused the problem.
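As an added example (not part of this note or of dex/example-app), a small Python check that decodes the ID token's payload the way the jwt.io step does and compares its aud claim with the value passed as --oidc-client-id, reproducing the API server's mismatch message. The token, its HS256 secret and the issuer URL are constructed for the demonstration; dex signs real tokens with RS256 and signature verification is deliberately out of scope here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def check_audience(token: str, oidc_client_id: str) -> Optional[str]:
    """Mimic the kube-apiserver audience check: None when the token's aud claim
    contains oidc_client_id, otherwise the mismatch message the log shows."""
    aud = jwt_claims(token).get("aud")
    # RFC 7519 allows aud to be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if oidc_client_id in audiences:
        return None
    return f'oidc: expected audience "{oidc_client_id}" got {json.dumps(audiences)}'


def make_sample_token(claims: dict, secret: bytes = b"constructed-secret") -> str:
    """Build a constructed HS256 token so the check has realistic input to parse."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"


# Constructed ID token: aud is the client-id example-app registered with dex.
SAMPLE_TOKEN = make_sample_token({
    "iss": "http://127.0.0.1:5556/dex",  # constructed issuer URL
    "sub": "constructed-user",
    "aud": "example-app",
    "exp": 4102444800,
})

if __name__ == "__main__":
    print(check_audience(SAMPLE_TOKEN, "123456"))      # the mismatch from the symptom
    print(check_audience(SAMPLE_TOKEN, "example-app"))  # None: client-id matches aud
```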