How to debug users not being given permissions in Dashboard (probably due to the LDAP group not being found)? #915
Description
Hi Marc,
TL;DR: is there a way to debug why a user has no permissions in the Kubernetes dashboard, even though there is a ClusterRoleBinding giving an LDAP group cluster-admin permissions?
I have a demo setup with an ApacheDS LDAP server and OpenUnison, both running on k3s.
I have three users in LDAP, but only one of them is a member of the k8s-cluster-admins group. I can log into OpenUnison and the Kubernetes Dashboard with all three of them, so LDAP in general seems to be working.
But for all of them I get the error notifications due to missing permissions, while one of them should have enough permissions.
I do not think that I can configure any more of the AD/LDAP-related settings than this block in the values.yaml file:
```yaml
active_directory:
  base: "DC=apacheds,DC=vagrant-libvirt,DC=org"
  host: "apacheds.apacheds.svc.cluster.local"
  port: "389"
  bind_dn: "uid=admin,ou=system"
  con_type: ldap
  srv_dns: "false"
```
The group in question looks like this:
```
dn: CN=k8s-cluster-admins,OU=Groups,DC=apacheds,DC=vagrant-libvirt,DC=org
objectClass: group
cn: k8s-cluster-admins
member: CN=hpotter,OU=Users,DC=apacheds,DC=vagrant-libvirt,DC=org
```
The ClusterRoleBinding (adapted from the OpenUnison documentation):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-07-26T05:04:40Z"
  name: all-ldap-users-are-cluster-admins
  resourceVersion: "847"
  uid: 3db10840-f5b6-46db-ad77-f5d796b91907
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: CN=k8s-cluster-admins,OU=Groups,DC=apacheds,DC=vagrant-libvirt,DC=org
```
Maybe you (or someone else reading this) can spot my mistake or give an idea how and where to start digging.
Thanks in advance!
Kind Regards
Johannes
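One place to start digging, as an added example that is not part of the issue or of OpenUnison's own code: Kubernetes RBAC matches `Group` subjects by exact string comparison against the groups the API server extracts from the OIDC id_token, so a group DN that differs only in attribute-name case or whitespace, or that carries an `--oidc-groups-prefix`, grants nothing. The script below decodes a (constructed, unsigned) id_token, compares its groups to the binding's subjects and classifies each as `exact`, `near-miss` or `absent`; it assumes the groups live in a claim named `groups`, which is an assumption about the OpenUnison setup, not something the issue states.

```python
import base64
import json

# Group subject copied from the issue's ClusterRoleBinding.
BINDING_SUBJECTS = [
    {"kind": "Group",
     "name": "CN=k8s-cluster-admins,OU=Groups,DC=apacheds,DC=vagrant-libvirt,DC=org"},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the check can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of an id_token without verifying its signature.
    Inspection aid only: the API server, not this script, makes trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def _normalize_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_group_subjects(claims, subjects, groups_claim="groups", groups_prefix=""):
    """Report 'exact', 'near-miss' or 'absent' for each RBAC Group subject.

    Only 'exact' grants access: RBAC compares group names by string equality.
    groups_claim is assumed to be 'groups'; groups_prefix mirrors the API
    server's --oidc-groups-prefix, which is prepended before comparison."""
    groups = claims.get(groups_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    effective = [groups_prefix + g for g in groups]
    report = {}
    for subj in subjects:
        if subj.get("kind") != "Group":
            continue
        name = subj["name"]
        if name in effective:
            report[name] = "exact"
        elif any(_normalize_dn(g) == _normalize_dn(name) for g in effective):
            report[name] = "near-miss"
        else:
            report[name] = "absent"
    return report
```

A `near-miss` result points at the identity provider emitting the DN in a different form (for example `cn=` instead of `CN=`) than the binding expects; `absent` means the group is not in the token at all, so the LDAP group lookup itself is the place to look.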