Skip to content
This repository has been archived by the owner on May 17, 2024. It is now read-only.

ClusterRole does not allow adding header when using --extra-user-header-client-ip #180

Open
justinas-b opened this issue Dec 23, 2020 · 0 comments
Open

ClusterRole does not allow adding header when using --extra-user-header-client-ip #180

justinas-b opened this issue Dec 23, 2020 · 0 comments

Comments

@justinas-b
Copy link
Contributor

When using --extra-user-header-client-ip argument kube-oidc-proxy is unable to impersonate resource userextras/remote-client-ip with following error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "userextras.authentication.k8s.io \"10.251.176.235:50924\" is forbidden: User \"system:serviceaccount:kube-oidc-proxy:kube-oidc-proxy\" cannot impersonate resource \"userextras/remote-client-ip\" in API group \"authentication.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "10.251.176.235:50924",
    "group": "authentication.k8s.io",
    "kind": "userextras"
  },
  "code": 403
}
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@justinas-b