oauth-proxy with customer resources in OpenShift Container Platform
Issue
- We are trying to authenticate users (system:authenticated, system:authenticated:oauth) on Prometheus using an oauth-proxy sidecar container and checking access permissions against a CustomResource. Unfortunately this does not work and we are always seeing oauthproxy.go:439: ErrorPage 403 Permission Denied Invalid Account with the below oauth-proxy configuration.
- args:
  - '--https-address=:8443'
  - '--http-address='
  - '--provider=openshift'
  - '--openshift-service-account=prometheus'
  - '--upstream=http://localhost:9090'
  - '--tls-cert=/etc/tls/private/tls.crt'
  - '--tls-key=/etc/tls/private/tls.key'
  - >-
    --validate-url=https://openshift.default.svc.cluster.local/oapi/v1/users/~
  - >-
    --redeem-url=https://openshift.default.svc.cluster.local/oauth/token
  - >-
    --openshift-review-url=https://openshift.default.svc.cluster.local/oapi/v1/subjectaccessreviews
  - >-
    --openshift-delegate-urls={"/":{ "resource":"foo",
    "verb":"get",
    "namespace":"example"
    }}
  - >-
    --openshift-sar={"apiVersion": "v1", "kind":
    "SubjectAccessReview", "resource": "foo", "verb": "get",
    "namespace": "example-test"
    }
  - '--cookie-secret-file=/etc/proxy/secrets/session_secret'
  - '--htpasswd-file=/etc/proxy/htpasswd'
Environment
- Red Hat OpenShift Container Platform 3 and 4
- oauth-proxy