Hi, we are trying to enable ACE with AzureAD on an RKE2 (v2.8.x) cluster. Additional API server args are set up in the cluster configuration with --oidc-issuer-url, --oidc-client-id, --oidc-username-claim, and then kubeconfig is set up to use kubelogin with the same settings. When trying to connect to the API on the controlplane directly:
14:31:56 > kgp
To sign in, use a web browser to open the page Sign in to your account and enter the code XXXXXXX to authenticate.
E0807 14:32:14.823677 206380 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0807 14:32:14.836536 206380 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0807 14:32:14.850393 206380 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0807 14:32:14.865595 206380 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0807 14:32:14.880187 206380 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)
exit status 1
Logs from kube-api-auth say:
time="2024-08-07T12:32:14Z" level=info msg="Processing v1Authenticate request..."
time="2024-08-07T12:32:14Z" level=error msg="found 1 parts of token"
Which seems to indicate that there is something missing from the token, but it seems to be correct when inspecting the token in jwt.io. Anyone have any ideas?
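An added example, not part of the original post: a local check that decodes an ID token's payload and compares it with the three API server flags named above, as an offline alternative to inspecting the token in jwt.io. The issuer, client ID and claim values are constructed placeholders, `check_id_token` and `make_sample_token` are hypothetical helper names, and the signature is not verified.

```python
import base64
import json
import time

# Constructed placeholder values; substitute the real API server flag values.
ISSUER = "https://issuer.example/tenant-placeholder/v2.0"
CLIENT_ID = "client-id-placeholder"

def b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_id_token(token, issuer_url, client_id, username_claim, now=None):
    """Return a list of mismatches between the token's claims and the OIDC
    flags (empty list if none). Decodes only; does NOT verify the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return [f"not a compact JWT: {len(parts)} dot-separated part(s)"]
    try:
        claims = b64url_json(parts[1])
    except ValueError as exc:
        return [f"payload is not base64url-encoded JSON: {exc}"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if claims.get("iss") != issuer_url:  # compared as an exact string
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {issuer_url!r}")
    aud = claims.get("aud")  # may be a single string or a list
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain --oidc-client-id {client_id!r}")
    if username_claim not in claims:
        problems.append(f"--oidc-username-claim {username_claim!r} is absent from the token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for this demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    token = make_sample_token({"iss": ISSUER + "/", "aud": CLIENT_ID, "exp": 4102444800})
    for problem in check_id_token(token, ISSUER, CLIENT_ID, "email"):
        print(problem)
```

An empty result only shows that the claims line up with the flags; it says nothing about whether the component that logged the error received this token or accepts this token format.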