Login through OIDC provider into RKE2 cluster succeeds, but cluster returns 403

[geckiss]

Describe the issue

I was able to configure our RKE2 cluster to authenticate users against our IdP. After logging in, IdP returns "You have logged in to the cluster. You can close this window.", but the cluster returns Error from server (Forbidden): {"Code":{"Code":"Forbidden","Status":403},"Message":"clusters.management.cattle.io \"c-m-w7fq4hm2\" is forbidden: User \"system:unauthenticated\" cannot get resource \"clusters\" in API group \"management.cattle.io\" at the cluster scope","Cause":null,"FieldName":""} (get nodes). Is there a misconfiguration in our cluster or is it something else?

To reproduce

Follow this guide: https://github.com/int128/kubelogin/blob/master/docs/setup.md

Step 3.: kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-owner --user='oidc:me@example.com'
Step 4.: Edit /etc/rancher/rke2/config.yaml so it looks like this:

kube-apiserver-arg:
  - "--oidc-issuer-url=https://my.idp.com/oidc/"
  - "--oidc-client-id=myclientid123"
  - "--oidc-username-claim=email"
  - "--oidc-username-prefix=oidc:"

Step 5.:
kubectl config set-credentials oidc --exec-api-version=client.authentication.k8s.io/v1 --exec-interactive-mode=Never --exec-command=kubectl --exec-arg=oidc-login --exec-arg=get-token --exec-arg="--oidc-issuer-url=https://my.idp.com/oidc/" --exec-arg="--oidc-client-id=myclientid123" --exec-arg="--oidc-client-secret=myclientsecret123" --exec-arg="--oidc-extra-scope=email"

Command above returns User "oidc" set.. Content of ~/.kube/config:

users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://my.idp.com/oidc/
      - --oidc-client-id=myclientid123
      - --oidc-client-secret=myclientsecret123
      - --oidc-extra-scope=email
      command: kubectl
      env: null
      interactiveMode: Never
      provideClusterInfo: false

Step 6.: Verify with kubectl --user=oidc get nodes - this will open a login screen in my browser to the IdP. I can see that the claims I've requested have been returned, among them being the email. I log in, the page in browser shows You have logged in to the cluster. You can close this window., but the command returns Error from server (Forbidden): {"Code":{"Code":"Forbidden","Status":403},"Message":"clusters.management.cattle.io \"c-m-w7fq4hm2\" is forbidden: User \"system:unauthenticated\" cannot get resource \"clusters\" in API group \"management.cattle.io\" at the cluster scope","Cause":null,"FieldName":""} (get nodes).

Output of kubectl describe clusterrolebinding oidc-cluster-admin from step 3.

Name:         oidc-cluster-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-owner
Subjects:
  Kind  Name                      Namespace
  ----  ----                      ---------
  User  oidc:me@example.com

Your environment

• OS: Ubuntu 24.04.2 LTS
• kubelogin version: v1.34.0
• kubectl version: v1.33.1
• OpenID Connect provider: Generic OIDC

[tonyfairbanks]

If you're connecting to the cluster via the Rancher proxy - meaning you have something like this in your kubeconfig:

apiVersion: v1
clusters:
- cluster:
    server: https://rancher.example.com/k8s/clusters/c-m-asdfasdf
  name: mycluster

it won't work, because Rancher has no idea about the OIDC auth you're using. You'll have to connect to the cluster directly.