Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubectl gs login should assist user when using --cluster-admin by mistake #1530

Closed
marians opened this issue Oct 18, 2022 · 5 comments · Fixed by giantswarm/kubectl-gs#1101
Closed

kubectl gs login should assist user when using --cluster-admin by mistake #1530

marians opened this issue Oct 18, 2022 · 5 comments · Fixed by giantswarm/kubectl-gs#1101
Assignees
@vvondruska
Labels
team/bigmac Team BigMac ui/kubectl-gs Kubectl plugin for the Giant Swarm control plane K8s API ux/fail-safety About ensuring that our product can be used in a fail-safe way.

Comments

@marians
Copy link
Member

marians commented Oct 18, 2022

What did the user do, what happened?

When using kubectl gs login with the flag --cluster-admin, against a management cluster, the user got this error:

Internal Server Error
Failed to authenticate: github: user "REDACTED" not in required orgs or teams

The user is not a member of the Giant Swarm org.

What should have happened instead?

Ideally the error message should have hinted to the solution.

Additional context

The user is not a member of Giant Swarm.

The user also mentioned:

"I think I tried to login into a workload cluster as admin, and used the --cluster-admin flag. But... I was pointing to the management cluster, that's why it was trying to auth only against github."

If the --cluster-admin flag is in fact to be used by non-Giant-Swarm-users, this is likely to cause confusion.
@marians marians added ui/kubectl-gs Kubectl plugin for the Giant Swarm control plane K8s API ux/fail-safety About ensuring that our product can be used in a fail-safe way. team/rainbow needs/refinement Needs refinement in order to be actionable labels Oct 18, 2022
@weatherhog weatherhog added manuel and removed lucas labels Jul 19, 2023
@weatherhog
Copy link

@gawertm we think this is in bigmac

@gawertm gawertm removed the manuel label Jul 24, 2023
@gawertm
Copy link

gawertm commented Jul 25, 2023

--cluster-admin flag should only be used by Giantswarm staff and if its used wrongly, we should include this information as an additional output. also include the information in the help

@gawertm gawertm removed the needs/refinement Needs refinement in order to be actionable label Jul 25, 2023
@vvondruska vvondruska self-assigned this Aug 8, 2023
@architectbot architectbot added the team/bigmac Team BigMac label Aug 8, 2023
@vvondruska
Copy link

Since this issue was created, we have introduced a separation of customer and Giantswarm connectors in kgs (driven by the --cluster-admin flag), so it is less likely for users to encounter the problem.

Unfortunately, kgs login callback server is not called in case there is an error during the OIDC flow, so we cannot print a message in kgs.
The error message mentioned in this issue is shown by Dex as a web page in the browser after a few redirects. So, at the time of showing the error message Dex is not aware of which type of connector was used in the authentication.
So, the hinted solutoin added to the error message cannot be too specific.

Despite the above, there are a few things that we can do to improve the situation:

  • adjust the description of the --cluster-admin flag in kgs to make it clear that it is intended to be used by GS staff
  • add a generic message to Dex in case the error message mentioned in this issue is shown to notify the users that they may have used an incorrect type of connector (either a customer using a GS connector or GS staff member using a customer connector)

@vvondruska vvondruska mentioned this issue Aug 9, 2023
Merged
1 task
@vvondruska vvondruska linked a pull request Aug 11, 2023 that will close this issue
Improved incorrect connector error message giantswarm/dex-app#292
Closed
1 task
@vvondruska
Copy link

Regarding the generic message in Dex - some identity providers (e.g. Azure AD) do not redirect back to Dex in case the authentication flow fails and they display their own error message instead.

Dex has no way of finding out that the authentication flow failed and neither does kgs. So, a generic message in Dex will only work for a limited subset of connectors/identity providers.

@vvondruska
Copy link

As a quick improvement the description of the --cluster-admin flag will be adjusted to better explain the main purpose of the flag.
In mid-term the flag will be deprecated and replaced by a new flag with better name.

@vvondruska vvondruska linked a pull request Aug 15, 2023 that will close this issue
Cluster admin flag adjustment giantswarm/kubectl-gs#1101
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vvondruska vvondruska

Labels
team/bigmac Team BigMac ui/kubectl-gs Kubectl plugin for the Giant Swarm control plane K8s API ux/fail-safety About ensuring that our product can be used in a fail-safe way.
Projects
None yet
Milestone
No milestone
5 participants
@marians @vvondruska @weatherhog @gawertm @architectbot