Service Account failed to be authenticated on the secondly added edge node with requireAuthorization feature gate enabled

IterableTrucks commented on September 22, 2024
Service Account failed to be authenticated on the secondly added edge node with requireAuthorization feature gate enabled

from kubeedge.

Comments (14)

Shelley-BaoYue commented on September 22, 2024

I will try to reproduce it in my own environment and it may take a while. If you have any new progress, please feel free to communicate here.

zhuyaguang commented on September 22, 2024

These logs also appear in my edgecore logs:

May 21 00:15:56 edge1 edgecore[6586]: E0521 00:15:56.484334 6586 authentication.go:73] "Unable to authenticate the request" err="tokenData not found when authenticating"

Shelley-BaoYue commented on September 22, 2024

> These logs also appear in my edgecore logs:
>
> May 21 00:15:56 edge1 edgecore[6586]: E0521 00:15:56.484334 6586 authentication.go:73] "Unable to authenticate the request" err="tokenData not found when authenticating"

Does the problem also occur when multiple edge nodes are connected?

Mengxue12 commented on September 22, 2024

> > These logs also appear in my edgecore logs:
> >
> > May 21 00:15:56 edge1 edgecore[6586]: E0521 00:15:56.484334 6586 authentication.go:73] "Unable to authenticate the request" err="tokenData not found when authenticating"
>
> Does the problem also occur when multiple edge nodes are connected?

I have the exact same error. I have only one edge node connected.

Mengxue12 commented on September 22, 2024

After I added the token to the edgecore.yaml according to https://kubeedge.io/docs/setup/config/#create-and-set-edgecore-config-file 6-7, the "tokenData not found when authenticating" error seems to be fixed, but a new error occurs on the edge side:

edgecore[10242]: E0626 11:23:24.927904   10242 fieldmanager.go:155] "[SHOULD NOT HAPPEN] failed to update managedFields" err="failed to convert new object (/; authentication.k8s.io/v1, Kind=TokenReview) to smd type
edgecore[10242]: E0626 11:23:24.944409   10242 storage.go:234] [metaserver/reststorage] failed to create obj: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope
edgecore[10242]: E0626 11:23:24.944561   10242 key.go:21] failed to parse key from an obj:object does not implement the Object interfaces
edgecore[10242]: E0626 11:23:24.944618   10242 storage.go:246] [metaserver/reststorage] failed to create ()
edgecore[10242]: E0626 11:23:25.610920   10242 storage.go:234] [metaserver/reststorage] failed to create obj: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope
edgecore[10242]: E0626 11:23:25.611066   10242 key.go:21] failed to parse key from an obj:object does not implement the Object interfaces

and a similar one on the cloud side:

I0626 13:09:40.600988       1 application.go:60] [metaserver/ApplicationCenter] get a Application (NodeName=raspberrypi;Key=/authentication.k8s.io/v1/tokenreviews/null/null;Verb=create;Status=InApplying;Reason=)
E0626 13:09:40.603674       1 application.go:76] [metaserver/applicationCenter]failed to process Application((NodeName=raspberrypi;Key=/authentication.k8s.io/v1/tokenreviews/null/null;Verb=create;Status=Rejected;Reason=)), tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope

Shelley-BaoYue commented on September 22, 2024

@Mengxue12 You can refer to https://kubeedge.io/docs/advanced/inclusterconfig#deploy-your-edge-pods

WillieWookiee commented on September 22, 2024

I am having a similar issue, but it isn't RBAC related. I have added the token in the edgecore.yaml per the directions, but I keep receiving authentication.go:73] "Unable to authenticate the request" err="invalid bearer token".

If I turn off requireAuthorization it will work over http. As soon as I enable this, even when I curl https://127.0.0.1:10550/api/v1 with the token in the header with -H Authorization: Bearer xxx I receive Unauthorized. The same API token will work when I curl the kube api server on the cloud side.

Any ideas?

Shelley-BaoYue commented on September 22, 2024

@WillieWookiee Have you referred to this guide https://kubeedge.io/docs/advanced/inclusterconfig?

WillieWookiee commented on September 22, 2024

> @WillieWookiee Have you referred to this guide https://kubeedge.io/docs/advanced/inclusterconfig?

Yes, I followed everything word for word. I ended up figuring out my problem. Since my master node was in GKE, the token it generated included a different iss and aud from the JWT that the metaserver was expecting. Once I added the correct ones to the edgecore.yaml config, it worked.

Another issue though is that I was trying to install something that required an Ingress type. Part of this is it lists all the types when it queries the metaserver and it is saying that Ingress is not a type that is supported by metaserver. Is this correct? I thought the metaserver was a proxy to the kube-apiserver.
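
The iss/aud mismatch described in the comment above can be confirmed by decoding the token's payload and comparing it with the values the validating side is configured to accept. This is an added example, not part of the original thread or KubeEdge's own code; the function names, the placeholder issuer URL and the expected issuer/audience value are assumptions, and the sample token is constructed and unsigned.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding that JWT encoding strips
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_mismatches(claims: dict, expected_issuers: list, expected_audiences: list) -> list:
    """List the reasons a validator configured with these values would reject the token."""
    problems = []
    iss = claims.get("iss")
    if iss not in expected_issuers:
        problems.append(f"iss {iss!r} is not one of {expected_issuers}")
    aud = claims.get("aud") or []
    aud = [aud] if isinstance(aud, str) else list(aud)  # "aud" may be a string or a list
    if not set(aud) & set(expected_audiences):
        problems.append(f"aud {aud} has no overlap with {expected_audiences}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.constructed-signature"


# Constructed values: a managed-cluster style issuer versus an assumed in-cluster default.
MANAGED_ISSUER = "https://container.googleapis.com/v1/projects/example/locations/example/clusters/example"
EDGE_EXPECTED = ["https://kubernetes.default.svc.cluster.local"]

if __name__ == "__main__":
    token = make_sample_token(
        {"iss": MANAGED_ISSUER, "aud": [MANAGED_ISSUER], "sub": "system:serviceaccount:ns1:sa1"}
    )
    for problem in claim_mismatches(decode_claims(token), EDGE_EXPECTED, EDGE_EXPECTED):
        print("MISMATCH:", problem)
```

Running the same comparison against a real service account token shows which of the two claims the edge-side configuration has to be aligned with.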

WillieWookiee commented on September 22, 2024

@Shelley-BaoYue Any ideas? I would love to use Kubeedge, but it seems the Metaserver is limited. Unless you can help me address the above issue.

Shelley-BaoYue commented on September 22, 2024

@WillieWookiee Ingress type is supported by metaserver. It's recommended that you can submit a new issue and describe the problem in detail.

WillieWookiee commented on September 22, 2024

It may support Ingress for a certain type of call, but being that it is not a pass through to the api server, it will be very hard to support the types of calls certain applications might make to the api. I would suggest adopting a model that OpenYurt uses, where it can cache, but outside of that, it passes the call directly to the apiserver and just acts as a proxy.

Shelley-BaoYue commented on September 22, 2024

@WillieWookiee The problem you've mentioned does indeed exist, and we've also considered using more native approaches in our subsequent plans. Would you like to submit an issue and share your requirements with the community? If you're able to participate in the community's design and development, that would be even better.

IterableTrucks commented on September 22, 2024

Unfortunately, I rechecked this issue and the problem still exists in v1.18.0. The secondly added node still has this error: authentication.go:73] "Unable to authenticate the request" err="serviceaccount ns1/sa1 not found"
