Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to authorize che to create a workspace on amazon EKS #22358

Closed
ghost opened this issue Jul 12, 2023 · 5 comments
Closed

How to authorize che to create a workspace on amazon EKS #22358

ghost opened this issue Jul 12, 2023 · 5 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/question Questions that haven't been identified as being feature requests or bugs.

Comments

@ghost
Copy link

ghost commented Jul 12, 2023

Summary

Previously I was running che in kind for development/testing. I had set the oidc-issuer-url to my application server both in che's configuration and in the kind configuration, and it was working.

For production I try to deploy che to an amazon EKS cluster, with the same oidc-issuer-url, but when making the API request to the dashboard to create a workspace, it returns 403 Forbidden. The logs in the dashboard say devworkspaces.workspace.devfile.io is forbidden: User "<oidc-issuer-url>#e5fb4c6c-1c31-4326-9f09-afcf41e1cda3" cannot create resource "devworkspaces" in API group "workspace.devfile.io" in the namespace "user-che".

I suspect this is more of an AWS issue than a Che issue, but I thought this would be a good place to ask if anyone else has run into the same situation and figured it out.

Relevant information

I tried to follow this guide to bind che's service accounts to an IAM role with all permissions over everything, but still got this 403. I also tried using RBAC, creating a clusterrole with all permissions over everything and a clsuterrolebinding that binds it to al service accounts in the eclipse-che or devworkspace-controller namespaces (since I'm not sure which one actually needs it), but still 403.

This is the clusterrole I used:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: che-permissions
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

And this is the clusterrolebinding I used:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: che-permissions-binding
subjects:
- kind: ServiceAccount
  name: che-dashboard
  namespace: eclipse-che
- kind: ServiceAccount
  name: che
  namespace: eclipse-che
- kind: ServiceAccount
  name: che-gateway
  namespace: eclipse-che
- kind: ServiceAccount
  name: che-service-account
  namespace: eclipse-che
- kind: ServiceAccount
  name: che-operator
  namespace: eclipse-che
- kind: ServiceAccount
  name: default
  namespace: eclipse-che
- kind: ServiceAccount
  name: devworkspace-controller-service-account
  namespace: devworkspace-controller
- kind: ServiceAccount
  name: devworkspace-controller-webhook-server
  namespace: devworkspace-controller
- kind: ServiceAccount
  name: default
  namespace: devworkspace-controller
roleRef:
  kind: ClusterRole
  name: che-permissions
  apiGroup: rbac.authorization.k8s.io
@ghost ghost added the kind/question Questions that haven't been identified as being feature requests or bugs. label Jul 12, 2023
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 12, 2023
@ibuziuk
Copy link
Member

ibuziuk commented Jul 12, 2023

This blog post should be useful - https://che.eclipseprojects.io/2022/07/25/@karatkep-installing-eclipse-che-on-aks.html
cc: @karatkep

@ibuziuk ibuziuk added area/install Issues related to installation, including offline/air gap and initial setup status/analyzing An issue has been proposed and it is currently being analyzed for effort and implementation approach and removed status/analyzing An issue has been proposed and it is currently being analyzed for effort and implementation approach status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jul 12, 2023
@tolusha
Copy link
Contributor

tolusha commented Jul 12, 2023
edited
Loading

As far as I understood, you were able to log in, but you aren't able to create a workspace.
Try to inspect user's permissions then kubectl describe rolebindings -n <USER_NAMESPACE>

@ghost
Copy link
Author

ghost commented Jul 14, 2023

For anyone else, we eventually solved this issue. Adding permissions to Che like I was doing didn't help because Che doesn't use its own permissions to create the workspace, it uses the user's permissions. Our problem was that the cluster and Che did not agree on which JWT claim to use to identify users. What we did was in the amazon EKS clsuter settings -> Authentication -> associate identity provider, set the "username claim" to email. Then in the Che configuration, we set the undocumented property CHE_OIDC_USERNAME__CLAIM like this:

spec:
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_USERNAME__CLAIM: email

@tolusha
Copy link
Contributor

tolusha commented Jul 14, 2023

Thank you for sharing the information!!!

@tolusha tolusha mentioned this issue Jul 26, 2023
Open
6 tasks
@tolusha tolusha removed the status/analyzing An issue has been proposed and it is currently being analyzed for effort and implementation approach label Aug 10, 2023
@tolusha tolusha closed this as completed Aug 10, 2023
@venkatesh0822
Copy link

venkatesh0822 commented Oct 19, 2023
edited
Loading

For anyone else, we eventually solved this issue. Adding permissions to Che like I was doing didn't help because Che doesn't use its own permissions to create the workspace, it uses the user's permissions. Our problem was that the cluster and Che did not agree on which JWT claim to use to identify users. What we did was in the amazon EKS clsuter settings -> Authentication -> associate identity provider, set the "username claim" to email. Then in the Che configuration, we set the undocumented property CHE_OIDC_USERNAME__CLAIM like this:

spec:
  components:
    cheServer:
      extraProperties:
        CHE_OIDC_USERNAME__CLAIM: email

I have set "username claim" to email in AWS and 'CHE_OIDC_USERNAME__CLAIM' in cr-path.yaml file and deployed che with command 'chectl server:deploy --platform k8s --che-operator-cr-patch-yaml cr-patch.yaml --domain --skip-oidc-provider-check'. But still getting same 403 errror.
Can I know in which che configuration file we need to set 'CHE_OIDC_USERNAME__CLAIM'

@l0rd l0rd mentioned this issue Dec 6, 2023
Closed
@tolusha tolusha mentioned this issue Aug 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/question Questions that haven't been identified as being feature requests or bugs.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ibuziuk @tolusha @che-bot @venkatesh0822