How to authorize che to create a workspace on amazon EKS #22358
Comments
This blog post should be useful - https://che.eclipseprojects.io/2022/07/25/@karatkep-installing-eclipse-che-on-aks.html

As far as I understood, you were able to log in, but you aren't able to create a workspace.
For anyone else, we eventually solved this issue. Adding permissions to Che like I was doing didn't help because Che doesn't use its own permissions to create the workspace, it uses the user's permissions. Our problem was that the cluster and Che did not agree on which JWT claim to use to identify users. What we did was in the amazon EKS cluster settings -> Authentication -> associate identity provider, set the "username claim" to
Thank you for sharing the information!!!
Summary
Previously I was running che in kind for development/testing. I had set the oidc-issuer-url to my application server both in che's configuration and in the kind configuration, and it was working. For production I tried to deploy che to an amazon EKS cluster, with the same oidc-issuer-url, but when making the API request to the dashboard to create a workspace, it returns 403 Forbidden. The logs in the dashboard say:

devworkspaces.workspace.devfile.io is forbidden: User "<oidc-issuer-url>#e5fb4c6c-1c31-4326-9f09-afcf41e1cda3" cannot create resource "devworkspaces" in API group "workspace.devfile.io" in the namespace "user-che"

I suspect this is more of an AWS issue than a Che issue, but I thought this would be a good place to ask if anyone else has run into the same situation and figured it out.
Relevant information
I tried to follow this guide to bind che's service accounts to an IAM role with all permissions over everything, but still got this 403. I also tried using RBAC, creating a clusterrole with all permissions over everything and a clusterrolebinding that binds it to all service accounts in the eclipse-che or devworkspace-controller namespaces (since I'm not sure which one actually needs it), but still 403. This is the clusterrole I used:

And this is the clusterrolebinding I used: