Question

Rights problem in the kasten dashboard with token authentication.

19 October 2023

Hi,

I am unable to have rights other than limited in the dashboard when I use authentication via token.

I need it for integration with Veeam.

So I followed the doc:

Creating a serviceaccount (k10-admin):
kubectl describe serviceaccount k10-admin -n kasten-io
Name: k10-admin
Namespace: kasten-io
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: k10-admin-token
Events: <none>

Creation of the token for my serviceaccount (k10-admin):
kubectl describe secret k10-admin-token -n kasten-io
Name: k10-admin-token
Namespace: kasten-io
Labels: <none>
Annotations: kubernetes.io/service-account.name: k10-admin
               kubernetes.io/service-account.uid: 61725419-f190-4cf5-99b8-6ec29e7afb9d

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1334 bytes
namespace: 9 bytes
token: xxxxxx

Creating the link between my serviceaccount (k10-admin) and the clusterrole (k10-admin):
kubectl describe clusterrolebinding k10-admin-k10-admin -n kasten-io
Name: k10-admin-k10-admin
Labels: <none>
Annotations: <none>
Role:
   Kind: ClusterRole
   Name: k10-admin
Subjects:
   Kind            Name       Namespace
   ----            ----       ---------
   ServiceAccount  k10-admin  kasten-io

 

When I connect to the interface with my token, it opens the interface, but I have practically no rights.

 


5 comments


Hi Pascal,

I have never seen this myself when installing with helm, i.e. enabling token authentication. Normally it automatically creates a k10-k10 sa which has the permissions already present, so no need to link up to the clusterrole etc. manually.

When leveraging OIDC I have had to link to my external users but I just followed this part of the doc and there were no issues: https://docs.kasten.io/latest/access/rbac.html?highlight=rbac

 


Here is the default sa that is created:

 

and the clusterrolebinding

 

 


And my very simple values file (this is for an installation on K3S)

 

 

Thank you, indeed, I just tested with the k10-k10 serviceaccount, it works. I have the rights. But, I still can't connect from Veeam. I'll keep looking.


@pascal.longuepee
I think you still need to create a rolebinding in the kasten-io ns.
The k10-ns-admin Role is added for secrets and configmaps access in the K10 release namespace.

kubectl create rolebinding -n kasten-io test-k10-admin --role k10-ns-admin --serviceaccount kasten-io:k10-admin


 

 

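The binding check discussed in this thread, as an added example that is not part of any post here or of Kasten's documentation: it reads data shaped like `kubectl get clusterrolebindings,rolebindings -A -o json` and reports which of the two bindings named above (ClusterRole k10-admin, Role k10-ns-admin in kasten-io) a service account lacks. The function names and the sample objects are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
# It mirrors the thread: the ClusterRoleBinding exists, the namespaced RoleBinding does not.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "k10-admin-k10-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "k10-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "k10-admin", "namespace": "kasten-io"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "constructed-other-binding", "namespace": "kasten-io"},
   "roleRef": {"kind": "Role", "name": "k10-ns-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "k10-k10", "namespace": "kasten-io"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "constructed-no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
""")

def roles_for_service_account(bindings, sa_namespace, sa_name):
    """Return a set of (scope, role_kind, role_name) bound to the service account.
    scope is "cluster" for a ClusterRoleBinding, else the RoleBinding's namespace."""
    found = set()
    for item in bindings.get("items", []):
        # "subjects" may be absent or null on a binding.
        # Only direct ServiceAccount subjects are matched, not Group subjects.
        for subj in item.get("subjects") or []:
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == sa_name
                    and subj.get("namespace") == sa_namespace):
                scope = ("cluster" if item["kind"] == "ClusterRoleBinding"
                         else item["metadata"]["namespace"])
                ref = item["roleRef"]
                found.add((scope, ref["kind"], ref["name"]))
    return found

def missing_k10_bindings(bindings, sa_name, release_ns="kasten-io"):
    """List the bindings named in the thread that the service account lacks."""
    wanted = {("cluster", "ClusterRole", "k10-admin"),
              (release_ns, "Role", "k10-ns-admin")}
    return sorted(wanted - roles_for_service_account(bindings, release_ns, sa_name))

if __name__ == "__main__":
    for scope, kind, name in missing_k10_bindings(SAMPLE, "k10-admin"):
        print(f"missing: {kind}/{name} (scope: {scope})")
```

Permissions granted through Group subjects such as `system:serviceaccounts:kasten-io` are not covered by this check; `kubectl auth can-i --as=system:serviceaccount:kasten-io:k10-admin` answers the effective-permission question on a live cluster.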