Cannot access the Keycloak account console in Kubernetes (403)
I have found a strange behavior in Keycloak when deployed in Kubernetes, that I can't wrap my head around.
Use-case:
- login as admin:admin (created by default)
- click on Manage account
(manage account dialog screenshot)
I have compared how the (same) image (quay.io/keycloak/keycloak:17.0.0) behaves if it runs on Docker or in Kubernetes (K3S).
If I run it from Docker, the account console loads. In other words, I get a success (204) for the request
GET /realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=account-console
From the same image deployed in Kubernetes, the same request fails with error 403. However, on this same application, I get a success (204) for the request
GET /realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console
Since I can call security-admin-console, this does not look like an issue with the Kubernetes Ingress gateway nor with anything related to routing.
I then thought about a Keycloak access-control configuration issue, but in both cases I use the default image without any change. I cross-checked to be sure; it appears that the admin user and the account-console client are configured exactly the same way in both the Docker and k8s applications.
I have no more ideas about what the problem could be; do you have any suggestions?
Try to set
ssl_required = NONE
in the realm table in the Keycloak database for your realm (master).

I was able to resolve the issue with the following environment variables; my Keycloak version is 23.0.4:
So we found that it was the nginx ingress controller causing a lot of issues. While we were able to get it working with nginx, via X-Forwarded-Proto etc., it was a bit complicated and convoluted. Moving to haproxy instead resolved this problem. As well, make sure you are interfacing with the ingress controller over https, or that may cause issues with keycloak.

I had a similar issue and was using Nginx as a proxy for HTTPS.
The admin web console got stuck with a 403 loading:
/realms/master/protocol/openid-connect/login-status-iframe.html/init
I fixed it by adding these Nginx lines to the KeyCloak location configuration.
I had the same issue, and solved it by adding the correct origin to the account-console client in the Keycloak UI.
Clients -> account-console -> Web origins
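Editor's note, added to tie the X-Forwarded-Proto answer and the Web origins answer together: the request that fails here, GET .../login-status-iframe.html/init, is a pre-check in which Keycloak compares the browser's origin (the iframe script sends it as an `origin` query parameter alongside `client_id`) against the client's resolved Web origins plus the origin of the request as Keycloak itself sees it. Behind an ingress that terminates TLS, the pod receives plain HTTP, so unless Keycloak is told to trust the proxy's X-Forwarded-* headers (KC_PROXY=edge on the 17.x Quarkus distribution; KC_PROXY_HEADERS=xforwarded from Keycloak 24 on), its own origin is http://... while the browser's is https://..., and the check returns 403. Directly from Docker both sides agree on http://localhost:8080, which is why the same image works there. The model below is an added illustration written for this page, not Keycloak's source or any answerer's code; the host names, the default client settings and the exact resolution rules are simplifying assumptions, but it reproduces the 204/403 split from the question and shows which input each answer changes.

```python
# Added example (not from the question or any answer): a simplified model of the
# origin check behind GET .../login-status-iframe.html/init, used to show why the
# same image returns 204 in Docker and 403 behind a TLS-terminating ingress.
# Host names, client settings and the exact rules are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlsplit

HTTP_NO_CONTENT = 204
HTTP_FORBIDDEN = 403


@dataclass
class Client:
    client_id: str
    redirect_uris: List[str]
    # Explicit "Web origins" from the admin UI; "+" means "origins of all
    # redirect URIs", "*" means any origin (avoid "*" in production).
    web_origins: List[str] = field(default_factory=list)


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for an absolute URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def request_origin(headers: Dict[str, str], host: str,
                   tls_at_keycloak: bool, trust_forwarded: bool) -> str:
    """Origin of the request as Keycloak itself perceives it.

    Behind an ingress that terminates TLS the pod receives plain HTTP. Only when
    Keycloak is told to trust the proxy (KC_PROXY=edge on 17.x) does it rebuild
    the external scheme and host from X-Forwarded-Proto / X-Forwarded-Host.
    """
    scheme = "https" if tls_at_keycloak else "http"
    if trust_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}"


def resolve_valid_web_origins(client: Client, req_origin: str) -> Set[str]:
    """Explicit web origins, with '+' expanded, plus Keycloak's own request origin."""
    valid: Set[str] = set()
    for entry in client.web_origins:
        if entry == "+":
            for uri in client.redirect_uris:
                # Relative redirect URIs resolve against the request itself.
                valid.add(req_origin if uri.startswith("/") else origin_of(uri))
        else:
            valid.add(entry)
    valid.add(req_origin)
    return valid


def login_status_iframe_init(client: Client, browser_origin: str,
                             req_origin: str) -> int:
    """204 when the browser's origin is acceptable for this client, else 403."""
    valid = resolve_valid_web_origins(client, req_origin)
    if "*" in valid or browser_origin in valid:
        return HTTP_NO_CONTENT
    return HTTP_FORBIDDEN


def account_console(extra_web_origins=()) -> Client:
    # Assumed default account-console client: relative redirect URI, no web origins.
    return Client("account-console", ["/realms/master/account/*"],
                  list(extra_web_origins))


def scenario_docker_plain_http() -> int:
    """docker run -p 8080:8080: browser and Keycloak agree on http://localhost:8080."""
    req = request_origin({}, "localhost:8080", tls_at_keycloak=False, trust_forwarded=False)
    return login_status_iframe_init(account_console(), "http://localhost:8080", req)


def scenario_ingress_tls(trust_forwarded: bool, extra_web_origins=()) -> int:
    """Browser talks https to the ingress; the ingress forwards http to the pod."""
    headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "keycloak.example.test"}
    req = request_origin(headers, "keycloak.example.test",
                         tls_at_keycloak=False, trust_forwarded=trust_forwarded)
    return login_status_iframe_init(account_console(extra_web_origins),
                                    "https://keycloak.example.test", req)


if __name__ == "__main__":
    print("docker, plain http            ", scenario_docker_plain_http())   # 204
    print("ingress, headers not trusted  ", scenario_ingress_tls(False))      # 403
    print("ingress, KC_PROXY=edge        ", scenario_ingress_tls(True))       # 204
    print("ingress, explicit Web origin  ",
          scenario_ingress_tls(False, ("https://keycloak.example.test",)))   # 204
```

Reading the four scenarios against the answers above: making the proxy headers reach and be trusted by Keycloak (the haproxy / X-Forwarded-Proto answer) fixes the request origin itself, so every client behaves as it does in Docker; adding the external https origin to Clients -> account-console -> Web origins (the last answer) fixes only that one client and has to be repeated per client and per hostname. Lowering ssl_required to NONE in the first answer is a different lever: it lets the master realm be used over plain HTTP, which is a security downgrade, and it is not what this origin comparison looks at. Prefer configuring the proxy mode and a fixed hostname over either workaround, and never use "*" as a Web origin on an admin or account client.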