Following the instructions here: https://cloud.google.com/kubernetes-engine/docs/how-to/oidc#gcloud-config
I followed the instructions on that page and logged in with the following command:
kubectl oidc login --cluster=CLUSTER_NAME --login-config=login-config.yaml
Found a proposed solution to the problem: to resolve this issue, add prompt=consent to the authentication.oidc.extraParams field in the cluster configuration file, then regenerate the client authentication file. Reference: https://cloud.google.com/anthos/clusters/docs/on-prem/latest/troubleshoot-identity-authorization
Still getting the same error. Sharing the contents of the authentication.oidc field from my login config:
authentication:
- name: oidc
  oidc:
    clientID: xxxxxxxxxxxxx
    clientSecret: yyyyyyyyyyy
    extraParams: resource=token-groups-claim, prompt=consent
    issuerURI: IDP URL
    cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
    kubectlRedirectURI: http://localhost:3000
    scopes: openid, email
    userClaim: email
    groupsClaim: groups
Has anyone run into the same problem?
I noticed that it needs a refresh token, so the corresponding scope is required. Reference link: https://cloud.google.com/anthos/identity/setup/fleet-cluster#okta
I don't know why this is mandatory.
authentication:
- name: idp
  oidc:
    clientID: *****5d7
    clientSecret: ******iu
    cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
    groupsClaim: groups
    extraParams: prompt=consent, access_type=offline
    issuerURI: https://idp-idp.com
    kubectlRedirectURI: http://127.0.0.1:10000
    scopes: openid,profile,groups,email,offline_access
    userClaim: sub
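As an added example (not code from any poster in this thread), the following script checks one authentication[].oidc block of a login config for the refresh-token settings the reply above names: prompt=consent and access_type=offline in extraParams, and the offline_access scope. It assumes the block has already been loaded into a dict; which of the two offline settings a given IdP honours is IdP-specific, so both are reported when absent, and the sample configs below are constructed from the thread with secrets redacted and a placeholder issuer.

```python
# Added example, not from the thread: report which refresh-token settings a
# GKE/Anthos OIDC login-config block is missing. Requirement names come from
# the reply above; treating both offline settings as required is an assumption.

def parse_extra_params(extra_params: str) -> dict:
    # 'k=v, k2=v2' -> {'k': 'v', 'k2': 'v2'}; whitespace around items ignored
    result = {}
    for item in extra_params.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            result[key] = value.strip()
    return result

def parse_scopes(scopes: str) -> set:
    # 'openid, email' or 'openid,email' -> {'openid', 'email'}
    return {s.strip() for s in scopes.split(",") if s.strip()}

def check_refresh_token_config(oidc: dict) -> list:
    # Returns findings; an empty list means the block has what the thread needed.
    findings = []
    params = parse_extra_params(oidc.get("extraParams", ""))
    scopes = parse_scopes(oidc.get("scopes", ""))
    if params.get("prompt") != "consent":
        findings.append("extraParams: add prompt=consent")
    if params.get("access_type") != "offline":
        findings.append("extraParams: add access_type=offline")
    if "offline_access" not in scopes:
        findings.append("scopes: add offline_access")
    # Schema keys are case-sensitive; a mis-cased key is silently ignored.
    for key in ("clientID", "clientSecret", "issuerURI", "userClaim"):
        if key not in oidc:
            findings.append(f"{key}: missing (check key spelling and case)")
    return findings

# Constructed sample mirroring the poster's first config (values redacted).
FAILING_CONFIG = {
    "clientID": "xxxxxxxxxxxxx", "clientSecret": "yyyyyyyyyyy",
    "extraParams": "resource=token-groups-claim, prompt=consent",
    "issuerURI": "https://idp.example.invalid",  # placeholder issuer
    "scopes": "openid, email",
    "userClaim": "email",
}

# Constructed sample mirroring the working config from the reply.
WORKING_CONFIG = {
    "clientID": "redacted", "clientSecret": "redacted",
    "extraParams": "prompt=consent, access_type=offline",
    "issuerURI": "https://idp-idp.com",
    "scopes": "openid,profile,groups,email,offline_access",
    "userClaim": "sub",
}
```

Running check_refresh_token_config(FAILING_CONFIG) reports the missing access_type=offline parameter and offline_access scope, while WORKING_CONFIG yields no findings.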