jetstack/kube-oidc-proxy

ClusterRole does not allow adding header when using `--extra-user-header-client-ip`

justinas-b opened this issue · 0 comments

When using the `--extra-user-header-client-ip` argument, kube-oidc-proxy is unable to impersonate the resource `userextras/remote-client-ip`, with the following error:

```json
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "userextras.authentication.k8s.io \"10.251.176.235:50924\" is forbidden: User \"system:serviceaccount:kube-oidc-proxy:kube-oidc-proxy\" cannot impersonate resource \"userextras/remote-client-ip\" in API group \"authentication.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "10.251.176.235:50924",
    "group": "authentication.k8s.io",
    "kind": "userextras"
  },
  "code": 403
}
```
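The denial above names everything a matching RBAC rule needs: API group, resource and verb. The following is an added example, not part of the original issue or of the kube-oidc-proxy project: it parses a Forbidden `Status` body and derives the narrowest rule that would satisfy it. The function names `missing_rule` and `render_rule` are hypothetical, and the sample input is constructed from the error shown above.

```python
import json
import re

# Constructed sample: the 403 Status body from the report above, trimmed to the fields used here.
STATUS = json.dumps({
    "kind": "Status",
    "status": "Failure",
    "message": 'userextras.authentication.k8s.io "10.251.176.235:50924" is forbidden: '
               'User "system:serviceaccount:kube-oidc-proxy:kube-oidc-proxy" cannot impersonate '
               'resource "userextras/remote-client-ip" in API group "authentication.k8s.io" '
               'at the cluster scope',
    "reason": "Forbidden",
    "code": 403,
})

# Matches the subject, verb, resource and API group in an RBAC denial message.
DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)


def missing_rule(status_json):
    """Return (user, rule) for an RBAC Forbidden Status, or None if it is not one."""
    status = json.loads(status_json)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        return None
    m = DENIED.search(status.get("message", ""))
    if m is None:
        return None
    rule = {
        "apiGroups": [m["group"]],
        "resources": [m["resource"]],  # only the exact resource named in the denial
        "verbs": [m["verb"]],
    }
    return m["user"], rule


def render_rule(rule):
    """Render the rule as a YAML list item for a ClusterRole's rules: section."""
    lines = []
    for i, key in enumerate(("apiGroups", "resources", "verbs")):
        prefix = "- " if i == 0 else "  "
        # A JSON array is also a valid YAML flow sequence.
        lines.append(f"{prefix}{key}: {json.dumps(rule[key])}")
    return "\n".join(lines)


if __name__ == "__main__":
    user, rule = missing_rule(STATUS)
    print(f"# denied subject: {user}")
    print(render_rule(rule))
```

The rendered item belongs under `rules:` in whichever ClusterRole is bound to the denied service account; that role's name does not appear in the issue.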