Kubernetes: cannot get path "//.well-known/openid-configuration"
24 May 2021 | #techI’ve been playing with using kubernetes service account JWTs to authenticate Pods. To get the cert for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration
endpoint, however as the URL was coming from a config file it ended up being https://kubernetes.default.svc//.well-known/openid-configuration
(mind the double //
). This worked well locally where everything runs under the powerful default service account, but when deployed I got an error saying:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:serviceaccount:my-namespace:my-service-account\" cannot get path \"//.well-known/openid-configuration\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
The solution was to remove the second /
, and hitting https://kubernetes.default.svc/.well-known/openid-configuration
worked like a charm.
Googleing the error didn’t bring up anything useful, so I’m sharing it here in the hopes of saving others the debugging time.