kubectl commands fail in Pinniped-integrated clusters with error "Unable to connect to the server: An existing connection was forcibly closed by the remote host"
Article ID: 373268
Products
VMware Tanzu Kubernetes Grid
Issue/Introduction
Requests using the Pinniped workflow to fetch Kubernetes objects were failing with the following error in the Pinniped pod logs
The TokenCredentialRequest was failing to complete within 60s because sessions.yaml and credentials.yaml had grown too large, due to the large number of groups returned by Pinniped.
Ideally, each file should be smaller than 10 KB.
An mTLS client certificate can hold approximately 60k characters in total (a rough figure, not an exact limit), because Go TLS handshake messages are limited to 65,536 bytes. So if you look at the ID token in sessions.yaml and add up its total number of characters, and the total exceeds 60k, the request will fail.
If the group search filter is configured as "filter: (objectClass=group)", every user is treated as if they belong to every single LDAP group in the whole LDAP directory. This inflates the size of sessions.yaml.
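The check described above (count the characters of the ID token in sessions.yaml and compare against the ~60k budget, and see how many groups the token carries) can be scripted. The following Python is an added example written for this article; it is not Pinniped's own code. It constructs an approximate sessions.yaml layout with unsigned, JWT-shaped tokens for demonstration (real Pinniped tokens are signed, and the exact cache layout may differ), so the only assumption about the real file is that the ID token appears as a dotted base64url JWT string somewhere in it. The 10 KB and 60k thresholds are the article's own figures.

```python
import base64
import json
import re

# Limits stated in the article: sessions.yaml should ideally stay under 10 KB,
# and the ID token carried in the mTLS client certificate must stay under
# roughly 60k characters because Go TLS handshake messages are capped at 65,536.
FILE_SIZE_LIMIT = 10 * 1024
TOKEN_CHAR_LIMIT = 60_000

# Three dot-separated base64url segments; the signature may be empty for the
# constructed unsigned tokens used below.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Build a JWT-shaped token for the demonstration (constructed, unsigned)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def build_sample_sessions_yaml(groups: list) -> str:
    """Constructed approximation of the Pinniped CLI session cache layout."""
    id_token = make_unsigned_id_token({
        "iss": "https://pinniped-supervisor.example.invalid",  # placeholder issuer
        "sub": "jdoe",
        "username": "jdoe",
        "groups": groups,
    })
    return (
        "current: session-1\n"
        "sessions:\n"
        "- key: session-1\n"
        "  tokens:\n"
        "    id_token:\n"
        f"      token: {id_token}\n"
        "    refresh_token:\n"
        "      token: opaque-refresh-token-value\n"
    )


def inspect_sessions_yaml(text: str) -> dict:
    """Report the sizes that decide whether the TokenCredentialRequest can succeed.

    Scans the cache text for JWT-shaped values, decodes the payload of the first
    one carrying a 'groups' claim (the ID token) and compares the file size and
    token length against the article's limits. No YAML parser is required.
    """
    file_bytes = len(text.encode("utf-8"))
    report = {
        "file_bytes": file_bytes,
        "file_over_limit": file_bytes > FILE_SIZE_LIMIT,
        "id_token_chars": 0,
        "group_count": 0,
        "token_over_limit": False,
    }
    for match in JWT_RE.finditer(text):
        token = match.group(0)
        try:
            claims = json.loads(_b64url_decode(token.split(".")[1]))
        except ValueError:
            continue  # not a readable JWT payload (e.g. an opaque refresh token)
        if not isinstance(claims, dict) or "groups" not in claims:
            continue
        report["id_token_chars"] = len(token)
        report["group_count"] = len(claims["groups"])
        report["token_over_limit"] = len(token) > TOKEN_CHAR_LIMIT
        break
    return report


if __name__ == "__main__":
    # A user in two groups: well inside both limits.
    small = inspect_sessions_yaml(build_sample_sessions_yaml(["developers", "kube-admins"]))
    # Constructed "(objectClass=group)" scenario: every group in the directory is
    # attached to the user, so the token balloons past the TLS handshake budget.
    every_group = [f"CN=group-{i:05d},OU=Groups,DC=example,DC=invalid" for i in range(2000)]
    large = inspect_sessions_yaml(build_sample_sessions_yaml(every_group))
    for name, report in (("small", small), ("large", large)):
        print(name, report)
```

Run against a real cache by reading the file into `inspect_sessions_yaml` instead of the constructed sample; a report with `token_over_limit` set, or a group count in the hundreds, points at the group search filter discussed in the Resolution rather than at a network problem.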
Resolution
To decrease the number of groups returned by the LDAP server, set the group filter parameter to "&(sAMAccountName={})(objectclass=group)" so that only the groups of which the particular user is a member are returned.