User "system:anonymous" cannot get path "/"

I just set up a Kubernetes cluster based on this link https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#multi-platform. I checked with kubectl get nodes, and the master node is Ready, but when I access the link https://k8s-master-ip:6443/ it shows the error: User "system:anonymous" cannot get path "/". What is the trick I am missing?

Tien Dung Tran asked Jul 14 '17 04:07


2 Answers

Hope you see something like this:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

This is good, as not everyone should be able to access the cluster. If you want to see the services, run "kubectl proxy"; this should enable access to the services from the outside world.

C:\dev1> kubectl proxy
Starting to serve on 127.0.0.1:8001

And when you hit 127.0.0.1:8001 you should see the list of services.

Nakul Gawande answered Sep 18 '22 23:09



The latest Kubernetes deployment tools enable RBAC on the cluster. Jenkins is relegated to the catch-all user system:anonymous when it accesses https://192.168.70.94:6443/api/v1/.... This user has almost no privileges on kube-apiserver.

The bottom line is, Jenkins needs to authenticate with kube-apiserver, either with a bearer token or with a client cert that's signed by the k8s cluster's CA key.

Method 1. This is preferred if Jenkins is hosted in the k8s cluster:

  1. Create a ServiceAccount in k8s for the plugin
  2. Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that's tied to the ServiceAccount
  3. Configure the plugin to use the ServiceAccount's token when accessing the URL https://192.168.70.94:6443/api/v1/...

Method 2. If Jenkins is hosted outside the k8s cluster, the steps above can still be used. The alternative is to:

  1. Create a client cert that's tied to the k8s cluster's CA. You have to find where the CA key is kept and use it to generate a client cert.
  2. Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that's tied to the client cert
  3. Configure the plugin to use the client cert when accessing the URL https://192.168.70.94:6443/api/v1/...

Both methods work in any situation. I believe Method 1 will be simpler for you because you don't have to mess around with the CA key.

Eugene Chow answered Sep 17 '22 23:09

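Method 1 carried out end to end, as an added example that is not part of the answer above: the ServiceAccount and Role names, the "ci" namespace and the API_SERVER default are assumptions, the CA path is kubeadm's default, and kubectl create token needs Kubernetes 1.24 or newer (older clusters read the token from the ServiceAccount's Secret instead).

```shell
# Added example: Method 1 with a least-privilege Role rather than cluster-admin.
# jenkins-sa, jenkins-pod-reader, the "ci" namespace and API_SERVER are assumptions.
API_SERVER="${API_SERVER:-https://192.168.70.94:6443}"
NAMESPACE="${NAMESPACE:-ci}"
# Emit the ServiceAccount plus a namespaced Role/RoleBinding. The Role allows only
# read access to pods in one namespace; widen it only as far as the plugin needs.
rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-sa
  namespace: $NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-pod-reader
  namespace: $NAMESPACE
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-pod-reader
  namespace: $NAMESPACE
subjects:
- kind: ServiceAccount
  name: jenkins-sa
  namespace: $NAMESPACE
roleRef:
  kind: Role
  name: jenkins-pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}
# Apply the manifest, mint a short-lived token (kubectl create token needs 1.24+)
# and call the API as the ServiceAccount instead of system:anonymous. --cacert
# pins the cluster CA (kubeadm's default path); never swap it for -k/--insecure.
apply_and_probe() {
  rbac_manifest | kubectl apply -f -
  token=$(kubectl -n "$NAMESPACE" create token jenkins-sa --duration=1h)
  curl --cacert /etc/kubernetes/pki/ca.crt -H "Authorization: Bearer $token" \
    "$API_SERVER/api/v1/namespaces/$NAMESPACE/pods"
}
# Only touch the cluster when asked, so the file can be sourced or checked offline.
if [ "${RUN_RBAC_DEMO:-0}" = "1" ]; then apply_and_probe; fi
```

Run with RUN_RBAC_DEMO=1 against a cluster where you have admin rights; the same token is what the plugin should be configured with in step 3.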