I just set up a Kubernetes cluster based on this link: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#multi-platform I checked with kubectl get nodes, and the master node is Ready, but when I access the link https://k8s-master-ip:6443/ it shows the error: User "system:anonymous" cannot get path "/". What is the trick I am missing?
To use kubectl proxy, specify the desired port and hostname or IP address: kubectl proxy --port=8080 --address=192.168.0.1. This will start a proxy server on port 8080 that will forward requests to the Kubernetes API server at 192.168.0.1.
To obtain the token, you need to create a service account (ServiceAccount) and associate it with the cluster role. Each created service account will have a token stored in the Kubernetes Secret API. The updated kubeconfig will be located in the $HOME/.kube/config home directory.
Accessing for the first time with kubectl
When accessing the Kubernetes API for the first time, use the Kubernetes command-line tool, kubectl. To access a cluster, you need to know the location of the cluster and have credentials to access it.
Hope you see something like this:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
This is good, as not everyone should be able to access the cluster. If you want to see the services, run "kubectl proxy"; this should enable access to the services from the outside world.
C:\dev1> kubectl proxy
Starting to serve on 127.0.0.1:8001
And when you hit 127.0.0.1:8001 you should see the list of services.
The latest Kubernetes deployment tools enable RBAC on the cluster. Jenkins is relegated to the catch-all user system:anonymous when it accesses https://192.168.70.94:6443/api/v1/.... This user has almost no privileges on kube-apiserver.
The bottom line is, Jenkins needs to authenticate with kube-apiserver - either with a bearer token or a client cert that's signed by the k8s cluster's CA key.
Method 1. This is preferred if Jenkins is hosted in the k8s cluster:
https://192.168.70.94:6443/api/v1/...
Method 2. If Jenkins is hosted outside the k8s cluster, the steps above can still be used. The alternative is to:
https://192.168.70.94:6443/api/v1/...
Both methods work in any situation. I believe Method 1 will be simpler for you because you don't have to mess around with the CA key.
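The following Python code is an added example, not part of either answer: it attaches a service account bearer token to a kube-apiserver request, verifies the server against the cluster CA, and tells the "no credential sent" 403 shown above apart from an RBAC denial of an authenticated identity. The service account name "jenkins", the token value and the second sample response are constructed assumptions; the mount path is the default in-cluster service account location.

```python
import json
import re
import ssl
import urllib.request

# Default in-cluster service account mount (applies when the client runs in a pod).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

def build_request(api_url, token):
    """Attach the service account token as a bearer credential."""
    req = urllib.request.Request(api_url)
    req.add_header("Authorization", "Bearer " + token.strip())
    return req

def tls_context(ca_file=SA_DIR + "/ca.crt"):
    """Verify kube-apiserver against the cluster CA instead of disabling TLS checks."""
    return ssl.create_default_context(cafile=ca_file)

def diagnose(status_body):
    """Classify a kube-apiserver Status object returned on a failed request."""
    status = json.loads(status_body)
    code = status.get("code")
    match = re.search(r'User "([^"]+)"', status.get("message", ""))
    user = match.group(1) if match else None
    if code == 401:
        return "credential rejected: token or client certificate is invalid or expired"
    if code == 403 and user == "system:anonymous":
        return "no credential sent: add a bearer token or client certificate"
    if code == 403:
        return "authenticated as %s but RBAC denies the request: bind a role" % user
    return "not an authn/authz failure (code %s)" % code

# Constructed sample: the anonymous response quoted in the first answer.
ANONYMOUS = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'forbidden: User "system:anonymous" cannot get path "/"',
    "reason": "Forbidden", "code": 403})
# Constructed sample: hypothetical service account "jenkins" with no role binding.
NO_ROLE = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'pods is forbidden: User "system:serviceaccount:default:jenkins" '
               'cannot list resource "pods" in API group "" in the namespace "default"',
    "reason": "Forbidden", "code": 403})

if __name__ == "__main__":
    print(diagnose(ANONYMOUS))
    print(diagnose(NO_ROLE))
    req = build_request("https://192.168.70.94:6443/api/v1/namespaces", "constructed-token")
    print(req.get_header("Authorization"))
    # In a pod: urllib.request.urlopen(req, context=tls_context())
```

A 403 that still names system:anonymous after this change means the Authorization header never reached kube-apiserver, for example because an intermediate proxy stripped it.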