 

what does Unknown user "client" mean?

When I run a simple command in my local shell with the gcloud SDK:

$ kubectl get pod

I get this error:

Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

The same command runs fine on GCP cloud shell, and the output of

$ gcloud auth list

is as expected:

Credentialed Accounts
ACTIVE ACCOUNT
* [email protected]

I also tried to create a clusterrolebinding, but got a similar error.

Yanwei Pan asked Mar 02 '18 19:03


2 Answers

This happens when you disable Legacy Authorisation in the cluster settings, because the client certificate that you are using is a legacy authentication method. So it looks like what is happening is the client authentication succeeds but the authorisation fails, as expected. ("Unknown user" in the error message, confusingly, seems to mean the user is unknown to the authorisation system, not to the authentication system.)

You can either disable the use of the client certificate with

gcloud config unset container/use_client_certificate

and then regenerate your kubectl config with

gcloud container clusters get-credentials my-cluster

Or you can simply re-enable Legacy Authorisation in the cluster settings in the Google Cloud Console, or using the command:

gcloud container clusters update [CLUSTER_NAME] --enable-legacy-authorization
Robin Green answered Nov 14 '22 17:11


I understand this issue has now been resolved, but I would like to add some information about why this issue can occur, as it may be useful to anyone who comes across a similar issue.

Kubernetes Engine users can authenticate to the Kubernetes API using Google OAuth2 access tokens, which means that when users create a new cluster, Kubernetes Engine configures kubectl to authenticate the user to the cluster.

It's also possible to authenticate to the cluster using legacy methods which include using the cluster certificate and/or username and passwords. This is defined in the gcloud config.

The configuration of gcloud in, for example, the Cloud Shell may be different from an installation of gcloud elsewhere, for example on a home workstation.

The error

Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

suggests that the gcloud config setting container/use_client_certificate is set to True, i.e. that gcloud is expecting a client cluster certificate to authenticate to the cluster (this is what the 'client' in the error message refers to).

As @Yanwei has discovered, unsetting container/use_client_certificate by issuing the following command in the gcloud config ends the need for a legacy certificate or credentials and prevents the error message:

gcloud config unset container/use_client_certificate

Issues such as this may be more likely if you are using an older version of gcloud on your home workstation or elsewhere.

There is some information on this here.

neilH answered Nov 14 '22 18:11
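Both answers come down to one check: is kubectl presenting the legacy client certificate written while container/use_client_certificate was True, or a token obtained through gcloud? The script below is an added example, not code from the question or from either answer. It reads a kubeconfig in the flat layout that gcloud container clusters get-credentials and kubectl config view produce, follows current-context to the user entry that kubectl will actually use, and reports which credential type that entry carries. The two sample kubeconfigs are constructed for the demo: the project, zone, cluster names and base64 blobs are placeholders, the auth-provider block is abbreviated, and cluster entries are omitted.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: report whether the
# kubeconfig context kubectl will use carries a legacy client certificate (the
# path behind User "client" above) or a token obtained through gcloud. Handles
# only the flat two-space layout gcloud writes; it is not a general YAML parser.

# Print the credential type of the current-context user:
#   client-certificate | auth-provider | exec | token | none
classify_kubeconfig() {
  awk '
    /^[^ -]/            { sect = "" }          # a top-level key ends any section
    /^current-context:/ { cur = $2 }
    /^contexts:/        { sect = "contexts" }
    /^users:/           { sect = "users" }
    # contexts: map context name -> user name (keys may appear in either order)
    sect == "contexts" && $1 == "-"     { cname = ""; cuser = ""; if ($2 == "name:") cname = $3 }
    sect == "contexts" && $1 == "user:" { cuser = $2 }
    sect == "contexts" && $1 == "name:" { cname = $2 }
    sect == "contexts" && cname != "" && cuser != "" { ctx_user[cname] = cuser }
    # users: remember which credential key each user entry carries
    sect == "users" && $1 == "-" && $2 == "name:"           { uname = $3 }
    sect == "users" && $1 ~ /^client-certificate(-data)?:$/ { method[uname] = "client-certificate" }
    sect == "users" && $1 == "auth-provider:"               { method[uname] = "auth-provider" }
    sect == "users" && $1 == "exec:"                        { method[uname] = "exec" }
    sect == "users" && $1 ~ /^token(File)?:$/               { method[uname] = "token" }
    END { u = ctx_user[cur]; m = (u in method) ? method[u] : "none"; print m }
  ' "$1"
}

# Print a verdict; return 1 when kubectl would present the legacy certificate
# (or nothing at all), 0 when it authenticates with a token.
diagnose_kubeconfig() {
  method=$(classify_kubeconfig "$1")
  case "$method" in
    client-certificate)
      echo "legacy client certificate: RBAC sees the certificate subject, not your Google account"
      echo "fix: gcloud config unset container/use_client_certificate && gcloud container clusters get-credentials <cluster>"
      return 1 ;;
    none)
      echo "no credentials for the current context"; return 1 ;;
    *)
      echo "$method: kubectl sends a token, so the API server identifies you from it"; return 0 ;;
  esac
}

# Constructed sample: what get-credentials wrote while use_client_certificate
# was True. Names and base64 blobs are placeholders, not real credentials.
sample_legacy_kubeconfig() {
  cat <<'EOF'
apiVersion: v1
contexts:
- context:
    cluster: gke_my-project_us-central1-a_my-cluster
    user: gke_my-project_us-central1-a_my-cluster
  name: gke_my-project_us-central1-a_my-cluster
current-context: gke_my-project_us-central1-a_my-cluster
users:
- name: gke_my-project_us-central1-a_my-cluster
  user:
    client-certificate-data: UExBQ0VIT0xERVItQ0VSVA==
    client-key-data: UExBQ0VIT0xERVItS0VZ
EOF
}

# Constructed sample after the fix (abbreviated auth-provider block), plus an
# unrelated minikube user that still uses a certificate: the current context
# decides, so this must classify as auth-provider.
sample_token_kubeconfig() {
  cat <<'EOF'
apiVersion: v1
contexts:
- context:
    cluster: gke_my-project_us-central1-a_my-cluster
    user: gke_my-project_us-central1-a_my-cluster
  name: gke_my-project_us-central1-a_my-cluster
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: gke_my-project_us-central1-a_my-cluster
users:
- name: gke_my-project_us-central1-a_my-cluster
  user:
    auth-provider:
      config:
        cmd-path: /usr/bin/gcloud
        token-key: '{.credential.access_token}'
      name: gcp
- name: minikube
  user:
    client-certificate: /home/me/.minikube/profiles/minikube/client.crt
    client-key: /home/me/.minikube/profiles/minikube/client.key
EOF
}

# Demo on the samples; point diagnose_kubeconfig at ~/.kube/config for real use.
tmp=$(mktemp -d)
sample_legacy_kubeconfig > "$tmp/legacy"
sample_token_kubeconfig > "$tmp/token"
for f in "$tmp/legacy" "$tmp/token"; do
  echo "== $f"; diagnose_kubeconfig "$f" || true
done
rm -rf "$tmp"
```

On a workstation, run diagnose_kubeconfig "${KUBECONFIG:-$HOME/.kube/config}" next to gcloud config get-value container/use_client_certificate: if the first reports a client certificate and the second prints True, you are on the path both answers describe, and the unset plus get-credentials sequence above replaces the certificate entry with a token-based one.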