How do I terminate a Kubernetes namespace? - kubernetes

I am trying to terminate the namespace argo in Kubernetes. In the past, I have successfully followed the directions found here: Kubernetes Namespaces stuck in Terminating status. This time, however, I am getting the following error message. What does it mean and how can I work around this?
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "namespaces \"argo\" is forbidden: User \"system:anonymous\" cannot update resource \"namespaces/finalize\" in API group \"\" in the namespace \"argo\"",
  "reason": "Forbidden",
  "details": {
    "name": "argo",
    "kind": "namespaces"
  },
  "code": 403
}

You need to use an authenticated user that has permissions for the subresource (or more often, for *).
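
The forbidden message already names the identity the API server saw, the verb, and the resource/subresource it refused. The following Python is an added example, not part of the original question or answer: it parses such a Status body, flags an unauthenticated request, and returns the RBAC rule fields that would cover it. The names `diagnose`, `FORBIDDEN` and `SAMPLE_403` are hypothetical, and the sample body is the one quoted above, trimmed.

```python
import json
import re

# Shape of the message the API server puts in a Status body on an RBAC denial.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

# The body quoted in the question, trimmed to the fields used here.
SAMPLE_403 = r'''{"kind": "Status", "apiVersion": "v1", "status": "Failure",
 "message": "namespaces \"argo\" is forbidden: User \"system:anonymous\" cannot update resource \"namespaces/finalize\" in API group \"\" in the namespace \"argo\"",
 "reason": "Forbidden", "code": 403}'''


def diagnose(status_body):
    """Parse a 403 Status body; report the identity seen and the rule needed."""
    status = json.loads(status_body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    m = FORBIDDEN.search(status.get("message", ""))
    if m is None:
        raise ValueError("not a 'cannot <verb> resource' denial")
    d = m.groupdict()
    # "namespaces/finalize" is resource "namespaces" plus subresource "finalize".
    resource, _, subresource = d["resource"].partition("/")
    return {
        "user": d["user"],
        # system:anonymous: the request reached the server unauthenticated.
        "authenticated": d["user"] != "system:anonymous",
        "namespace": d["namespace"],
        "resource": resource,
        "subresource": subresource or None,
        # Fields of an RBAC rule covering exactly this request; subresources
        # are written "resource/subresource" in the resources list.
        "rule": {"apiGroups": [d["group"]], "resources": [d["resource"]],
                 "verbs": [d["verb"]]},
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_403)
    if not result["authenticated"]:
        print("Request was anonymous: fix authentication before RBAC.")
    print(json.dumps(result["rule"], indent=2))
```

When `authenticated` is false, granting the rule to a real user only helps once the request actually carries that user's credentials.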

Related

Can't access Firebase storage console rules 403

I am having problems with Firebase; I just recently started learning it. I'm trying to set up my rules for Firebase storage, but it won't stop loading and I get error message 403 from the console. The full error message in JSON is:
{
  "error": {
    "code": 403,
    "message": "Requests from referer \u003cempty\u003e are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "#type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "firebaserules.googleapis.com",
          "consumer": "projects/300182265570"
        }
      }
    ]
  }
}
I've tried to google for answers but I'm not any wiser on what to do.
Side note: I also get some error message when I try to upload files to my storage from my app about "Bucket not being properly set up".
But I can't even access the rules on firebase.console for storage.
Cheers!

kubernetes authentication issue on httpd pod

Keep getting this when trying to go to the web of a httpd pod. What permissions am I missing?
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods \"pod-httpd\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "pod-httpd",
    "kind": "pods"
  },
  "code": 403
}
The error is clear: User "system:anonymous" means k8s is recognising you as an anonymous user, and that is why it is giving the forbidden reason for accessing the desired resources.
So, when you do curl https://<ip>:<port>/<endpoint> you are using TLS for the communication. In this type of communication you need to provide your CA (certificate authority, who signed your certificate) certificate, and your certificate and key, to curl like below, because in TLS both server and client need to be verified.
curl https://<ip>:<port>/<endpoint> --key <your_key> --cert <your_cert> --cacert <ca_cert>
N.B.: here "you" means the client.

Kubernetes API testing with CURL getting system:anonymous issue

I was trying to run curl -v -L --cacert cert.crt --key cert.key -k --request GET "https://*my-k8s-server-ip:port*/api/v1/namespaces/testing/services", it is showing me the following error:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:anonymous\" cannot list resource \"services\" in API group \"\" in the namespace \"testing\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403
}
* Connection #0 to host *my-k8s-server-ip* left intact
but when I tried with Postman providing the cert and key, it works perfectly fine.
Please help.
The Kubernetes API server could not recognize the user in this case, which makes it default to the system:anonymous user.
You need to provide a client certificate using the --cert parameter, which should have the user in CNAME (subject: CN).
curl -v -L --cacert cert.crt --key cert.key --cert client.crt -k --request GET "https://*my-k8s-server-ip:port*/api/v1/namespaces/testing/services"
As an alternative you can use the token from a service account as BEARER token as documented here

Retrieve custom `custom.metrics.k8s.io` value using curl

I can list all the custom.metrics available, but I don't know how to query an individual value. For example I have tried:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/ | jq .
{
  "kind": "APIResourceList",
  "apiVersion": "v1",
  "groupVersion": "custom.metrics.k8s.io/v1beta1",
  "resources": [
    {
      "name": "deployments.apps/aws_sqs_approximate_number_of_messages_visible_average",
      "singularName": "",
      "namespaced": false,
      "kind": "MetricValueList",
      "verbs": [
        "get"
      ]
    }
  ]
}
But if I try this:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/deployments.apps/aws_sqs_approximate_number_of_messages_visible_average | jq .
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "the server could not find the requested resource",
  "reason": "NotFound",
  "details": {},
  "code": 404
}
I get a 404. I've seen this issue which shows how to get a namespaced metric, but mine does not have a namespace? Is there a definition for how to use this API?
Just like Resource Metrics, Custom Metrics are bound to Kubernetes objects too.
What you're missing in your URL is the resource you want the metric to relate to.
For example the Pod the custom metric is related to, but the same is true for Deployments.
Try to adjust this url to your needs:
kubectl get --raw \
'/apis/custom.metrics.k8s.io/v1beta1/namespaces/default/pod/podinfo-67c9fd95d-fqk4g/http_requests_per_second' \
| jq .
Here are the slides for the talk we gave at FOSDEM 2019 on the Prometheus Adapter: https://speakerdeck.com/metalmatze/kubernetes-metrics-api?slide=26
I'll update this answer, once the video is available too.
Since I'm using DirectXMan12/k8s-prometheus-adapter there are a few things to know:
I think it can only work with namespaced metrics.
If a query does not return a metric for a particular time period in Prometheus, k8s-prometheus-adapter will report it as non-existent.
This is my actual problem.
Using the custom metrics API is very simple:
kubectl proxy to open a proxy to your kubernetes API
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/ to list all custom metrics available.
For example you may see:
{
  "name": "deployments.extensions/kube_deployment_status_replicas_available",
  "singularName": "",
  "namespaced": true,
  "kind": "MetricValueList",
  "verbs": [
    "get"
  ]
}
We know it is namespaced from namespaced: true and beneath the namespace we can select via deployment from the name field.
So we would build our query like so:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/namespace/$NAMESPACE/deployments.extensions/$DEPLOYMENT/kube_deployment_status_replicas_available
At least I think that's how it should work, although if you do the same query without deployments.extensions section it will show the value for the namespace:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/namespace/$NAMESPACE/kube_deployment_status_replicas_available
Perhaps this is due to how the query executes in Prometheus.

GCE and Kubernetes permissions

I'm trying to set up via script a Kubernetes cluster on GCE, which always worked in the past, but I created a new project on GCE and I suddenly get all these permissions errors:
Example:
Error from server (Forbidden): serviceaccounts is forbidden: User "client" cannot list serviceaccounts in the namespace "default": Unknown user "client"
Also when I kubectl proxy and open http://localhost:8001/ I get:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"client\" cannot get path \"/\": Unknown user \"client\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
Could somebody hint me please into the right direction? Thx!
Duplicate of what does Unknown user "client" mean?:
Found out there is some issue with gcloud config. This command solved it:
gcloud config unset container/use_client_certificate