keep getting this when trying to go to the web of a httpd pod, what permissions am i missing.
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods \"pod-httpd\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "pod-httpd",
"kind": "pods"
},
"code": 403
}
The error is clear User "system:anonymous" means k8s recognising you as anonymous user and that is why it is giving forbidden reason for accessing the desired resources.
So, when you do curl https://<ip>:<port>/<endpoint> you are using TLS for the communication. In this type of communication you need to provide your CA (certificate authority, who signed your certificate) certificate, and your certificate and key to the curl like below, because in TLS server-client need to be verified.
curl https://<ip>:<port>/<endpoint> --key <your_key> --cert <your_cert> --cacert <ca_cert>
N.B: here you means the client
Related
I am trying to terminate the namespace argo in Kubernetes. In the past, I have succesfully followed the directions found here Kubernetes Namespaces stuck in Terminating status
this time, however, I am getting the following error message. What does it mean and how can I work around this?
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "namespaces \"argo\" is forbidden: User \"system:anonymous\" cannot update resource \"namespaces/finalize\" in API group \"\" in the namespace \"argo\"",
"reason": "Forbidden",
"details": {
"name": "argo",
"kind": "namespaces"
},
"code": 403
}
You need to use an authenticated user that has permissions for the subresource (or more often, for *).
I want to secure .net core api with wso2 api manager ,for that i have enabled swagger on the api and able to get post response . I have created Api with swagger defination
http://localhost:5000/swagger/v1/swagger.json
and given endpoint http://localhost:5000/api/BigData which will get response in swagger ui
now i am trying to test with api working with token for that wso2api showing error
curl request from wso2-am
curl reuqest semding from wso2-am ```curl -X 'POST' \
'http://localhost:8280/api/v1/api/BigData' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Internal-Key: eyJraWQiOiJnYXRld2F5X2NlcnRpZmljYXRlX2FsaWFzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJrZXl0eXBlIjoiUFJPRFVDVElPTiIsInN1YnNjcmliZWRBUElzIjpbeyJzdWJzY3JpYmVyVGVuYW50RG9tYWluIjpudWxsLCJuYW1lIjoiQmlnRGF0YUFQSSIsImNvbnRleHQiOiJcL2FwaVwvdjEiLCJwdWJsaXNoZXIiOiJhZG1pbiIsInZlcnNpb24iOiJ2MSIsInN1YnNjcmlwdGlvblRpZXIiOm51bGx9XSwiZXhwIjoxNjI0OTIyMzg3LCJ0b2tlbl90eXBlIjoiSW50ZXJuYWxLZXkiLCJpYXQiOjE2MjQ4NjIzODcsImp0aSI6ImZiYjQ2OGQ0LWUyOTItNGEyZC1hZmEzLTdhNzFlODUxNTlhNCJ9.Xkz9jigCPs3I65kI40rigE6L8mA-w4kks3n7Cabahg1dMVEo8AVs64PXuKBshucuT_vk5ms-7wFiIiI0pdXrL1ymOlEacBtW2r1F-WvV7o9SVw6lpF4EQNsIFi96Exe5Gg0k2wSaG1iErJ2P8boOQGI66fudGfjC-Gt1RJxfE-ZwQ_aS7fNur4G7HFAbBOdSq3yNDWjsMiv9k4IBlQ-IkJj88zSM6eXnHbtiAJKB84bAkFX7PDxXzjdItGkTKBx2oW11SO27xvqlrlJCHh6dcvEKb1_XZIjyrrvQjTGTX0cTgUlL0HQFOL9RwavrDwXh_fsP51zhGbbLozuUbhUKWg' \
-d '{
"messageID": "string",
"tenantName": "string",
"tenantID": "string",
"entityID": "string",
"entityType": "string",
"dataType": "string",
"messageKind": "string",
"routing": "string",
"payload": "string",
"type": "string",
"clientID": "string",
"userID": "string",
"isAdmin": true,
"fabric": "string",
"capabilityId": "string",
"sourceSystem": "string",
"applicationName": "string"
}'```
when i check the endpoint again its showing method not allowed
As with the shared information, I believe that you have configured an API resource as /api/BigData. If that is the case, update the Production and Sandbox endpoints as http://localhost:5000 and not with the complete URL of the actual endpoint to overcome the 404 errors.
The API Manager uses and appends the API Resources that are defined at the end of the Production/Sandbox endpoints. So, when you are configuring an API and exposing that, you have to be sure of choosing the correct endpoints.
For example:
If you have an actual Backend server with the following endpoint https://backendserver/api/v1/get and https://backendserver/api/v1/post then you have to configure an API in the API Manager as following
Create an API with the following two resources
/get
/post
Configure the Production / Sandbox endpoints as https://backendserver/api/v1
Then, if you invoke the API with the API Manager endpoint (https://apimanager:8243/your-api/v1/get), the /get resource will get appended to the configured endpoint and the request will be served as https://backendserver/api/v1/get.
Hope this explains and gives you a brief understanding of the URL mappings in API Manager.
I was trying to run curl -v -L --cacert cert.crt --key cert.key -k --request GET "https://*my-k8s-server-ip:port*/api/v1/namespaces/testing/services", it is showing me the following error:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services is forbidden: User \"system:anonymous\" cannot list resource \"services\" in API group \"\" in the namespace \"testing\"",
"reason": "Forbidden",
"details": {
"kind": "services"
},
"code": 403
}* Connection #0 to host *my-k8s-server-ip* left intact
but when I tried with Postman providing the cert and key, it works perfectly fine.
Please help.
Kubernetes API Server could not recognize the user in this case which makes it default to system:anonymous user.
You need to provide a client certificate using --cert parameter which should have the user in CNAME(subject: CN)
curl -v -L --cacert cert.crt --key cert.key --cert client.crt -k --request GET "https://*my-k8s-server-ip:port*/api/v1/namespaces/testing/services"
As an alternative you can use the token from a service account as BEARER token as documented here
I can list all the custom.metrics available, but I don't know how to query an individual value. For example I have tried:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/ | jq .
{
"kind": "APIResourceList",
"apiVersion": "v1",
"groupVersion": "custom.metrics.k8s.io/v1beta1",
"resources": [
{
"name": "deployments.apps/aws_sqs_approximate_number_of_messages_visible_average",
"singularName": "",
"namespaced": false,
"kind": "MetricValueList",
"verbs": [
"get"
]
}
]
}
But if I try this:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/deployments.apps/aws_sqs_approximate_number_of_messages_visible_average | jq .
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "the server could not find the requested resource",
"reason": "NotFound",
"details": {
},
"code": 404
}
I get a 404. I've seen this issue which shows how to get a namespaced metric, but mine does not have a namespace? Is there a definition for how to use this API?
Just like Resource Metrics, Custom Metrics are bound to Kubernetes objects too.
What you're missing in your URL is the resource you want the metric to relate to.
For example the Pod the custom metric is related to, but the same is true for Deployments.
Try to adjust this url to your needs:
kubectl get --raw \
'/apis/custom.metrics.k8s.io/v1beta1/namespaces/default/pod/podinfo-67c9fd95d-fqk4g/http_requests_per_second' \
| jq .
Here are the slides for the talk we gave at FOSDEM 2019 on the Prometheus Adapter: https://speakerdeck.com/metalmatze/kubernetes-metrics-api?slide=26
I'll update this answer, once the video is available too.
Since I'm using DirectXMan12/k8s-prometheus-adapter there are a few things to know:
I think it can only work with namespaced metrics.
If a query does not return a metric for a particular time period in prometheus k8s-prometheus-adapter will report it as non-existent.
This is my actual problem.
Using the custom metrics API is very simple:
kubectl proxy to open a proxy to your kubernetes API
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/ to list all custom metrics available.
For example you may see:
{
"name": "deployments.extensions/kube_deployment_status_replicas_available",
"singularName": "",
"namespaced": true,
"kind": "MetricValueList",
"verbs": [
"get"
]
}
We know it is namespaced from namespaced: true and beneath the namespace we can select via deployment from the name field.
So we would build our query like so:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/namespace/$NAMESPACE/deployments.extensions/$DEPLOYMENT/kube_deployment_status_replicas_available
At least I think that's how it should work, although if you do the same query without deployments.extensions section it will show the value for the namespace:
curl http://localhost:8001/apis/custom.metrics.k8s.io/v1beta1/namespace/$NAMESPACE/kube_deployment_status_replicas_available
Perhaps this is due to how the query executes in prometheus.
I'm trying to setup via script a kubernetes cluster on GCE, which always worked for the past, but I created a new project on GCE and I suddenly get all these permissions errors:
Example:
Error from server (Forbidden): serviceaccounts is forbidden: User "client" cannot list serviceaccounts in the namespace "default": Unknown user "client"
Also when I kubectl proxy and open http://localhost:8001/ I get:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"client\" cannot get path \"/\": Unknown user \"client\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
Could somebody hint me please into the right direction? Thx!
Duplicate of what does Unknown user "client" mean?:
Found out there is some issue with gcloud config. This command solved it:
gcloud config unset container/use_client_certificate