Kubernetes API testing with CURL getting system:anonymous issue - kubernetes

I was trying to run curl -v -L --cacert cert.crt --key cert.key -k --request GET "https://*my-k8s-server-ip:port*/api/v1/namespaces/testing/services", it is showing me the following error:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services is forbidden: User \"system:anonymous\" cannot list resource \"services\" in API group \"\" in the namespace \"testing\"",
"reason": "Forbidden",
"details": {
"kind": "services"
},
"code": 403
}* Connection #0 to host *my-k8s-server-ip* left intact
but when I tried with Postman providing the cert and key, it works perfectly fine.
Please help.

Kubernetes API Server could not recognize the user in this case which makes it default to system:anonymous user.
You need to provide a client certificate using --cert parameter which should have the user in CNAME(subject: CN)
curl -v -L --cacert cert.crt --key cert.key --cert client.crt -k --request GET "https://*my-k8s-server-ip:port*/api/v1/namespaces/testing/services"
As an alternative you can use the token from a service account as BEARER token as documented here

Related

GCP - How can I create an HL7v2 store configured with a Pub/Sub topic using curl?

In order to transmit HL7v2 messages over TCP/IP connections using the minimal lower layer protocol (MLLP) I'm following this guide. When I get to the part where I create an HL7v2 store configured with a Pub/Sub topic (here) I get an error.
This is what I typed in my terminal:
curl -X POST \
--data "{
'notificationConfigs': [
{
'pubsubTopic': 'projects/PROJECT_ID/topics/PUBSUB_TOPIC',
'filter': ''
}
]
}" \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores?hl7V2StoreId=HL7V2_STORE_ID"
This is the error I get:
{
"error": {
"code": 403,
"message": "Permission healthcare.hl7V2Stores.create denied on resource projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID (or it may be malformed or not exist)",
"status": "PERMISSION_DENIED"
}
}
The Dataset projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID exists, I double checked it.
So, is this somehow related to my permissions (IAM policy) ? I don't understand because I am Administer HL7v2 Stores.
How can I create my Datastore without getting this error ?
I found out that the command gcloud auth application-default print-access-token was not returning the correct token but gcloud auth print-access-token is.
So with the right auth token, the command works and I get the correct response:
{
"name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores/HL7V2_STORE_ID",
"notificationConfigs": [
{
"pubsubTopic": "projects/PROJECT_ID/topics/PUBSUB_TOPIC"
}
]
}

wso2api manager 4.0 with Post Request Error: Not Found

I want to secure .net core api with wso2 api manager ,for that i have enabled swagger on the api and able to get post response . I have created Api with swagger defination
http://localhost:5000/swagger/v1/swagger.json
and given endpoint http://localhost:5000/api/BigData which will get response in swagger ui
now i am trying to test with api working with token for that wso2api showing error
curl request from wso2-am
curl reuqest semding from wso2-am ```curl -X 'POST' \
'http://localhost:8280/api/v1/api/BigData' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Internal-Key: eyJraWQiOiJnYXRld2F5X2NlcnRpZmljYXRlX2FsaWFzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJrZXl0eXBlIjoiUFJPRFVDVElPTiIsInN1YnNjcmliZWRBUElzIjpbeyJzdWJzY3JpYmVyVGVuYW50RG9tYWluIjpudWxsLCJuYW1lIjoiQmlnRGF0YUFQSSIsImNvbnRleHQiOiJcL2FwaVwvdjEiLCJwdWJsaXNoZXIiOiJhZG1pbiIsInZlcnNpb24iOiJ2MSIsInN1YnNjcmlwdGlvblRpZXIiOm51bGx9XSwiZXhwIjoxNjI0OTIyMzg3LCJ0b2tlbl90eXBlIjoiSW50ZXJuYWxLZXkiLCJpYXQiOjE2MjQ4NjIzODcsImp0aSI6ImZiYjQ2OGQ0LWUyOTItNGEyZC1hZmEzLTdhNzFlODUxNTlhNCJ9.Xkz9jigCPs3I65kI40rigE6L8mA-w4kks3n7Cabahg1dMVEo8AVs64PXuKBshucuT_vk5ms-7wFiIiI0pdXrL1ymOlEacBtW2r1F-WvV7o9SVw6lpF4EQNsIFi96Exe5Gg0k2wSaG1iErJ2P8boOQGI66fudGfjC-Gt1RJxfE-ZwQ_aS7fNur4G7HFAbBOdSq3yNDWjsMiv9k4IBlQ-IkJj88zSM6eXnHbtiAJKB84bAkFX7PDxXzjdItGkTKBx2oW11SO27xvqlrlJCHh6dcvEKb1_XZIjyrrvQjTGTX0cTgUlL0HQFOL9RwavrDwXh_fsP51zhGbbLozuUbhUKWg' \
-d '{
"messageID": "string",
"tenantName": "string",
"tenantID": "string",
"entityID": "string",
"entityType": "string",
"dataType": "string",
"messageKind": "string",
"routing": "string",
"payload": "string",
"type": "string",
"clientID": "string",
"userID": "string",
"isAdmin": true,
"fabric": "string",
"capabilityId": "string",
"sourceSystem": "string",
"applicationName": "string"
}'```
when i check the endpoint again its showing method not allowed
As with the shared information, I believe that you have configured an API resource as /api/BigData. If that is the case, update the Production and Sandbox endpoints as http://localhost:5000 and not with the complete URL of the actual endpoint to overcome the 404 errors.
The API Manager uses and appends the API Resources that are defined at the end of the Production/Sandbox endpoints. So, when you are configuring an API and exposing that, you have to be sure of choosing the correct endpoints.
For example:
If you have an actual Backend server with the following endpoint https://backendserver/api/v1/get and https://backendserver/api/v1/post then you have to configure an API in the API Manager as following
Create an API with the following two resources
/get
/post
Configure the Production / Sandbox endpoints as https://backendserver/api/v1
Then, if you invoke the API with the API Manager endpoint (https://apimanager:8243/your-api/v1/get), the /get resource will get appended to the configured endpoint and the request will be served as https://backendserver/api/v1/get.
Hope this explains and gives you a brief understanding of the URL mappings in API Manager.

kubernetes authentication issue on httpd pod

keep getting this when trying to go to the web of a httpd pod, what permissions am i missing.
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods \"pod-httpd\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "pod-httpd",
"kind": "pods"
},
"code": 403
}
The error is clear User "system:anonymous" means k8s recognising you as anonymous user and that is why it is giving forbidden reason for accessing the desired resources.
So, when you do curl https://<ip>:<port>/<endpoint> you are using TLS for the communication. In this type of communication you need to provide your CA (certificate authority, who signed your certificate) certificate, and your certificate and key to the curl like below, because in TLS server-client need to be verified.
curl https://<ip>:<port>/<endpoint> --key <your_key> --cert <your_cert> --cacert <ca_cert>
N.B: here you means the client

Create source representation instance

I followed the documentation to create an external replica of cloud SQL here. I have a MySQL instance with version 8.0 on Google cloud. I successfully created the external read replica. Now, I want to demote this replica to master. I need to create a source representation instance for that. I called the following API as mentioned in the documentation.
gcloud auth login
ACCESS_TOKEN="$(gcloud auth print-access-token)"
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header 'Content-Type: application/json' \
--data '{
"name": "[SOURCE_REPRESENTATION_NAME]",
"region": "[REGION]",
"databaseVersion": "[EXTERNAL_SERVER_MYSQL_VERSION]",
"onPremisesConfiguration": {
"hostPort": "[EXTERNAL_SERVER_IP]:[EXTERNAL_SERVER_PORT]"
}
}' \
-X POST \
https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances
The API works when I set databaseVersion to 5. But it fails when I try to set to version 8.
{
"error": {
"code": 400,
"message": "Missing parameter: DatabaseVersion.",
"errors": [
{
"message": "Missing parameter: DatabaseVersion.",
"domain": "global",
"reason": "required"
}
]
}
}
Is the MySQL version 8 not supported for representational server?
From documentation:
databaseVersion should be the MySQL version running on your source database server. The choices are MYSQL_5_5, MYSQL_5_6, MYSQL_5_7 or MYSQL_8_0.

What are the acceptable values for EXTERNAL_MASTER_DATABASE_VERSION?

I'm trying to configure a remote master using Google Cloud's SQL service. I'm following the doc seen here.
I'm at step #1 which wants me to run the following CLI commands after replacing the tokens:
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header 'Content-Type: application/json' \
--data '{"name": "[INTERNAL_MASTER_INSTANCE_NAME]",
"region": "[REGION_NAME]",
"databaseVersion": "[EXTERNAL_MASTER_DATABASE_VERSION]",
"onPremisesConfiguration": {"hostPort": "[IP_ADDRESS:PORT]"}}' \
-X POST \
https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances
I'm getting the following error due to the database version I've passed:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "invalid",
"message": "Invalid value for: 5.6 is not a valid value"
}
],
"code": 400,
"message": "Invalid value for: 5.6 is not a valid value"
}
}
I am running MySQL 5.6.33 as my master. I've tried 5.6, 5.6.33, 5, and I've even tried 1 thinking maybe the attribute ID is misleading and they really want to know which version of the SQL service I would like to use (Gen 1 or Gen 2 - remote masters are only supported in Gen 1).
My question is what are the accepted values for EXTERNAL_MASTER_DATABASE_VERSION? I can't seem to find anything in the docs.
You can find the possible values in the API reference [1]:
MYSQL_5_5
MYSQL_5_6
MYSQL_5_7
[1] https://cloud.google.com/sql/docs/admin-api/v1beta4/instances/insert#request-body