I created a cluster with kubeadm (well it's just a single node / master for now) however I seem to be having issues with authenticating as the admin user.
KUBECONFIG=/etc/kubernetes/kubelet.conf kubectl get sa
No resources found.
Error from server (Forbidden): serviceaccounts is forbidden: User "system:node:osboxes" cannot list serviceaccounts in the namespace "default": disabled by feature gate TokenRequest
I'm assuming that is the admin user? If not, where can I find it / authenticate with it?
Found it: export KUBECONFIG=/etc/kubernetes/admin.conf
Related
I deployed a Dashboard with: https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
I could create an user that can access the resources, but I have to log in with a token, I used: https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html
Then I wanted to log in without authentication, so I used: kubectl patch deployment kubernetes-dashboard -n kubernetes-dashboard --type ‘json’ -p ‘[{“op”: “add”, “path”: “/spec/template/spec/containers/0/args/-”, “value”: “–enable-skip-login”}]’
Then I can log-in skipping the authentication but the default user (or Service Account?) can’t see any resource (nodes, pods, services…)
Can you help me give permissions to the default user?
Thanks.
I expect all rescources to be shown on the Dashboard.
I have an operator whose code is not accessible
By default, the operator requires the rights to list all secrets with no "resource Names" restriction
I can't grant such rights. Is there anyway to keep the rights to list all secrets and prohibit list multiple secrets by name
I tried to give rights to the list with resourceNames, but the operator does not accept this behavior and writes an error on startup
failed to list v1.Secret: secrets is forbidden: User "system:serviceaccount:operator-*****" cannot list resource "secrets" in API group "" in the namespace "namespace-name"
failed to list v1.Secret: secrets is forbidden: User "system:serviceaccount:operator-*****" cannot list resource "secrets" in API group "" in the namespace "namespace-name"
The above error states that the operator with a service account does not have permission to list the secrets, to resolve your issue create role binding for service account as it not given access by default after creation, for adding a viewer (read only) role to service account run the following command:
For example, grant read-only permission within "my-namespace" to the "my-sa" service account:
kubectl create rolebinding my-sa-view \
--clusterrole=view \
--serviceaccount=my-namespace:my-sa \
--namespace=my-namespace
Found a similar stack question for more information.
I am trying to create an end point for an API to be deployed into existing GKE cluster by following the instructions in Getting started with Cloud Endpoints for GKE with ESPv2
I clone the sample code in the repo and modified the content of openapi.yaml:
# [START swagger]
swagger: "2.0"
info:
description: "A simple Google Cloud Endpoints API example."
title: "Endpoints Example"
version: "1.0.0"
host: "my-api.endpoints.my-project.cloud.goog"
I then deployed it via the command:
endpoints/getting-started (master) $ gcloud endpoints services deploy openapi.yaml
Now I can see that it has been created:
$ gcloud endpoints services list
NAME TITLE
my-api.endpoints.my-project.cloud.goog
I also have postgreSQL service account:
$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
my-postgresql-service-account my-postgresql-service-acco#my-project.iam.gserviceaccount.com False
In the section Endpoint Service Configuration of documentation it says to add the role to the attached service account for the endpoint service as follows, but I get this error:
$ gcloud endpoints services add-iam-policy-binding my-api.endpoints.my-project.cloud.goog
--member serviceAccount:my-postgresql-service-acco#my-project.iam.gserviceaccount.com
--role roles/servicemanagement.serviceController
ERROR: (gcloud.endpoints.services.add-iam-policy-binding) User [myusername#mycompany.com] does not have permission to access services instance [my-api.endpoints.my-project.cloud.goog:getIamPolicy] (or it may not exist): No access to resource: services/my-api.my-project.cloud.goog
The previous lines show the service exits, I guess? Now I am not sure how to resolve this? What permissions do I need? who can give me permission and what permissions he should have? how can I check? Is there any other solution?
The issue got resolved after I was assigned the role of "Project_Admin". It was not ideal as it was giving too much permission to me. The role "roles/endpoints.portalAdmin" was also tried but did not help.
I just started using OpenShift and have permissions problems. I am on the free trial for OpenShift 4.3.3 and cannot get my containers to run as root. I am the only user on my instance and I have admin, but it says I need cluster-admin to run the containers as root?
I tried running:
oc policy add-role-to-group cluster-admin anyuid
and that returned:
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "cluster-admin" is forbidden: user "hustlin" (groups=["system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["*"], Resources:["*"], Verbs:["*"]}
{NonResourceURLs:["*"], Verbs:["*"]}
Going through OpenShift Online -> Administrator view -> User Management -> Roles -> cluster-admin -> Role Bindings, it states:
Restricted Access
You don't have access to this section due to cluster policy.
Error details
rolebindings.rbac.authorization.k8s.io is forbidden: User "hustlin" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
I feel like it should not be this difficult for me to run a container as root. Just testing out OpenShift and I haven't been able to successfully run a single container on the platform, they all eventually go to CrashLoopBackOff.
Yes, I did try the:
oc login -u system:admin
command and it prompted me for my password before returning:
error: username system:admin is invalid for basic auth
I even tried following this guide from the OpenShift blog, but it would not recognize oadm.
I have a gcp service account with kubernetes engine admin role, I get an error trying to create new cluster. Any ideas?
gcloud auth activate-service-account --key-file service_account.json
gcloud config set project my_proj_name
gcloud container clusters create dummy --num-nodes=3 -m n1-standard-8 --zone europe-west1-b
ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".
.
Issue solved after setting the service account role to the 'Editor' since kubernetes Engine Admin was not sufficient to create new cluster.
Seems your user does not have access to the service account or service account does not have the right role. You can check service account user role to your user and give Editor, compute admin and service account actor roles.