kubernetes: Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope even after granting permission

8/10/2017

Even after granting cluster roles to user, I get Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

I have the following set for the user:

- context:
    cluster: kubernetes
    user: user@gmail.com
  name: user@kubernetes

This is set in the ~/.kube/config file.

and the below added to admin.yaml to create cluster-role and cluster-rolebindings:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-binding
subjects:
  - kind: User
    name: nsp@gmail.com
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin-role

When I try the command I still get the error.

kubectl --username=user@gmail.com get nodes
Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

Can someone please suggest how to proceed?

-- NSP
kubeadm
kubernetes
openid-connect

2 Answers

8/11/2017

Your problem is not with your ClusterRoleBindings but rather with user authentication. Kubernetes tells you that it identified you as system:anonymous (which is similar to *NIX's nobody) and not nsp@example.com (to which you applied your binding).

In your specific case the reason for that is that the username flag uses HTTP Basic authentication and needs the password flag to actually do anything. But even if you did supply the password, you'd still need to actually tell the API server to accept that specific user.

Have a look at this part of the Kubernetes documentation which deals with different methods of authentication. For the username and password authentication to work, you'd want to look at the Static Password File section, but I would actually recommend you go with X509 Client Certs since they are more secure and are operationally much simpler (no secrets on the Server, no state to replicate between API servers).

-- Lorenz
Source: StackOverflow
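The diagnosis above (the API server sees system:anonymous because the client never sends a credential it can authenticate) can be checked against a kubeconfig mechanically. The following is an added example and not code from either answer; the embedded kubeconfig is constructed to mirror the question's setup, and the credential field names are the ones kubectl actually reads from a users[].user entry.

```python
import json

# Credential fields a kubeconfig users[].user entry may carry.
CREDENTIAL_KEYS = (
    "client-certificate", "client-certificate-data",  # X509 client cert
    "token", "tokenFile",                              # bearer token
    "username",                                        # HTTP basic auth (needs password too)
    "auth-provider", "exec",                           # OIDC / credential plugin
)

# Constructed kubeconfig mirroring the question: the context points at a user
# entry that exists but carries no credential. Written as JSON (which kubectl
# also accepts) so the example needs no YAML library.
SAMPLE_KUBECONFIG = json.loads("""{
  "apiVersion": "v1", "kind": "Config", "current-context": "user@kubernetes",
  "clusters": [{"name": "kubernetes", "cluster": {"server": "https://192.0.2.10:6443"}}],
  "contexts": [{"name": "user@kubernetes",
                "context": {"cluster": "kubernetes", "user": "user@gmail.com"}}],
  "users": [{"name": "user@gmail.com", "user": {}}]
}""")

def credential_kinds(user_entry):
    """Names of the credential types present in a users[].user entry."""
    return [k for k in CREDENTIAL_KEYS if k in user_entry]

def diagnose(kubeconfig):
    """Return (context name, user entry name, findings) for current-context.
    The entry *name* is a local label; the identity the API server sees comes
    from the credential (cert CN, basic-auth username), and RBAC must match that."""
    ctx_name = kubeconfig.get("current-context")
    ctx = next((c for c in kubeconfig.get("contexts", []) if c["name"] == ctx_name), None)
    if ctx is None:
        return ctx_name, None, ["current-context names no context entry"]
    user_name = ctx["context"].get("user")
    user = next((u for u in kubeconfig.get("users", []) if u["name"] == user_name), None)
    if user is None:
        return ctx_name, user_name, [f"no users[] entry named {user_name!r}; requests are anonymous"]
    entry = user.get("user") or {}
    kinds = credential_kinds(entry)
    findings = []
    if not kinds:
        findings.append("user entry has no credentials; API server sees system:anonymous")
    if "username" in entry and "password" not in entry:
        findings.append("username set without password; HTTP basic auth needs both")
    if not findings:
        findings.append("credentials present: " + ", ".join(kinds))
    return ctx_name, user_name, findings
```

Run `diagnose(SAMPLE_KUBECONFIG)` to see the question's case; pointing it at a parsed real kubeconfig shows which credential type (if any) the current context would send.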

3/6/2019

In my case I was receiving a nearly similar error due to RBAC.

Error

root@k8master:~# kubectl cluster-info dump --insecure-skip-tls-verify=true
Error from server (Forbidden): nodes is forbidden: User "system:anonymous" cannot list resource "nodes" in API group "" at the cluster scope

Solution: As a solution I have done the below things to reconfigure my user to access the cluster.

cd $HOME
sudo whoami
sudo cp /etc/kubernetes/admin.conf $HOME/
sudo chown $(id -u):$(id -g) $HOME/admin.conf
export KUBECONFIG=$HOME/admin.conf
echo "export KUBECONFIG=$HOME/admin.conf" | tee -a ~/.bashrc

After doing the above, when I take a cluster dump I get the result:

root@k8master:~# kubectl cluster-info
Kubernetes master is running at https://192.168.10.15:6443
KubeDNS is running at https://192.168.10.15:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
-- Mansur Ali
Source: StackOverflow