I am trying to add Kubernetes as a cloud to a Jenkins server with the appropriate Kubernetes URL and other details. When I add the details and test the connection, I get the following error:
Error connecting to https://192.168.X.XX:6443: Failure executing: GET at: https://192.168.X.XX:6443/api/v1/namespaces/default/pods. Message: User "system:anonymous" cannot list pods in the namespace "default".."
I tried to perform curl with the --insecure option, but the same error is logged:
Message: User "system:anonymous" cannot list pods in the namespace "default".."
I tried to add Jenkins and the user credentials to log in to Jenkins as clusteradminrole using the following kubectl command:
kubectl create rolebinding jenkins-admin-binding --clusterrole=admin --user=jenkins --namespace=default
But still the same error.
Is anything missing?
EDIT 1: Have tried to do the following as suggested
openssl genrsa -out jenkins.key 2048
openssl req -new -key jenkins.key -out jenkins.csr -subj "/CN=jenkins/O=admin_jenkins"
openssl x509 -req -in jenkins.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out jenkins.crt -days 500
kubectl config set-credentials jenkins --client-certificate=/root/pods/admin_jenkins/.certs/jenkins.crt --client-key=/root/pods/admin_jenkins/.certs/jenkins.key
kubectl config set-context jenkins-context --cluster=kubernetes --namespace=default --user=jenkins
kubectl create -f role.yaml   # Role file as described
kubectl create -f role-binding.yaml
Even after this,
kubectl --context=jenkins-context get deployments
gives the following error:
"Error from server (Forbidden): User "jenkins" cannot list deployments.extensions in the namespace "default". (get deployments.extensions)"
Update 2:
After following the above steps,
"kubectl --context=jenkins-context get deployments" was successful.
I did the whole exercise after doing a kubeadm reset and it worked.
But the problem still remains of integrating K8 with Jenkins when I am trying to add it as a cloud using its plugin.
Did you define the role admin? If not, define the admin role. You can refer to the document below.
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
Update 1: You can create a file role.yaml like this and create the role. Then run kubectl apply -f role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: admin
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
You need to pass the client certificate with this role to authenticate.
From your second question, you're trying to use this account to authenticate the Jenkins application user. I am not sure this method will work for you.
Update on 9/25/17
Username: admin
Group: jenkins
openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=jenkins"
#Run this as root user in master node
openssl x509 -req -in admin.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out admin.crt -days 500
mkdir .certs/
mv admin.* .certs/
kubectl config set-credentials admin --client-certificate=/home/jenkin/.certs/admin.crt --client-key=/home/jenkin/.certs/admin.key
kubectl config set-context admin-context --cluster=kubernetes --namespace=jenkins --user=admin
Save this in a file and create the role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: jenkins
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: jenkins
subjects:
- kind: User
  name: admin
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""
Run the get pods command
kubectl --context=admin-context get pods
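Added example, not part of the original question or answer and not Kubernetes code: a simplified Python model of how the API server turns a client certificate subject into a user (CN) and groups (O), then checks the deployment-manager Role and RoleBinding above. It shows why a request with no certificate is `system:anonymous` and why a binding in one namespace grants nothing in another. Function names are hypothetical, and only one Role/RoleBinding pair is modelled (no ClusterRoles).

```python
# Simplified model of a namespaced RBAC check (illustration only).
# ROLE and BINDING mirror the deployment-manager manifests in the answer.
ROLE = {
    "namespace": "jenkins", "name": "deployment-manager",
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}
BINDING = {
    "namespace": "jenkins", "roleRef": "deployment-manager",
    "subjects": [{"kind": "User", "name": "admin"}],
}

def identity_from_subject(subject):
    """Map an openssl -subj string to (user, groups): CN is the user, each O a group."""
    if not subject:  # no client certificate presented
        return "system:anonymous", ["system:unauthenticated"]
    pairs = [p.split("=", 1) for p in subject.strip("/").split("/")]
    user = next(v for k, v in pairs if k == "CN")
    return user, [v for k, v in pairs if k == "O"] + ["system:authenticated"]

def _match(granted, value):
    return "*" in granted or value in granted

def allowed(subject, verb, api_group, resource, namespace, role=ROLE, binding=BINDING):
    """True if the binding grants the request; RBAC is deny-by-default."""
    user, groups = identity_from_subject(subject)
    # A RoleBinding only grants access inside its own namespace.
    if namespace != binding["namespace"] or role["namespace"] != binding["namespace"]:
        return False
    if binding["roleRef"] != role["name"]:
        return False
    bound = any(
        (s["kind"] == "User" and s["name"] == user)
        or (s["kind"] == "Group" and s["name"] in groups)
        for s in binding["subjects"]
    )
    # apiGroups x resources x verbs: any combination listed in one rule matches.
    return bound and any(
        _match(r["apiGroups"], api_group) and _match(r["resources"], resource)
        and _match(r["verbs"], verb)
        for r in role["rules"]
    )

if __name__ == "__main__":
    for subj, ns in [("/CN=admin/O=jenkins", "jenkins"), ("/CN=admin/O=jenkins", "default"),
                     ("/CN=jenkins/O=admin_jenkins", "jenkins"), (None, "default")]:
        print(identity_from_subject(subj)[0], ns, allowed(subj, "list", "", "pods", ns))
```

On a real cluster the equivalent check is `kubectl auth can-i list pods --namespace=jenkins --as=admin`.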