K
Q

api request other than /api/v1 return 403 "Forbidden"

3/4/2018

Hi I installed a fresh kubernetes cluster on Ubuntu 16.04 using this tutorial:
https://blog.alexellis.io/kubernetes-in-10-minutes/

However as soon as I try to access my api (for example: https://[server-ip]:6443 /api/v1/namespaces) I get the following message

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "namespaces is forbidden: User \"system:bootstrap:a916af\" cannot list namespaces at the cluster scope",
    "reason": "Forbidden",
    "details": {
        "kind": "namespaces"
    },
    "code": 403
}

Does anyone know how to fix this or what I am doing wrong?

-- Bart de Lange
kubernetes

Similar Questions

Jenkins pipeline No signature of method: java.util.Collections$UnmodifiableMap.$()
Is there a way to mount docker socket from one to container to another?
Unable to access Kubernetes Dashboard via kubeconfig
client certificate needed when configuring kubectl

2 Answers

4/15/2019

You should bind service account system:serviceaccount:default:default (which is the default account bound to Pod) with role cluster-admin, just create a yaml (named like fabric8-rbac.yaml) with following contents:

I solve it by create

# NOTE: The service account `default:default` already exists in k8s cluster.
# You can create a new account following like this:
#---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
#  name: <new-account-name>
#  namespace: <namespace>

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: fabric8-rbac
subjects:
  - kind: ServiceAccount
    # Reference to upper's `metadata.name`
    name: default
    # Reference to upper's `metadata.namespace`
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f fabric8-rbac.yaml
-- yasin lachini
Source: StackOverflow
3/4/2018

While I haven't run through that tutorial, the service account with which you're making the request doesn't have access to cluster-level information, like listing namespaces. RBAC (Role-Based Access Control) binds users with either a Role or a ClusterRole, which grant them different permissions. My guess is that service account shouldn't ever need to know what other namespaces exist, therefore doesn't have access to list them.

In terms of "fixing" this, aside from creating a serviceaccount/user with correct permissions, that tutorial makes several references to a config file stored at $HOME/.kube/config, which stores the credentials for a user that should have access to cluster-level resources, including listing namespaces. You could start there.

-- Grant David Bachman
Source: StackOverflow