kubectl get cs prompt Error from server (Forbidden)

7/5/2018

When I run kubectl get cs on CentOS 7, I get the error message below.

No resources found.
Error from server (Forbidden): componentstatuses is forbidden: 
User "system:node:<server-name>" cannot list componentstatuses at the cluster scope

I can confirm the API server is running with kubectl cluster-info:

Kubernetes master is running at https://<server-IP>:6443
KubeDNS is running at https://<server-IP>:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Also, I have the below in ~/.bash_profile:

export http_proxy=http://<proxy-server-IP>:3128
export https_proxy=http://<proxy-server-IP>:3128
export no_proxy=$no_proxy,127.0.0.1,localhost,<server-IP>,<server-name>
export KUBECONFIG=/etc/kubernetes/kubelet.conf

Not only does kubectl get cs yield the error message, kubectl apply -f kubernetes-dashboard.yaml yields a similar error message:

Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "kubernetes-dashboard-certs", Namespace: "kube-system"
Object: &{map["kind":"Secret" "metadata":map["labels":map["k8s-app":"kubernetes-dashboard"] "name":"kubernetes-dashboard-certs" "namespace":"kube-system" "annotations":map["kubectl.kubernetes.io/last-applied-configuration":""]] "type":"Opaque" "apiVersion":"v1"]}
from server for: "https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml": 
secrets "kubernetes-dashboard-certs" is forbidden: 
User "system:node:<server-name>" cannot get secrets in the namespace "kube-system": 
no path found to object
-- Antelope
centos
kubernetes

3 Answers

7/5/2018

After reinstalling CentOS 7 and following the steps below, I am able to bring up the master properly.

  1. install docker-ce and add proxy
  2. install kubeadm,kubectl,kubelet
  3. disable firewalld and turn off swap
  4. export no_proxy in .bash_profile

    export no_proxy=$no_proxy,127.0.0.1,localhost,<master-server-name>,<master-server-ip>,10.96.0.0/12,10.244.0.0/16

  5. kubeadm init

    kubeadm init --apiserver-advertise-address=<master-server-ip> --pod-network-cidr=10.244.0.0/16
    mkdir -p $HOME/.kube
    \cp -f /etc/kubernetes/admin.conf $HOME/.kube/config
    chown $(id -u):$(id -g) $HOME/.kube/config

  6. test with kubectl get cs

    NAME                 STATUS    MESSAGE              ERROR
    scheduler            Healthy   ok
    controller-manager   Healthy   ok
    etcd-0               Healthy   {"health": "true"}

No need to manually install etcd nor export KUBECONFIG.

-- Antelope
Source: StackOverflow

7/6/2018

export KUBECONFIG=/etc/kubernetes/kubelet.conf

Is completely incorrect; you are, as the error message is cheerfully trying to inform you, attempting to perform cluster operations as a Node, not as one of the Users or ServiceAccounts. RBAC is almost explicitly designed to stop you from doing exactly what you are currently doing. You would never want a Node to be able to read sensitive credentials nor create arbitrary Pods at cluster scope.

If you want to be all cavalier about it, then ssh into a master Node and use the cluster-admin credentials usually found in /etc/kubernetes/admin.conf (or a similar file -- depending on how your cluster was provisioned). If you don't already have a cluster-admin credential, then create an X.509 certificate that is signed by a CA that the apiserver trusts with an Organization (O= in X.509 parlance) of cluster-admin and then create yourself a ServiceAccount (or whatever) with a ClusterRoleBinding of cluster-admin and go from there.

-- mdaniel
Source: StackOverflow
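
As an added illustration (not part of the answers above and not code from Kubernetes or kubeadm), these shell functions read the client certificate a kubeconfig points at and report the identity the API server will see, which is how kubelet.conf ends up as User "system:node:<server-name>". They assume openssl and base64 are installed; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: which identity does a kubeconfig's client certificate present?
# Constructed subject lines, in both openssl output styles:
#   subject=O = system:nodes, CN = system:node:worker-1   (kubelet.conf)
#   subject= /O=system:masters/CN=kubernetes-admin        (cluster-admin credential)

# Print the PEM client certificate referenced by a kubeconfig, whether it is
# embedded (client-certificate-data) or a file path (client-certificate).
kubeconfig_client_cert() {
  local cfg="$1" data path
  data=$(awk '$1 == "client-certificate-data:" {print $2; exit}' "$cfg")
  if [ -n "$data" ]; then
    printf '%s' "$data" | base64 -d
    return
  fi
  path=$(awk '$1 == "client-certificate:" {print $2; exit}' "$cfg")
  [ -n "$path" ] && cat "$path"
}

# Classify a subject line as printed by `openssl x509 -noout -subject`.
# With X.509 client auth the API server takes the user name from CN and the
# groups from O; RBAC decisions are made against those values.
classify_subject() {
  local subject="$1" cn
  cn=$(printf '%s\n' "$subject" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
  case "$cn" in
    system:node:*) echo "node" ;;          # kubelet identity, tightly restricted
    *) case "$subject" in
         *system:masters*) echo "admin" ;; # group bound to cluster-admin by default
         *) echo "user" ;;                 # rights depend on RBAC bindings
       esac ;;
  esac
}

# Report the identity behind a kubeconfig file.
whoami_kubeconfig() {
  local subject
  subject=$(kubeconfig_client_cert "$1" | openssl x509 -noout -subject) || return 1
  echo "$subject -> $(classify_subject "$subject")"
}

# Usage: ./whoami.sh /etc/kubernetes/kubelet.conf
if [ -n "${1:-}" ]; then
  whoami_kubeconfig "$1"
fi
```

A result of "node" for the file named in KUBECONFIG means kubectl is authenticating as the kubelet, so Forbidden responses for cluster-scoped reads and for Secrets are the expected RBAC outcome.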

12/11/2018

Try the below snippets

1) sudo su

2) kubectl get cs

-- RAVI
Source: StackOverflow