K
Q

kubectl get cs prompt Error from server (Forbidden)

7/5/2018

When run kubectl get cs on centos 7 I got below error message.

No resources found.
Error from server (Forbidden): componentstatuses is forbidden: 
User "system:node:<server-name>" cannot list componentstatuses at the cluster scope

I can confirm the api server is running kubectl cluster-info

Kubernetes master is running at https://<server-IP>:6443
KubeDNS is running at https://<server-IP>:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Also I have below in ~/.bash_profile

export http_proxy=http://<proxy-server-IP>:3128
export https_proxy=http://<proxy-server-IP>:3128
export no_proxy=$no_proxy,127.0.0.1,localhost,<server-IP>,<server-name>
export KUBECONFIG=/etc/kubernetes/kubelet.conf

Not only kubectl get cs yield the error message, kubectl apply -f kubernetes-dashboard.yaml yield similar error message

Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "kubernetes-dashboard-certs", Namespace: "kube-system"
Object: &{map["kind":"Secret" "metadata":map["labels":map["k8s-app":"kubernetes-dashboard"] "name":"kubernetes-dashboard-certs" "namespace":"kube-system" "annotations":map["kubectl.kubernetes.io/last-applied-configuration":""]] "type":"Opaque" "apiVersion":"v1"]}
from server for: "https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml": 
secrets "kubernetes-dashboard-certs" is forbidden: 
User "system:node:<server-name>" cannot get secrets in the namespace "kube-system": 
no path found to object
-- Antelope
centos
kubernetes

Similar Questions

chown: changing ownership of '/data/db': Operation not permitted
Bypassing login and passing env variables as url param in Jupyterhub kubernetes google cloud deployment
Connect to kubernetes engine from app engine
How to access the k8s services from AppEngine development server
What node field means in k8s volume.attachments?

3 Answers

7/5/2018

after reinstall centos 7 and follow below steps i am able to bring up the master properly

  1. install docker-ce and add proxy
  2. install kubeadm,kubectl,kubelet
  3. disable firewalld and turn off swap

  4. export no_proxy in .bash_profile

    export no_proxy=$no_proxy,127.0.0.1,localhost,<master-server-name>,<master-server-ip>,10.96.0.0/12,10.244.0.0/16

  5. kubeadm init

    kubeadm init --apiserver-advertise-address=<master-server-ip> --pod-network-cidr=10.244.0.0/16 mkdir -p $HOME/.kube \cp -f /etc/kubernetes/admin.conf $HOME/.kube/config chown $(id -u):$(id -g) $HOME/.kube/config

  6. test with kubectl get cs

    NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {"health": "true"}

No need to manually install etcd nor export KUBECONFIG.

-- Antelope
Source: StackOverflow
7/6/2018

export KUBECONFIG=/etc/kubernetes/kubelet.conf

Is completely incorrect; you are, as the error message is cheerfully trying to inform you, attempting to perform cluster operations as a Node, not as one of the Users or ServiceAccounts. RBAC is almost explicitly designed to stop you from doing exactly what you are currently doing. You would never want a Node to be able to read sensitive credentials nor create arbitrary Pods at cluster scope.

If you want to be all caviler about it, then ssh into a master Node and use the cluster-admin credentials usually found in /etc/kubernetes/admin.conf (or a similar file -- depending on how your cluster was provisioned). If you don't already have a cluster-admin credential, then create an X.509 certificate that is signed by a CA that the apiserver trusts with an Organization (O= in X.509 parlance) of cluster-admin and then create yourself a ServiceAccount (or whatever) with a ClusterRoleBinding of cluster-admin and go from there.

-- mdaniel
Source: StackOverflow
12/11/2018

Try the below snippets

1) sudo su

2) kubectl get cs

-- RAVI
Source: StackOverflow