TLS bootstrapping ,--token-auth-file, User "system:anonymous" cannot create certificatesigningrequests

8/21/2018

Why, when I set --token-auth-file on the api-server and --bootstrap-kubeconfig on the worker node, and specified the username "kubelet-bootstrap" on both the apiserver and the worker node, do I get an error saying User "system:anonymous"?

error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope

kubernetes version v1.8.3

Below is my configuration.

apiserver:

/usr/local/bin/kube-apiserver --etcd-servers=http://127.0.0.1:2379 \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota \
  --service-account-key-file=/srv/kubernetes/pubkey.pem \
  --service-cluster-ip-range=10.96.0.0/16 \
  --allow-privileged=true \
  --authorization-mode=RBAC \
  --enable-bootstrap-token-auth=true \
  --token-auth-file=/var/lib/kubernetes/bootstrap.csv \
  --client-ca-file=/var/lib/kubernetes/cacert.pem \
  --tls-cert-file=/var/lib/kubernetes/servercert.pem \
  --tls-private-key-file=/var/lib/kubernetes/serverkey.pem \
  --address=172.18.11.249 \
  --insecure-bind-address=127.0.0.1 \
  --advertise-address=172.18.11.249 \
  --audit-log-maxage=30 \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/log/kube-apiserver.log \
  --v=4 \
  1>>/var/log/kube-apiserver.log 2>&1

/var/lib/kubernetes/bootstrap.csv

0d681e2438667d2b5236ad7385d80ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

worker node:

/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubelet/bootstrap.kubeconfig.yaml \
                 --pod-manifest-path=/etc/kubernetes/manifests \
                 --node-labels=node-role.kubernetes.io/worker= \
                 --node-ip=172.18.10.16 \
                 --allow-privileged \
                 --v=4

/etc/kubelet/bootstrap.kubeconfig.yaml

apiVersion: v1
clusters:
  - cluster:
      server: https://172.18.11.249:6443/
    name: myk8s
contexts:
  - context:
      cluster: myk8s
    name: myk8s
current-context: myk8s
kind: Config
preferences: {}
users:
  - name: kubelet-bootstrap
    user:
      as-user-extra: {}
      token: 0d681e2438667d2b5236ad7385d80ddc

Log from the worker node:

I0821 08:49:50.916993 6232 bootstrap.go:57] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file

error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:anonymous" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope

Log from the apiserver:

I0821 08:05:05.726968 5 rbac.go:116] RBAC DENY: user "system:anonymous" groups ["system:unauthenticated"] cannot "create" resource "certificatesigningrequests.certificates.k8s.io" cluster-wide
I0821 08:05:05.727015 5 authorization.go:59] Forbidden: "/apis/certificates.k8s.io/v1beta1/certificatesigningrequests", Reason: ""

Thanks for the help.

-- jerry
kubernetes
kubernetes-security

2 Answers

8/22/2018

The token format in your bootstrap.kubeconfig.yaml looks different from the usual tokens that are generated by kubeadm.

According to the article Authenticating with Bootstrap Tokens:

Token Format

Bootstrap Tokens take the form of abcdef.0123456789abcdef. More formally, they must match the regular expression [a-z0-9]{6}\.[a-z0-9]{16}.

The first part of the token is the “Token ID” and is considered public information. It is used when referring to a token without leaking the secret part used for authentication. The second part is the “Token Secret” and should only be shared with trusted parties.

Consider reading the previous and this article to understand how the Bootstrap Token idea is implemented.

-- VAS
Source: StackOverflow
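As an added illustration of the point above (this is not code from the question or from either answer), the small Python checker below takes a token as it appears in a kubelet bootstrap kubeconfig and reports which apiserver authenticator could accept it: an entry in the static --token-auth-file CSV (token,user,uid,"groups"), or the bootstrap-token authenticator, whose tokens must match [a-z0-9]{6}\.[a-z0-9]{16} and are then looked up in a Secret in kube-system (a lookup this offline script cannot perform). The CSV line is the one from the question; the kubeadm-style token is a constructed sample. A token that matches neither path is what the apiserver ends up treating as system:anonymous, which is exactly the denial shown in the question's log.

```python
import csv
import io
import re

# Bootstrap tokens (--enable-bootstrap-token-auth) must have this shape:
# 6-character public token ID, a dot, 16-character secret.
BOOTSTRAP_TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")

# Static token file from the question (--token-auth-file), embedded verbatim.
STATIC_TOKEN_FILE = (
    '0d681e2438667d2b5236ad7385d80ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'
)

# Constructed sample in the kubeadm/bootstrap-token format (not from the page).
SAMPLE_BOOTSTRAP_TOKEN = "abcdef.0123456789abcdef"


def is_bootstrap_token(token):
    """True if the token has the bootstrap-token form the docs require."""
    return bool(BOOTSTRAP_TOKEN_RE.match(token))


def parse_static_token_file(text):
    """Parse a --token-auth-file into {token: {user, uid, groups}}.

    Format per line: token,user,uid[,"group1,group2,..."]; the group column
    is optional and comma-separated inside quotes.
    """
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError("token file row needs token,user,uid: %r" % (row,))
        token, user, uid = row[0].strip(), row[1].strip(), row[2].strip()
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        entries[token] = {"user": user, "uid": uid, "groups": groups}
    return entries


def classify_token(token, static_entries):
    """Return (authenticator, user, groups) the apiserver would derive.

    Static-file tokens are matched exactly. Bootstrap-format tokens would be
    authenticated as system:bootstrap:<token-id> in group system:bootstrappers,
    but only if a matching Secret exists in kube-system (not checked here).
    Anything else is unauthenticated, i.e. system:anonymous.
    """
    if token in static_entries:
        entry = static_entries[token]
        return ("static-token-file", entry["user"], entry["groups"])
    if is_bootstrap_token(token):
        token_id = token.split(".")[0]
        return ("bootstrap-token", "system:bootstrap:" + token_id, ["system:bootstrappers"])
    return ("none", "system:anonymous", ["system:unauthenticated"])


if __name__ == "__main__":
    entries = parse_static_token_file(STATIC_TOKEN_FILE)
    for tok in ("0d681e2438667d2b5236ad7385d80ddc", SAMPLE_BOOTSTRAP_TOKEN, "typo-token"):
        print(tok, "->", classify_token(tok, entries))
```

The question's 32-character hex token is a valid static-file token but does not match the bootstrap-token regex, so it is only accepted through --token-auth-file; a kubeadm-generated token goes the other way. Running the checker against both files before restarting the kubelet is a quick way to confirm that the token in the kubeconfig really corresponds to one of the two authenticators the apiserver has enabled.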

7/5/2019

I would say you don't have the clusterrolebindings for system:anonymous, as by default it is disabled to protect the cluster from DoS attacks.

There is a configMap in the kube-public namespace that should be used for TLS bootstrapping. If a node wants to join the cluster automatically, it needs some information. This is where this configMap comes in. But the node has to have the permissions to read the file.

-- suren
Source: StackOverflow