K
Q

Kubeconfig context returns "You must be logged in to the server (Unauthorized) error

6/7/2019

I am running kube on a cluster of nodes. When i set the context on the cluster I get an error that says "error: You must be logged in to the server (Unauthorized)" when i try to run kubectl get pods

If I unset the current-context the error goes away and i can view my pods and nodes. So my guess is it has something to do with my kubeconfig but I'm not sure where i got it wrong.

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/user/ssl/ca.pem
    server: https://<ip for my master node>
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: user
  name: kubeflow
current-context: kubeflow
kind: Config
preferences: {}
users:
- name: user
  user:
    client-certificate: /home/user/ssl/client-ca.pem
    client-key: /home/user/ssl/client-ca-key.pem

EDIT:

Kube version 1.14

user@kube01:~$ kubectl  version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:02:58Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
  • Running on a cluster with 3 master nodes and 4 workers. Not on GCP or any cloud platform
-- Chirrut Imwe
kubernetes

Similar Questions

How to parse echo json value?
Deploying Strapi on Kubernetes (GKE)
Traefik load balancing weight not working as per expectation
Can not deploy container on gcloud

1 Answer

6/7/2019

If I unset the current-context the error goes away and i can view my pods and nodes. So my guess is it has something to do with my kubeconfig but I'm not sure where i got it wrong.

That very likely means you are running kubectl on the master nodes themselves, and the master nodes are listening on :8080 with the unauthenticated port (since kubectl uses http://127.0.0.1:8080 by default if there is no kubeconfig)

So yes, it's very likely due to your cert being signed by a CA that the apiserver does not trust.

You can check that via:

openssl x509 -in /home/user/ssl/client-ca.pem -noout -text

and then look at the CA and compare the issuer from your client-ca against the subject of your CA:

openssl x509 -in /home/user/ssl/ca.pem -noout -text

I am sure there are some fingerprints and serial numbers and that kind of stuff that need to match up, but I don't have that openssl command line handy

-- mdaniel
Source: StackOverflow