kubectl - error: You must be logged in to the server on bare-metal

12/16/2019

I created the csr and approved it -

$ kubectl get csr
NAME        AGE   REQUESTOR          CONDITION
parth-csr   28m   kubernetes-admin   Approved,Issued

Created the certificate using kubectl only with username parth and group devs

        Issuer: CN=kubernetes
        Validity
            Not Before: Dec 16 18:51:00 2019 GMT
            Not After : Dec 15 18:51:00 2020 GMT
        Subject: O=devs, CN=parth
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

Here, I want to do the authentication on the basis of group - devs.

Clusterrole.yaml is as follows -

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs
rules:
  - apiGroups: [""]
    resources: ["nodes", "pods", "secrets", "pods", "pods/log", "configmaps", "services", "endpoints", "deployments", "jobs", "crontabs"]
    verbs: ["get", "watch", "list"]

Clusterrolebinding.yaml as

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs-clusterrolebinding
subjects:
- kind: Group
  name: devs # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devs
  apiGroup: rbac.authorization.k8s.io

Kubeconfig file is as follows -

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXXXXXXXXXXXX
    server: https://XX.XX.XX.XX:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: parth
  name: dev
current-context: "dev"
kind: Config
preferences: {}
users:
- name: parth
  user:
    client-certificate: /etc/kubernetes/access-credentials/parth/parth.crt
    client-key: /etc/kubernetes/access-credentials/parth/parth.key

As I want to do auth using group only, I am getting the following error -

$ kubectl get nodes
error: You must be logged in to the server (Unauthorized)

I am running k8s on bare-metal. Group-based auth reference from official docs - https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding

-- Parth Wadhwa
kubernetes
rbac

2 Answers

12/17/2019

After manually signing the certificate using apiserver ca, it got fixed.

-- Parth Wadhwa
Source: StackOverflow

12/16/2019

I see you have given permission to groups and not to a user. In that case you need to use impersonation as group

kubectl get nodes --as-group=devs
-- Shambu
Source: StackOverflow