Why would kubectl logs return Authorization error?

3/11/2021

I am trying to get logs from a pod that is running using kubectl logs grafana-6bfd846fbd-nbv8r and I am getting the following output:

Error from server (InternalError): Internal error occurred: Authorization error (user=kube-apiserver, verb=get, resource=nodes, subresource=proxy)

I tried to figure why I would not have this specific authorisation even though I can manage everything with this user, no clue. The weirdest is that when I run kubectl auth can-i get pod/logs I get:

yes

After a few hours of going through ClusterRoles and ClusterRoleBindings, I am getting stuck and do know what to do to be authorized. Thanks for your help!

-- Mathieu Défosse
k3s
kubectl
kubernetes

1 Answer

3/12/2021

The failure is kube-apiserver trying to access the kubelet, not related to your user. This indicates your core system RBAC rules might be corrupted, check if your installer or K8s distro has a way to validate or repair them (most don't) or make a new cluster and compare them to that.

-- coderanger
Source: StackOverflow