I have followed these instructions to create a normal user in Kubernetes and generate a client certificate: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
When I try to send a request to the API server using curl, providing the certificate and key, the response comes back as "message": "forbidden: User \"system:anonymous\" cannot get path \"/apis\"".
curl -k -v -L --cert ./userone.crt --key ./userone.key -k --request GET https://<host>:443/apis\?timeout\=32s
<Removed some text>
< HTTP/1.1 403 Forbidden
< Server: nginx/1.12.2
< Date: Tue, 02 Nov 2021 21:53:03 GMT
< Content-Type: application/json
< Content-Length: 237
< Connection: keep-alive
< Cache-Control: no-cache, private
< X-Content-Type-Options: nosniff
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/apis\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
I also tried impersonating this user from a context where I had elevated access; the new user is able to access pods as configured in the ClusterRole and RoleBinding. This at least proves that authorization is working.
kubectl auth can-i -n xyz get pods --as=userone
yes
The issue seems to be that the new user doesn't have access to the /apis endpoint on the API server. I tried adding nonResourceURLs as part of the ClusterRole, but that didn't help either.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only-role
rules:
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  - /api/*
  - /apis/*
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: xyz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: read-only
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userone
We are using Kubernetes version 1.18.17, and the API server is configured with the --client-ca-file option as well. I would appreciate your help on this.
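As an added example that is not part of the question, the following Python script separates the two checks that a 403 like the one above can fail: authentication (which identity the API server assigned to the request) and authorization (what RBAC grants that identity on a non-resource path). The sample Status body and headers are constructed from the curl output shown above, the rules are the two rules from the ClusterRole above, and the matching logic mirrors the RBAC authorizer's NonResourceURLMatches behaviour (exact match, or prefix match when a rule ends in `*`) together with the fact that RoleBindings are only consulted for namespaced requests. The `Server: nginx` heuristic is an assumption for triage, not something the post states.

```python
"""Added example (not from the question): triage a 403 Status from the
Kubernetes API server and model how RBAC matches nonResourceURLs, so the
authentication step (who the API server thinks you are) and the
authorization step (what that identity may do) can be checked separately."""
import re
from typing import Dict, List

# Constructed sample: the Status body and two headers from the curl output
# shown in the question.
SAMPLE_STATUS = {
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'forbidden: User "system:anonymous" cannot get path "/apis"',
    "reason": "Forbidden", "code": 403,
}
SAMPLE_HEADERS = {"Server": "nginx/1.12.2", "Content-Type": "application/json"}


def classify_forbidden(status: dict, headers: Dict[str, str]) -> dict:
    """Split a 403 into an authn or an authz failure from the Status message."""
    match = re.search(r'User "([^"]+)"', status.get("message", ""))
    user = match.group(1) if match else None
    # The API server labels a caller system:anonymous only when no configured
    # authenticator (client CA, token, ...) accepted the request, so RBAC rules
    # written for the intended user were never consulted at all.
    stage = "authn" if user == "system:anonymous" else "authz"
    # Heuristic (assumption): Go's net/http, which kube-apiserver is built on,
    # sets no Server header by default; an nginx value means a reverse proxy
    # answered. A proxy that terminates TLS receives the client certificate
    # itself, and the API server behind it never sees it.
    proxy = headers.get("Server", "").lower().startswith("nginx")
    return {"user": user, "stage": stage, "tls_terminating_proxy_suspected": proxy}


def non_resource_url_matches(rule_urls: List[str], requested: str) -> bool:
    """Mirror of the RBAC authorizer's NonResourceURLMatches: "*" matches all,
    otherwise an exact match, or a prefix match when the rule ends in "*".
    "/apis/*" trims to the prefix "/apis/", which "/apis" itself lacks."""
    for rule_url in rule_urls:
        if rule_url == "*" or rule_url == requested:
            return True
        if rule_url.endswith("*") and requested.startswith(rule_url.rstrip("*")):
            return True
    return False


def verb_matches(rule_verbs: List[str], verb: str) -> bool:
    return "*" in rule_verbs or verb in rule_verbs


# The two rules from the question's ClusterRole, as Python dicts.
CLUSTER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["/metrics", "/api/*", "/apis/*"], "verbs": ["get"]},
]


def allowed_non_resource(rules: List[dict], verb: str, path: str, bound_by: str) -> bool:
    """Evaluate a non-resource request against a ClusterRole's rules.

    bound_by is "ClusterRoleBinding" or "RoleBinding". Non-resource requests
    carry no namespace, and the RBAC authorizer only walks RoleBindings for
    namespaced requests, so a ClusterRole bound through a RoleBinding (as in
    the question) grants nothing on paths such as /apis."""
    if bound_by != "ClusterRoleBinding":
        return False
    return any(
        verb_matches(rule.get("verbs", []), verb)
        and non_resource_url_matches(rule.get("nonResourceURLs", []), path)
        for rule in rules
    )


if __name__ == "__main__":
    print(classify_forbidden(SAMPLE_STATUS, SAMPLE_HEADERS))
    for binding in ("RoleBinding", "ClusterRoleBinding"):
        for path in ("/apis", "/apis/apps", "/metrics"):
            print(binding, path, allowed_non_resource(CLUSTER_ROLE_RULES, "get", path, binding))
```

Run against the sample, `classify_forbidden` reports the `authn` stage, since an anonymous identity means the certificate was never accepted as a client credential; the RBAC model then shows that even once authentication works, the rules above would allow `GET /apis/apps` but not `GET /apis` itself, and only when bound by a ClusterRoleBinding.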