Facing issue with cluster setup

[jame...@gmail.com]

Hello, I am a newbie to Kubernetes world.
Am facing some issues with my cluster setup.
Getting below error while running:

[root@vmdoccXXXX alwin]# kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc420316300 0xc4201469a0 kube-system calico-config https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc4212c6748 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": configmaps "calico-config" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get configmaps in the namespace "kube-system": no path found to object
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc420316480 0xc4203bf180 kube-system calico-etcd https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc422974078 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": daemonsets.extensions "calico-etcd" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get daemonsets.extensions in the namespace "kube-system"
Error from server (Forbidden): error when creating "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": services is forbidden: User "system:node:vmdoccXXXX.example.com" cannot create services in the namespace "kube-system"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f6a80 0xc420208700 kube-system calico-node https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a098 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": daemonsets.extensions "calico-node" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get daemonsets.extensions in the namespace "kube-system"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f6e40 0xc4203e42a0 kube-system calico-kube-controllers https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a148 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": deployments.extensions "calico-kube-controllers" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get deployments.extensions in the namespace "kube-system"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f7080 0xc420306d90 calico-cni-plugin https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a1e0 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": clusterrolebindings.rbac.authorization.k8s.io "calico-cni-plugin" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get clusterrolebindings.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f7140 0xc4205ba230 calico-cni-plugin https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a298 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": clusterroles.rbac.authorization.k8s.io "calico-cni-plugin" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get clusterroles.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f7200 0xc4205baee0 kube-system calico-cni-plugin https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a320 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": serviceaccounts "calico-cni-plugin" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get serviceaccounts in the namespace "kube-system"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f72c0 0xc4206203f0 calico-kube-controllers https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a3a8 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": clusterrolebindings.rbac.authorization.k8s.io "calico-kube-controllers" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get clusterrolebindings.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f7380 0xc420621b90 calico-kube-controllers https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a450 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": clusterroles.rbac.authorization.k8s.io "calico-kube-controllers" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get clusterroles.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc4200f7440 0xc420c42770 kube-system calico-kube-controllers https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a4c0 false}
from server for: "https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": serviceaccounts "calico-kube-controllers" is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get serviceaccounts in the namespace "kube-system"

Seems like I am missing something.
Any help is much appreciated. :-)

Regards,
Alwin

[Matthias Rampke]

It looks like you're having permissions issues. Check your RBAC roles and bindings. Which credentials is kubectl using? What permissions do these have?

(I'm afraid that's as far as I can help you, my knowledge here is hazy).

/MR

--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-use...@googlegroups.com.
To post to this group, send email to kubernet...@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

[alwin james]

Thank You, MR for the reply.

The goal here is to enable kubernetes dashboard.

It looks like I am using 'system:node:' role and it is trying to touch 'kube-system' namespace which it does not have enough privilege to.

What are the recommendations here?

Do you recommend any good read that deals with editing/playing with RBAC?

Also, somewhere I found that messing with 'system:node:' is not recommended. 

Regards,

Alwin

/MR

To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.

Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/kubernetes-users/UzOfzyW1WsA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to kubernetes-users+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.

[alwin james]

Adding more info:

I just did kubeadm reset and then kubeadm init again.

Those went well, however issuing following throws error:

[root@vmdoccXXXX ~]# kubectl get namespaces

Error from server (Forbidden): namespaces is forbidden: User "system:node:vmdoccXXXX.example.com" cannot list namespaces at the cluster scope

On Tue, Mar 6, 2018 at 10:39 AM, alwin james <jame...@gmail.com> wrote:

Thank You, MR for the reply.

The goal here is to enable kubernetes dashboard.

It looks like I am using 'system:node:' role and it is trying to touch 'kube-system' namespace which it does not have enough privilege to.

What are the recommendations here?

Do you recommend any good read that deals with editing/playing with RBAC?

Also, somewhere I found that messing with 'system:node:' is not recommended. 

Regards,

Alwin

[Jordan Liggitt]

Take a look at the output of the kubeadm init command, especially the part that describes setting up your kubeconfig file.

That should help set up kubectl to run as a superuser, not with a node identity which is considerably more limited.

[alwin james]

Thank You, Jordan for your help.

Following is what I see when doing 'kubeadm init':

[root@vmdoccXXXX ~]# kubeadm init

[init] Using Kubernetes version: v1.9.3

[init] Using Authorization modes: [Node RBAC]

[preflight] Running pre-flight checks.

        [WARNING FileExisting-crictl]: crictl not found in system path

[preflight] Starting the kubelet service

[certificates] Generated ca certificate and key.

[certificates] Generated apiserver certificate and key.

[certificates] apiserver serving cert is signed for DNS names [vmdoccXXXX.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.10.72.176]

[certificates] Generated apiserver-kubelet-client certificate and key.

[certificates] Generated sa key and public key.

[certificates] Generated front-proxy-ca certificate and key.

[certificates] Generated front-proxy-client certificate and key.

[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"

[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"

[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"

[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"

[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"

[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"

[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"

[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"

[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"

[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests".

[init] This might take a minute or longer if the control plane images have to be pulled.

[apiclient] All control plane components are healthy after 34.502297 seconds

[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace

[markmaster] Will mark node vmdoccXXXX.example.com as master by adding a label and a taint

[markmaster] Master vmdoccXXXX.example.com tainted and labelled with key/value: node-role.kubernetes.io/master=""

[bootstraptoken] Using token: 2a38ea.4c715861691e6fcc

[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials

[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token

[bootstraptoken] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster

[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace

[addons] Applied essential addon: kube-dns

[addons] Applied essential addon: kube-proxy

Your Kubernetes master has initialized successfully

How can I setup kubectl to run as superuser?

Any help is really appreciated.

Regards,

Alwin

On Tue, Mar 6, 2018 at 9:47 PM, Jordan Liggitt <jlig...@redhat.com> wrote:

Take a look at the output of the kubeadm init command, especially the part that describes setting up your kubeconfig file.

That should help set up kubectl to run as a superuser, not with a node identity which is considerably more limited.