kubernetes: Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope even after granting permission

kubernetes openid-connect kubeadm
NSP picture NSP · Aug 10, 2017 · Viewed 11.5k times · Source

Even after granting cluster roles to user, I get Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

I have the following set for the user:

- context:
    cluster: kubernetes
    user: [email protected]
  name: user@kubernetes`  set in the ~/.kube/config file

and the below added to admin.yaml to create cluster-role and cluster-rolebindings:

kind: CluserRouster: kubernetes    user: [email protected]  name: nsp@kubernetese
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
oidckind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-binding
subjects:
  - kind: User
    name: [email protected]
roleRef:
  kind: ClusterRole
  name: admin-role

When I try the command I still get error.

kubectl [email protected] get nodes
Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

Can someone please suggest on how to proceed.

Answer

Lorenz picture Lorenz · Aug 11, 2017

Your problem is not with your ClusterRoleBindings but rather with user authentication. Kubernetes tells you that it identified you as system:anonymous (which is similar to *NIX's nobody) and not [email protected] (to which you applied your binding).

In your specific case the reason for that is that the username flag uses HTTP Basic authentication and needs the password flag to actually do anything. But even if you did supply the password, you'd still need to actually tell the API server to accept that specific user.

Have a look at this part of the Kubernetes documentation which deals with different methods of authentication. For the username and password authentication to work, you'd want to look at the Static Password File section, but I would actually recommend you go with X509 Client Certs since they are more secure and are operationally much simpler (no secrets on the Server, no state to replicate between API servers).

Related questions

Restart container within pod

I have a pod test-1495806908-xn5jn with 2 containers. I'd like to restart one of them called container-test. Is it possible to restart a single container within a pod and how? If not, how do I restart the pod? The …

Read More
Command to delete all pods in all kubernetes namespaces

Upon looking at the docs, there is an API call to delete 'a' pod, but is there a way to kill all pods in all namespaces?

Read More
How can I keep a container running on Kubernetes?

I'm now trying to run a simple container with shell (/bin/bash) on a Kubernetes cluster. I thought that there was a way to keep a container running on a Docker container by using pseudo-tty and detach option (-td option …

Read More