Error : forbidden: User \"system:anonymous\" cannot get path \"/\". #81

Closed
@zufardhiyaulhaq

Hi, I'm trying to run auto-scaling in Kubernetes with metrics-server, but the target gives an error:

ubuntu@master:~/auto-scaling$ kubectl get hpa
NAME         REFERENCE               TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
php-apache   Deployment/php-apache   <unknown>/50%   1         10        0          10s

And when I'm trying to get the metrics-server with

> ubuntu@master:~/auto-scaling$ kubectl get svc --all-namespaces
> NAMESPACE     NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
> default       kubernetes       ClusterIP   10.96.0.1        <none>        443/TCP         1d
> default       php-apache       ClusterIP   10.101.201.103   <none>        80/TCP          1m
> kube-system   kube-dns         ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   1d
> kube-system   metrics-server   ClusterIP   10.110.186.18    <none>        443/TCP         1d
> ubuntu@master:~/auto-scaling$ curl https://10.110.186.18 -k
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "forbidden: User \"system:anonymous\" cannot get path \"/\".",
>   "reason": "Forbidden",
>   "details": {},
>   "code": 403
> }
> ubuntu@master:~/auto-scaling$ 

I can't access the metrics-server. I'm deploying a fresh Kubernetes with kubeadm.

ubuntu@master:~/auto-scaling$ kubectl describe pod metrics-server-86bd9d7667-ghl8h -n kube-system
Name:           metrics-server-86bd9d7667-ghl8h
Namespace:      kube-system
Node:           worker0/10.200.200.20
Start Time:     Fri, 06 Jul 2018 04:48:37 +0200
Labels:         k8s-app=metrics-server
                pod-template-hash=4268583223
Annotations:    <none>
Status:         Running
IP:             10.244.1.30
Controlled By:  ReplicaSet/metrics-server-86bd9d7667
Containers:
  metrics-server:
    Container ID:  docker://7c7b6e4595225c479ae21d1075630402329c722eff93ad3534effe6bbaffea56
    Image:         gcr.io/google_containers/metrics-server-amd64:v0.2.1
    Image ID:      docker-pullable://gcr.io/google_containers/metrics-server-amd64@sha256:49a9f12f7067d11f42c803dbe61ed2c1299959ad85cb315b25ff7eef8e6b8892
    Port:          <none>
    Host Port:     <none>
    Command:
      /metrics-server
      --source=kubernetes.summary_api:''
    State:          Running
      Started:      Fri, 06 Jul 2018 04:48:49 +0200
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from metrics-server-token-8rgcx (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  metrics-server-token-8rgcx:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  metrics-server-token-8rgcx
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
ubuntu@master:~/auto-scaling$ kubectl get node
NAME      STATUS    ROLES     AGE       VERSION
master    Ready     master    1d        v1.11.0
worker0   Ready     <none>    1d        v1.11.0
ubuntu@master:~/auto-scaling$

zufardhiyaulhaq commented on Jul 7, 2018

I successfully deployed the metrics-server

ubuntu@worker0:~$ sudo docker container ls
CONTAINER ID        IMAGE                                                                                                                   COMMAND                  CREATED             STATUS              PORTS               NAMES
e719b2594693        4f4978a87f1e                                                                                                            "docker-php-entryp..."   11 minutes ago      Up 11 minutes                           k8s_php-apache_php-apache-7fc544fdd7-bcj69_default_bc9c1da1-81ba-11e8-b71f-5254003790ea_0
fbc19c3b183d        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 11 minutes ago      Up 11 minutes                           k8s_POD_php-apache-7fc544fdd7-bcj69_default_bc9c1da1-81ba-11e8-b71f-5254003790ea_0
7c7b6e459522        gcr.io/google_containers/metrics-server-amd64@sha256:49a9f12f7067d11f42c803dbe61ed2c1299959ad85cb315b25ff7eef8e6b8892   "/metrics-server -..."   29 hours ago        Up 29 hours                             k8s_metrics-server_metrics-server-86bd9d7667-ghl8h_kube-system_153a660a-80c7-11e8-92cd-5254003790ea_0
cb8d4ab0201b        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 29 hours ago        Up 29 hours                             k8s_POD_metrics-server-86bd9d7667-ghl8h_kube-system_153a660a-80c7-11e8-92cd-5254003790ea_0
08acb4434286        f0fad859c909                                                                                                            "/opt/bin/flanneld..."   29 hours ago        Up 29 hours                             k8s_kube-flannel_kube-flannel-ds-d4shg_kube-system_f40b53f5-80c6-11e8-92cd-5254003790ea_0
ba91d22410c4        1d3d7afd77d1                                                                                                            "/usr/local/bin/ku..."   29 hours ago        Up 29 hours                             k8s_kube-proxy_kube-proxy-pmlz4_kube-system_f40b42a8-80c6-11e8-92cd-5254003790ea_0
21d479fb3101        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 29 hours ago        Up 29 hours                             k8s_POD_kube-proxy-pmlz4_kube-system_f40b42a8-80c6-11e8-92cd-5254003790ea_0
0932f1058009        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 29 hours ago        Up 29 hours                             k8s_POD_kube-flannel-ds-d4shg_kube-system_f40b53f5-80c6-11e8-92cd-5254003790ea_0
ubuntu@worker0:~$ sudo docker exec -it 7c7b6e459522 sh
/ #

This is my deployment:

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: php-apache
  labels:
    name: php-apache
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: php
    spec:
      containers:
      - name: php-apache
        image: php-modified/1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 200m

---
kind: Service
apiVersion: v1
metadata:
  name: php-apache
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: php

And this is my HPA:

apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      targetAverageUtilization: 50

I have tried this #40 to allow system:anonymous, but still can't access the metrics-server via ClusterIP

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-metrics
rules:
- apiGroups:
    - metrics.k8s.io
  resources:
    - pods
    - nodes
  verbs:
    - get
    - list
    - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view-metrics
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:anonymous
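
Added example (not part of the original comment or of the metrics-server project): a ClusterRoleBinding like the one above grants the anonymous user read access to pod and node metrics through the API, so it is worth checking a cluster for such bindings. The Python sketch below scans JSON shaped like the output of `kubectl get clusterroles,clusterrolebindings -o json`; the sample input is constructed and `anonymous_grants` is a hypothetical helper name.

```python
import json

# Subjects that represent unauthenticated callers in Kubernetes RBAC.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
# It mirrors the view-metrics objects from the comment plus one unrelated binding.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "view-metrics"},
  "rules": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
             "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "view-metrics"},
  "roleRef": {"kind": "ClusterRole", "name": "view-metrics"},
  "subjects": [{"kind": "User", "name": "system:anonymous"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")


def anonymous_grants(object_list):
    """Return one finding per ClusterRoleBinding that names an unauthenticated subject."""
    items = object_list.get("items", [])
    roles = {i["metadata"]["name"]: i for i in items if i.get("kind") == "ClusterRole"}
    findings = []
    for item in items:
        if item.get("kind") != "ClusterRoleBinding":
            continue
        # `subjects` can be missing or null on a binding without subjects.
        hits = sorted(
            s["name"] for s in (item.get("subjects") or [])
            if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS
        )
        if not hits:
            continue
        role_name = item["roleRef"]["name"]
        role = roles.get(role_name)
        findings.append({
            "binding": item["metadata"]["name"],
            "subjects": hits,
            "role": role_name,
            # None: the referenced role was not in the input, so its scope is unknown.
            "rules": role.get("rules") if role else None,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(anonymous_grants(SAMPLE), indent=2))
```

On a real cluster, built-in bindings that include `system:unauthenticated` are listed as well; compare each finding's rules against what unauthenticated callers are expected to reach.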

zufardhiyaulhaq commented on Jul 7, 2018

This is my kube-apiserver manifest (default created by kubeadm):

apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=10.200.200.100
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --disable-admission-plugins=PersistentVolumeLabel
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.0

zufardhiyaulhaq commented on Jul 7, 2018

Fixed with #77

Error : forbidden: User \"system:anonymous\" cannot get path \"/\". · Issue #81 · kubernetes-sigs/metrics-server