
Error : forbidden: User \"system:anonymous\" cannot get path \"/\". #81

Closed
zufardhiyaulhaq opened this issue Jul 7, 2018 · 3 comments

zufardhiyaulhaq commented Jul 7, 2018

Hi, I'm trying to run auto-scaling in Kubernetes with metrics-server, but the target gives an error:

```
ubuntu@master:~/auto-scaling$ kubectl get hpa
NAME         REFERENCE               TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
php-apache   Deployment/php-apache   <unknown>/50%   1         10        0          10s
```

And when I try to reach the metrics-server with:

```
ubuntu@master:~/auto-scaling$ kubectl get svc --all-namespaces
NAMESPACE     NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
default       kubernetes       ClusterIP   10.96.0.1        <none>        443/TCP         1d
default       php-apache       ClusterIP   10.101.201.103   <none>        80/TCP          1m
kube-system   kube-dns         ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   1d
kube-system   metrics-server   ClusterIP   10.110.186.18    <none>        443/TCP         1d
ubuntu@master:~/auto-scaling$ curl https://10.110.186.18 -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\".",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
ubuntu@master:~/auto-scaling$
```

I can't access the metrics-server. I'm deploying a fresh Kubernetes with kubeadm.

```
ubuntu@master:~/auto-scaling$ kubectl describe pod metrics-server-86bd9d7667-ghl8h -n kube-system
Name:           metrics-server-86bd9d7667-ghl8h
Namespace:      kube-system
Node:           worker0/10.200.200.20
Start Time:     Fri, 06 Jul 2018 04:48:37 +0200
Labels:         k8s-app=metrics-server
                pod-template-hash=4268583223
Annotations:    <none>
Status:         Running
IP:             10.244.1.30
Controlled By:  ReplicaSet/metrics-server-86bd9d7667
Containers:
  metrics-server:
    Container ID:  docker://7c7b6e4595225c479ae21d1075630402329c722eff93ad3534effe6bbaffea56
    Image:         gcr.io/google_containers/metrics-server-amd64:v0.2.1
    Image ID:      docker-pullable://gcr.io/google_containers/metrics-server-amd64@sha256:49a9f12f7067d11f42c803dbe61ed2c1299959ad85cb315b25ff7eef8e6b8892
    Port:          <none>
    Host Port:     <none>
    Command:
      /metrics-server
      --source=kubernetes.summary_api:''
    State:          Running
      Started:      Fri, 06 Jul 2018 04:48:49 +0200
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from metrics-server-token-8rgcx (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  metrics-server-token-8rgcx:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  metrics-server-token-8rgcx
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
ubuntu@master:~/auto-scaling$ kubectl get node
NAME      STATUS    ROLES     AGE       VERSION
master    Ready     master    1d        v1.11.0
worker0   Ready     <none>    1d        v1.11.0
ubuntu@master:~/auto-scaling$
```


zufardhiyaulhaq commented Jul 7, 2018

I successfully deployed the metrics-server:

```
ubuntu@worker0:~$ sudo docker container ls
CONTAINER ID        IMAGE                                                                                                                   COMMAND                  CREATED             STATUS              PORTS               NAMES
e719b2594693        4f4978a87f1e                                                                                                            "docker-php-entryp..."   11 minutes ago      Up 11 minutes                           k8s_php-apache_php-apache-7fc544fdd7-bcj69_default_bc9c1da1-81ba-11e8-b71f-5254003790ea_0
fbc19c3b183d        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 11 minutes ago      Up 11 minutes                           k8s_POD_php-apache-7fc544fdd7-bcj69_default_bc9c1da1-81ba-11e8-b71f-5254003790ea_0
7c7b6e459522        gcr.io/google_containers/metrics-server-amd64@sha256:49a9f12f7067d11f42c803dbe61ed2c1299959ad85cb315b25ff7eef8e6b8892   "/metrics-server -..."   29 hours ago        Up 29 hours                             k8s_metrics-server_metrics-server-86bd9d7667-ghl8h_kube-system_153a660a-80c7-11e8-92cd-5254003790ea_0
cb8d4ab0201b        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 29 hours ago        Up 29 hours                             k8s_POD_metrics-server-86bd9d7667-ghl8h_kube-system_153a660a-80c7-11e8-92cd-5254003790ea_0
08acb4434286        f0fad859c909                                                                                                            "/opt/bin/flanneld..."   29 hours ago        Up 29 hours                             k8s_kube-flannel_kube-flannel-ds-d4shg_kube-system_f40b53f5-80c6-11e8-92cd-5254003790ea_0
ba91d22410c4        1d3d7afd77d1                                                                                                            "/usr/local/bin/ku..."   29 hours ago        Up 29 hours                             k8s_kube-proxy_kube-proxy-pmlz4_kube-system_f40b42a8-80c6-11e8-92cd-5254003790ea_0
21d479fb3101        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 29 hours ago        Up 29 hours                             k8s_POD_kube-proxy-pmlz4_kube-system_f40b42a8-80c6-11e8-92cd-5254003790ea_0
0932f1058009        k8s.gcr.io/pause:3.1                                                                                                    "/pause"                 29 hours ago        Up 29 hours                             k8s_POD_kube-flannel-ds-d4shg_kube-system_f40b53f5-80c6-11e8-92cd-5254003790ea_0
ubuntu@worker0:~$ sudo docker exec -it 7c7b6e459522 sh
/ #
```

This is my deployment:

```yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: php-apache
  labels:
    name: php-apache
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: php
    spec:
      containers:
      - name: php-apache
        image: php-modified/1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 200m

---
kind: Service
apiVersion: v1
metadata:
  name: php-apache
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: php
```

And this is my HPA:

```yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      targetAverageUtilization: 50
```

I have tried this (#40) to allow system:anonymous, but I still can't access the metrics-server via ClusterIP:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-metrics
rules:
- apiGroups:
    - metrics.k8s.io
  resources:
    - pods
    - nodes
  verbs:
    - get
    - list
    - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view-metrics
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:anonymous
```
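
A narrower alternative to the `system:anonymous` binding in the comment above, added here as an example and not part of the original issue or the metrics-server project: the same `view-metrics` rules bound to a named service account instead of the anonymous user. The account name `metrics-reader` and its namespace are assumptions chosen for illustration.

```yaml
# Added example, not from the issue. Names marked "hypothetical" are assumptions.
#
# Binding view-metrics to system:anonymous gives pod and node metrics to any
# unauthenticated caller that can reach the endpoint. It also does not cover
# the request that returned 403: `curl https://<cluster-ip>/` asks for the
# non-resource path "/", while this role only carries resource rules for
# metrics.k8s.io pods and nodes.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-reader          # hypothetical
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-metrics
rules:
- apiGroups:
    - metrics.k8s.io
  resources:
    - pods
    - nodes
  verbs:
    - get
    - list
    - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view-metrics
subjects:
  - kind: ServiceAccount        # authenticated identity instead of system:anonymous
    name: metrics-reader        # hypothetical
    namespace: default
# Verify with authenticated requests that go through the API server:
#   kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"
#   kubectl auth can-i list pods.metrics.k8s.io \
#     --as=system:serviceaccount:default:metrics-reader
```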

@zufardhiyaulhaq

This is my kube-apiserver manifest (the default created by kubeadm):

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=10.200.200.100
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --disable-admission-plugins=PersistentVolumeLabel
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.0
```

@zufardhiyaulhaq

Fixed with #77
