Lab 6.1. RESTful API Access

eporart

on the step 5: I saw failure status

student@cp:~$ curl https://192.168.100.202:6443/apis --header "Authorization: Bearer $token" -k
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/apis\"",
"reason": "Forbidden",
"details": {},
"code": 403

any idea or comment about this error?

thanks,
Arturo

chrispokorni

Hi @eporart,

The IP address used in the curl command may be the key, however, I'd like to find out a few details about your cluster to be certain:

1. What node/VM/pod is assigned IP 192.168.100.202?
2. What are the IP addresses of the cluster nodes?
3. What IP subnet is used for pods? (found in the calico.yaml and the kueadm-config.yaml files)

Regards,
-Chris

oleksazhel

@eporart I think it's because you simply copy-pasted following command from training material and didn't fix secret name.

export token=$(kubectl describe \
    secret default-token-jdqp7 |grep ˆtoken |cut -f7 -d' ')

You can just check if your token env variable is empty using command echo $token.

By the way I've just found that service account tokens are not automatically ambient in secrets in 1.24+. Thus if you want to have one you have to create it manually.

eporart

thanks for your feeback

with this command work for me

student@cp:~$ kubectl create clusterrolebinding cluster-system-anonymons --clusterrole=cluster-admin --user=system:anonymous

clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymons created

student@cp:~$ curl https://k8scp:6443/apis --header "Authorization: Bearer $token" -k
{
"kind": "APIGroupList",
"apiVersion": "v1",
"groups": [
{
"name": "apiregistration.k8s.io",
"versions": [

oleksazhel

@eporart You just provided anonymous user with cluster-admin's role permission and opened a big security hole to your cluster...

eporart

@oleksazhel, sure thanks for your information. let me try your recomendation

pvradu

In the same exercise, in my test deployment using kubeadm init/join, I was missing the bearer token, so I had to create that secret. Instructions here:

https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/

Specifically:

# Create a secret to hold a token for the default service account
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: default-token
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
EOF

After that, the rest of the exercise worked.