Welcome to the Linux Foundation Forum!

Lab 6.1. RESTful API Access

on the step 5: I saw failure status

student@cp:~$ curl --header "Authorization: Bearer $token" -k
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/apis\"",
"reason": "Forbidden",
"details": {},
"code": 403

any idea or comment about this error?



  • chrispokorni
    chrispokorni Posts: 2,112

    Hi @eporart,

    The IP address used in the curl command may be the key, however, I'd like to find out a few details about your cluster to be certain:

    1. What node/VM/pod is assigned IP
    2. What are the IP addresses of the cluster nodes?
    3. What IP subnet is used for pods? (found in the calico.yaml and the kueadm-config.yaml files)


  • oleksazhel
    oleksazhel Posts: 57

    @eporart I think it's because you simply copy-pasted following command from training material and didn't fix secret name.

    export token=$(kubectl describe \
        secret default-token-jdqp7 |grep ˆtoken |cut -f7 -d' ')

    You can just check if your token env variable is empty using command echo $token.

    By the way I've just found that service account tokens are not automatically ambient in secrets in 1.24+. Thus if you want to have one you have to create it manually.

  • eporart
    eporart Posts: 26

    thanks for your feeback

    with this command work for me

    student@cp:~$ kubectl create clusterrolebinding cluster-system-anonymons --clusterrole=cluster-admin --user=system:anonymous

    clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymons created

    student@cp:~$ curl https://k8scp:6443/apis --header "Authorization: Bearer $token" -k
    "kind": "APIGroupList",
    "apiVersion": "v1",
    "groups": [
    "name": "apiregistration.k8s.io",
    "versions": [

  • oleksazhel
    oleksazhel Posts: 57
    edited June 2022

    @eporart You just provided anonymous user with cluster-admin's role permission and opened a big security hole to your cluster...

  • eporart
    eporart Posts: 26

    @oleksazhel, sure thanks for your information. let me try your recomendation

  • In the same exercise, in my test deployment using kubeadm init/join, I was missing the bearer token, so I had to create that secret. Instructions here:



    # Create a secret to hold a token for the default service account
    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
      name: default-token
        kubernetes.io/service-account.name: default
    type: kubernetes.io/service-account-token

    After that, the rest of the exercise worked.


Upcoming Training