Welcome to the Linux Foundation Forum!

Exercise 15.2: DevDan doesn't work

Exercise 15.2: Authentication and Authorization

Summary: I can't work with resources associated with the user DevDan, the context DevDan-context, etc.

Details --

Problem symptoms:

  $ kubectl config use-context kubernetes-admin@kubernetes
  Switched to context "kubernetes-admin@kubernetes"

  $ kubectl --context=DevDan-context get pods
  error: You must be logged in to the server (Unauthorized)

  $ sudo kubectl --context=DevDan-context get pods
  Error in configuration: context was not found for specified context: DevDan-context

  $ kubectl config use-context DevDan-context
  Switched to context "DevDan-context"

  $ sudo kubectl get pods
  The connection to the server localhost:8080 was refused - did you specify the right host or port?

I'm not going to walk through every single step I took - I followed the directions exactly, with the exception of naming the various DevDan auth files "dd.key/.crt/.csr" for brevity.

Here's what I'm working with, with extraneous results removed --

System: Ubuntu 20.04

  • Config details:

    $ kubectl version --short
    Client Version: v1.24.0
    Kustomize Version: v4.5.4
    Server Version: v1.24.0

    $ kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://k8scp:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        namespace: development
        user: DevDan
      name: DevDan-context
    - context:
        cluster: kubernetes
        namespace: default
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: DevDan
      user:
        client-certificate: /home/nathaniel_lapier/dd.crt
        client-key: /home/nathaniel_lapier/dd.key
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED

    $ less .kube/config
    contexts:
    - context:
        cluster: kubernetes
        namespace: development
        user: DevDan
      name: DevDan-context
    - context:
        cluster: kubernetes
        namespace: default
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: DevDan-context
    kind: Config
    preferences: {}
    users:
    - name: DevDan
      user:
        client-certificate: /home/nathaniel_lapier/dd.crt
        client-key: /home/nathaniel_lapier/dd.key
    - name: kubernetes-admin
      user:
        client-certificate-data: [...]
        client-key-data: [...]

    $ sudo less /etc/kubernetes/kubelet.conf
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: [...]
        server: https://k8scp:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: system:node:k8stest-raw-1
      name: system:node:k8stest-raw-1@kubernetes
    current-context: system:node:k8stest-raw-1@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: system:node:k8stest-raw-1
      user:
        client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
        client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
  • Remaining exercise-specific settings:

    $ kubectl get namespaces
    NAME          STATUS   AGE
    default       Active   14d
    development   Active   17h
    [...]
    production    Active   17h
    small         Active   4d21h

    $ sudo less /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    [...]
    DevDan:x:1001:1002::/home/DevDan:/bin/bash

    nathaniel_lapier@k8stest-raw-1:~$ ls -a
    dd.crt  dd.csr  dd.key  .rnd  LFS258

    $ kubectl get roles -A
    NAMESPACE     NAME
    default       kdash-kubernetes-dashboard
    default       myingress-ingress-nginx
    development   developer
    kube-public   kubeadm:bootstrap-signer-clusterinfo
    [...]

    $ kubectl get rolebindings -A
    NAMESPACE     NAME                      ROLE
    default       myingress-ingress-nginx   Role/myingress-ingress-nginx
    development   developer-role-binding    Role/developer
    [...]

Is any part of my configuration not what should be expected? I've walked through a slew of Googled tips around users, contexts, permissions etc. This post shows the results of my second attempt at this exercise - after hitting this dead end on my first attempt, I deleted everything from the exercise and started over, with no effect.


Answers

  • Posts: 33
    edited November 2022

    kubectl --context=DevDan-context get pods is correct and should be able to work.

    You do not want sudo when using kubectl.
    It will look for kubeconfig in /root/.kube/config, which probably does not exist.

    2 things I would try:

    1. kubectl --context=DevDan-context get pods -v=10. Anything to learn from the verbose output?
    2. Try embedding the client cert and key in the kubeconfig using --embed-certs: kubectl config set-credentials DevDan --client-key dd.key --client-certificate dd.crt --embed-certs
  • Posts: 8

    @pnts said:
    kubectl --context=DevDan-context get pods is correct and should be able to work.

    You do not want sudo when using kubectl.
    It will look for kubeconfig in /root/.kube/config, which probably does not exist.

    2 things I would try:

    1. kubectl --context=DevDan-context get pods -v=10. Anything to learn from the verbose output?
    2. Try embedding the client cert and key in the kubeconfig using --embed-certs: kubectl config set-credentials DevDan --client-key dd.key --client-certificate dd.crt --embed-certs

    $ kubectl config set-credentials DevDan --client-key dd.key --client-certificate dd.crt --embed-certs
    User "DevDan" set.

    $ kubectl --context=DevDan-context get pods -v=10
    I1110 23:14:07.097741 2828059 loader.go:372] Config loaded from file: /home/nathaniel_lapier/.kube/config
    [tons of kube/cache jsons...]
    curl -v -XGET -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.24.0 (linux/amd64) kubernetes/4ce5a89" 'https://k8scp:6443/api/v1/namespaces/development/pods?limit=500'
    HTTP Trace: DNS Lookup for k8scp resolved to [{10.2.0.4 }]
    HTTP Trace: Dial to tcp:10.2.0.4:6443 succeed
    GET https://k8scp:6443/api/v1/namespaces/development/pods?limit=500 401 Unauthorized in 13 milliseconds
    HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 9 ms ServerProcessing 2 ms Duration 13 ms
    Response Headers:
        Content-Type: application/json
        Content-Length: 129
        Date: Thu, 10 Nov 2022 23:12:00 GMT
        Audit-Id: 95f6a005-64bf-4b97-a21b-415618577460
        Cache-Control: no-cache, private
    Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    I1110 23:12:00.710028 2826896 helpers.go:222] server response object: [{
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "Unauthorized",
      "reason": "Unauthorized",
      "code": 401
    }]
    error: You must be logged in to the server (Unauthorized)

    Lots of output, but in the end it's just a 401, even with the certs.

  • Posts: 8

    Hah - I'll eat some crow and hopefully help the next person who gets stuck:

    openssl req -new -key DevDan.key \
      -out dd.csr -subj "/CN=DevDan/O=development"  # make sure this -subj argument exactly matches your user and namespace
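For anyone who wants to see why that -subj argument matters, here is an added model (not code from this thread or from the LFS258 materials) of the path a `kubectl --context=DevDan-context get pods` call takes: the context selects a user entry in the kubeconfig, the user entry points at a client certificate, the API server's X.509 authenticator takes the user name from the certificate's CN and its group names from the O entries, and RBAC then looks for a RoleBinding in the context's namespace that names that user or one of those groups. The kubeconfig, Role and RoleBinding below are constructed to mirror the names shown earlier in the thread (the Role's verbs are an assumption, not taken from the exercise), and the certificate subject is passed in as the same openssl -subj string you would hand to `openssl req` rather than being read from a PEM file. It also covers the earlier answer's point about contexts and credentials: a context name absent from the kubeconfig fails before any request is sent, a user entry with no usable credential gets a 401, and a certificate whose CN does not name the bound user authenticates but is denied with a 403.

```python
"""Path of a `kubectl --context=... get pods` call: kubeconfig context -> user
entry -> client cert subject -> X.509 authentication (user = CN, groups = O)
-> RBAC in the context's namespace. Added model for this thread; the
kubeconfig, Role and RoleBinding are constructed, not read from a cluster."""
from typing import Dict, List, Optional, Tuple


def parse_openssl_subject(subject: str) -> Dict[str, List[str]]:
    """'/CN=DevDan/O=development' -> {'CN': ['DevDan'], 'O': ['development']}.
    O may repeat; each occurrence becomes one group."""
    if not subject.startswith("/"):
        raise ValueError("openssl -subj strings start with '/'")
    rdns: Dict[str, List[str]] = {}
    for part in filter(None, subject[1:].split("/")):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN {part!r}")
        rdns.setdefault(key.strip(), []).append(value.strip())
    return rdns


def identity_from_subject(subject: str) -> Tuple[str, List[str]]:
    """What the API server's X.509 authenticator derives from a client cert."""
    rdns = parse_openssl_subject(subject)
    cn = rdns.get("CN", [])
    if len(cn) != 1:
        raise ValueError("client certificate must carry exactly one CN")
    return cn[0], rdns.get("O", [])


# Constructed kubeconfig in the shape `kubectl config view` prints.
KUBECONFIG = {
    "contexts": [{"name": "DevDan-context", "context": {
        "cluster": "kubernetes", "namespace": "development", "user": "DevDan"}}],
    "users": [{"name": "DevDan", "user": {
        "client-certificate": "/home/example/dd.crt", "client-key": "/home/example/dd.key"}}],
}
# Constructed Role and RoleBinding with the names `kubectl get roles -A` showed;
# the verbs are an assumption, not the exercise's actual rule set.
ROLES = [{"namespace": "development", "name": "developer",
          "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]
ROLEBINDINGS = [{"namespace": "development", "name": "developer-role-binding",
                 "roleRef": "developer", "subjects": [{"kind": "User", "name": "DevDan"}]}]


def resolve_context(kubeconfig: dict, name: str) -> Tuple[str, str]:
    """kubectl --context=NAME: (namespace, user entry), or the thread's error."""
    for ctx in kubeconfig["contexts"]:
        if ctx["name"] == name:
            return ctx["context"].get("namespace", "default"), ctx["context"]["user"]
    raise KeyError(f"context was not found for specified context: {name}")


def rbac_allows(user: str, groups: List[str], namespace: str, verb: str,
                resource: str, roles: list, bindings: list) -> bool:
    """A RoleBinding in the namespace must name the user (kind User) or one of
    its groups (kind Group), and its Role must grant the verb on the resource."""
    roles_by_name = {r["name"]: r for r in roles if r["namespace"] == namespace}
    for rb in bindings:
        if rb["namespace"] != namespace or rb["roleRef"] not in roles_by_name:
            continue
        if not any((s["kind"] == "User" and s["name"] == user)
                   or (s["kind"] == "Group" and s["name"] in groups)
                   for s in rb["subjects"]):
            continue
        for rule in roles_by_name[rb["roleRef"]]["rules"]:
            if resource in rule["resources"] and verb in rule["verbs"]:
                return True
    return False


def simulate_request(context: str, cert_subjects: Dict[str, Optional[str]],
                     verb: str = "list", resource: str = "pods",
                     kubeconfig: dict = KUBECONFIG) -> str:
    """cert_subjects maps a kubeconfig user entry to the subject of the cert it
    points at (None = no usable credential presented). Returns the outcome."""
    try:
        namespace, user_entry = resolve_context(kubeconfig, context)
    except KeyError as exc:
        return f"error: {exc.args[0]}"
    subject = cert_subjects.get(user_entry)
    if subject is None:
        return "401 Unauthorized"  # nothing to authenticate with
    user, groups = identity_from_subject(subject)
    if rbac_allows(user, groups, namespace, verb, resource, ROLES, ROLEBINDINGS):
        return f"200 OK: {verb} {resource} in {namespace} as {user}"
    return f"403 Forbidden: no RoleBinding in {namespace} for {user} or groups {groups}"


if __name__ == "__main__":
    # Subject from the thread's fix, then a constructed mismatched CN.
    for subj in ("/CN=DevDan/O=development", "/CN=dd/O=development"):
        print(subj, "->", simulate_request("DevDan-context", {"DevDan": subj}))
    print(simulate_request("DevDan-contxt", {"DevDan": "/CN=DevDan/O=development"}))
```

Run it as a script to see the three outcomes side by side. The useful habit it encodes: before debugging certificates, compare the CN you put in the CSR with the subject name in the RoleBinding and the user name in the kubeconfig context, because those three strings have to agree for the request to be both authenticated and authorized.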
