Exercise 15.2: DevDan doesn't work
Exercise 15.2: Authentication and Authorization
Summary: I can't work with resources associated with the user DevDan, the context DevDan-context, etc.
Details --
Problem symptoms:
- $kubectl config use-context kubernetes-admin@kubernetes
- Switched to context "kubernetes-admin@kubernetes"
- $ kubectl --context=DevDan-context get pods
- error: You must be logged in to the server (Unauthorized)
- $ sudo kubectl --context=DevDan-context get pods
- Error in configuration: context was not found for specified context: DevDan-context
- $ kubectl config use-context DevDan-context
- Switched to context "DevDan-context"
- $ sudo kubectl get pods
- The connection to the server localhost:8080 was refused - did you specify the right host or port?
I'm not going to walk through every single step I took - I followed the directions exactly, with the exection of naming the various DevDan auth files "dd.key/.crt/.csr" for brevity.
Here's what I'm working with, with extraneous results removed --
System: Ubuntu 20.04
- Config details:
- $ kubectl version --short
- Client Version: v1.24.0
- Kustomize Version: v4.5.4
- Server Version: v1.24.0
- $ kubectl config view
- apiVersion: v1
- clusters:
- - cluster:
- certificate-authority-data: DATA+OMITTED
- server: https://k8scp:6443
- name: kubernetes
- contexts:
- - context:
- cluster: kubernetes
- namespace: development
- user: DevDan
- name: DevDan-context
- - context:
- cluster: kubernetes
- namespace: default
- user: kubernetes-admin
- name: kubernetes-admin@kubernetes
- current-context: kubernetes-admin@kubernetes
- kind: Config
- preferences: {}
- users:
- - name: DevDan
- user:
- client-certificate: /home/nathaniel_lapier/dd.crt
- client-key: /home/nathaniel_lapier/dd.key
- - name: kubernetes-admin
- user:
- client-certificate-data: REDACTED
- client-key-data: REDACTED
- $ less .kube/config
- contexts:
- - context:
- cluster: kubernetes
- namespace: development
- user: DevDan
- name: DevDan-context
- - context:
- cluster: kubernetes
- namespace: default
- user: kubernetes-admin
- name: kubernetes-admin@kubernetes
- current-context: DevDan-context
- kind: Config
- preferences: {}
- users:
- - name: DevDan
- user:
- client-certificate: /home/nathaniel_lapier/dd.crt
- client-key: /home/nathaniel_lapier/dd.key
- - name: kubernetes-admin
- user:
- client-certificate-data: [...]
- client-key-data: [...]
- $ sudo less /etc/kubernetes/kubelet.conf
- apiVersion: v1
- clusters:
- - cluster:
- certificate-authority-data: [...]
- server: https://k8scp:6443
- name: kubernetes
- contexts:
- - context:
- cluster: kubernetes
- user: system:node:k8stest-raw-1
- name: system:node:k8stest-raw-1@kubernetes
- current-context: system:node:k8stest-raw-1@kubernetes
- kind: Config
- preferences: {}
- users:
- - name: system:node:k8stest-raw-1
- user:
- client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
- client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
- Remaining exercise-specific settings:
- $ kubectl get namespaces
- NAME STATUS AGE
- default Active 14d
- development Active 17h
- [...]
- production Active 17h
- small Active 4d21h
- $ sudo less /etc/passwd
- root:x:0:0:root:/root:/bin/bash
- daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
- [...]
- DevDan:x:1001:1002::/home/DevDan:/bin/bash
- nathaniel_lapier@k8stest-raw-1:~$ ls -a
- dd.crt dd.csr dd.key .rnd LFS258
- $ kubectl get roles -A
- NAMESPACE NAME
- default kdash-kubernetes-dashboard
- default myingress-ingress-nginx
- development developer
- kube-public kubeadm:bootstrap-signer-clusterinfo
- [...]
- $ kubectl get rolebindings -A
- NAMESPACE NAME ROLE
- default myingress-ingress-nginx Role/myingress-ingress-nginx
- development developer-role-binding Role/developer
- [...]
Is any part of my confuration not what should be expected? I've walked through a slew of Googled tips around users, contexts, permissions etc. This post shows the results of my second attempt at this exercise - after hitting this dead end on my first attempt, I deleted everything from the exercise and started over, with no effect.
Answers
-
kubectl --context=DevDan-context get pods
is correct and should be able to work.You do not want sudo when using kubectl.
It will look for kubeconfig in /root/.kube/config which does probably not exist.2 things I would try:
kubectl --context=DevDan-context get pods -v=10
Anything to learn from the verbose output?- Try embedding the client cert and key in the kubeconfig using --embed-certs:
kubectl config set-credentials DevDan --client-key dd.key --client-certificate dd.crt --embed-certs
0 -
@pnts said:
kubectl --context=DevDan-context get pods
is correct and should be able to work.You do not want sudo when using kubectl.
It will look for kubeconfig in /root/.kube/config which does probably not exist.2 things I would try:
kubectl --context=DevDan-context get pods -v=10
Anything to learn from the verbose output?- Try embedding the client cert and key in the kubeconfig using --embed-certs:
kubectl config set-credentials DevDan --client-key dd.key --client-certificate dd.crt --embed-certs
- $ kubectl config set-credentials DevDan --client-key dd.key --client-certificate dd.crt --embed-certs
- User "DevDan" set.
- $ kubectl --context=DevDan-context get pods -v=10
- I1110 23:14:07.097741 2828059 loader.go:372] Config loaded from file: /home/nathaniel_lapier/.kube/config
- [tons of kube/cache jsons...]
- curl -v -XGET -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.24.0 (linux/amd64) kubernetes/4ce5a89" 'https://k8scp:6443/api/v1/namespaces/development/pods?limit=500'
- HTTP Trace: DNS Lookup for k8scp resolved to [{10.2.0.4 }]
- HTTP Trace: Dial to tcp:10.2.0.4:6443 succeed
- GET https://k8scp:6443/api/v1/namespaces/development/pods?limit=500 401 Unauthorized in 13 milliseconds
- HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 9 ms ServerProcessing 2 ms Duration 13 ms
- Response Headers:
- Content-Type: application/json
- Content-Length: 129
- Date: Thu, 10 Nov 2022 23:12:00 GMT
- Audit-Id: 95f6a005-64bf-4b97-a21b-415618577460
- Cache-Control: no-cache, private
- Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
- I1110 23:12:00.710028 2826896 helpers.go:222] server response object: [{
- "kind": "Status",
- "apiVersion": "v1",
- "metadata": {},
- "status": "Failure",
- "message": "Unauthorized",
- "reason": "Unauthorized",
- "code": 401
- }]
- error: You must be logged in to the server (Unauthorized)
Lots of output, but in the end it's just a 401, even with the certs.
0 -
Hah - I'll eat some crow and hopefully help the next person who gets stuck:
- openssl req -new -key DevDan.key \
- -out dd.csr -subj "/CN=DevDan/O=development" #make sure this -subj argument exactly matches your user and namespace
0
Categories
- All Categories
- 143 LFX Mentorship
- 143 LFX Mentorship: Linux Kernel
- 817 Linux Foundation IT Professional Programs
- 368 Cloud Engineer IT Professional Program
- 167 Advanced Cloud Engineer IT Professional Program
- 83 DevOps Engineer IT Professional Program
- 132 Cloud Native Developer IT Professional Program
- 122 Express Training Courses
- 122 Express Courses - Discussion Forum
- Microlearning - Discussion Forum
- 6.7K Training Courses
- 40 LFC110 Class Forum - Discontinued
- 73 LFC131 Class Forum
- 39 LFD102 Class Forum
- 237 LFD103 Class Forum
- 22 LFD110 Class Forum
- 44 LFD121 Class Forum
- 1 LFD123 Class Forum
- LFD125 Class Forum
- 17 LFD133 Class Forum
- 9 LFD134 Class Forum
- 17 LFD137 Class Forum
- 70 LFD201 Class Forum
- 3 LFD210 Class Forum
- 2 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 1 LFD233 Class Forum
- 3 LFD237 Class Forum
- 23 LFD254 Class Forum
- 721 LFD259 Class Forum
- 110 LFD272 Class Forum
- 3 LFD272-JP クラス フォーラム
- 10 LFD273 Class Forum
- 251 LFS101 Class Forum
- 2 LFS111 Class Forum
- 3 LFS112 Class Forum
- 3 LFS116 Class Forum
- 3 LFS118 Class Forum
- 1 LFS120 Class Forum
- 3 LFS142 Class Forum
- 3 LFS144 Class Forum
- 3 LFS145 Class Forum
- 1 LFS146 Class Forum
- 16 LFS148 Class Forum
- 8 LFS151 Class Forum
- 1 LFS157 Class Forum
- 70 LFS158 Class Forum
- LFS158-JP クラス フォーラム
- 5 LFS162 Class Forum
- 1 LFS166 Class Forum
- 3 LFS167 Class Forum
- 1 LFS170 Class Forum
- 1 LFS171 Class Forum
- 2 LFS178 Class Forum
- 2 LFS180 Class Forum
- 2 LFS182 Class Forum
- 4 LFS183 Class Forum
- 30 LFS200 Class Forum
- 737 LFS201 Class Forum - Discontinued
- 2 LFS201-JP クラス フォーラム
- 21 LFS203 Class Forum
- 118 LFS207 Class Forum
- 2 LFS207-DE-Klassenforum
- LFS207-JP クラス フォーラム
- 302 LFS211 Class Forum
- 55 LFS216 Class Forum
- 54 LFS241 Class Forum
- 43 LFS242 Class Forum
- 37 LFS243 Class Forum
- 13 LFS244 Class Forum
- 6 LFS245 Class Forum
- LFS246 Class Forum
- LFS248 Class Forum
- 111 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 145 LFS253 Class Forum
- LFS254 Class Forum
- 2 LFS255 Class Forum
- 13 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 11 LFS258-JP クラス フォーラム
- 116 LFS260 Class Forum
- 156 LFS261 Class Forum
- 41 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 23 LFS267 Class Forum
- 25 LFS268 Class Forum
- 29 LFS269 Class Forum
- 7 LFS270 Class Forum
- 200 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- 2 LFS147 Class Forum
- LFS274 Class Forum
- 3 LFS281 Class Forum
- 18 LFW111 Class Forum
- 262 LFW211 Class Forum
- 179 LFW212 Class Forum
- 15 SKF100 Class Forum
- SKF200 Class Forum
- 2 SKF201 Class Forum
- 791 Hardware
- 199 Drivers
- 68 I/O Devices
- 37 Monitors
- 98 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 85 Storage
- 754 Linux Distributions
- 82 Debian
- 67 Fedora
- 16 Linux Mint
- 13 Mageia
- 23 openSUSE
- 149 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 351 Ubuntu
- 465 Linux System Administration
- 39 Cloud Computing
- 71 Command Line/Scripting
- Github systems admin projects
- 95 Linux Security
- 78 Network Management
- 101 System Management
- 47 Web Management
- 56 Mobile Computing
- 18 Android
- 28 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 366 Off Topic
- 114 Introductions
- 171 Small Talk
- 26 Study Material
- 534 Programming and Development
- 304 Kernel Development
- 223 Software Development
- 1.8K Software
- 212 Applications
- 182 Command Line
- 3 Compiling/Installing
- 405 Games
- 311 Installation
- 79 All In Program
- 79 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)