Welcome to the Linux Foundation Forum!

Lab 6.1. RESTful API Access

On step 5 I saw a failure status:

student@cp:~$ curl https://192.168.100.202:6443/apis --header "Authorization: Bearer $token" -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/apis\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

any idea or comment about this error?

thanks,
Arturo


Comments

  • Posts: 2,443

    Hi @eporart,

    The IP address used in the curl command may be the key, however, I'd like to find out a few details about your cluster to be certain:

    1. What node/VM/pod is assigned IP 192.168.100.202?
    2. What are the IP addresses of the cluster nodes?
    3. What IP subnet is used for pods? (found in the calico.yaml and the kubeadm-config.yaml files)

    Regards,
    -Chris

  • Posts: 57

    @eporart I think it's because you simply copy-pasted the following command from the training material and didn't fix the secret name.

    export token=$(kubectl describe \
    secret default-token-jdqp7 | grep ^token | cut -f7 -d' ')

    You can just check whether your token env variable is empty using the command echo $token.

    By the way, I've just found that service account tokens are not automatically available in secrets in 1.24+. Thus if you want to have one you have to create it manually.

  • Posts: 26

    Thanks for your feedback.

    This command worked for me:

    student@cp:~$ kubectl create clusterrolebinding cluster-system-anonymons --clusterrole=cluster-admin --user=system:anonymous

    clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymons created

    student@cp:~$ curl https://k8scp:6443/apis --header "Authorization: Bearer $token" -k
    {
    "kind": "APIGroupList",
    "apiVersion": "v1",
    "groups": [
    {
    "name": "apiregistration.k8s.io",
    "versions": [

  • Posts: 57
    edited June 2022

    @eporart You just gave the anonymous user the cluster-admin role and opened a big security hole in your cluster...

  • Posts: 26

    @oleksazhel, sure, thanks for your information. Let me try your recommendation.

  • In the same exercise, in my test deployment using kubeadm init/join, I was missing the bearer token, so I had to create that secret. Instructions here:

    https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/

    Specifically:

    # Create a secret to hold a token for the default service account
    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: default-token
      annotations:
        kubernetes.io/service-account.name: default
    type: kubernetes.io/service-account-token
    EOF

    After that, the rest of the exercise worked.
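
The script below is an added example, not part of the lab and not posted by anyone in this thread. It ties the three findings above together offline: the `grep ^token | cut -f7 -d' '` pipeline from the exercise silently yields an empty `$token` when the secret name is wrong or the cluster is 1.24+ with no token secret (kubectl's NotFound error goes to stderr, so the pipeline reads nothing); curl then sends `Authorization: Bearer ` with nothing after it, the API server treats that as no credential, and the 403 names system:anonymous. That is a missing-credential problem, not an RBAC problem, so binding cluster-admin to system:anonymous "fixes" it only by making the whole API world-readable and world-writable. The `kubectl describe secret` listing and the JWT in the script are constructed for the demo and no cluster is contacted; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the lab or the thread). Reproduces, offline, why an
# empty $token turns a curl with a bearer header into an anonymous request,
# and shows the checks that would have caught it. All data below is constructed.
set -eu

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }

# JWTs strip base64 padding; restore it before decoding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d
}

# Constructed stand-in for a legacy service-account token. The signature is
# not real; only the claims matter here and nothing verifies them locally.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"constructed"}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:default"}').$(b64url_encode 'constructed-signature')"

# Constructed `kubectl describe secret default-token-jdqp7` output. The lab's
# cut -f7 only works because kubectl prints exactly six spaces after "token:".
SAMPLE_DESCRIBE="Name:         default-token-jdqp7
Namespace:    default
Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  7 bytes
token:      ${SAMPLE_TOKEN}"

# The lab's pipeline, as written in the exercise.
lab_extract() { printf '%s\n' "$1" | grep '^token' | cut -f7 -d' '; }

# Whitespace-tolerant equivalent.
robust_extract() { printf '%s\n' "$1" | awk '/^token:/ {print $2}'; }

# The header curl sends for a given $token. With an empty token it is
# "Authorization: Bearer " and the API server sees no credential at all.
auth_header() { printf 'Authorization: Bearer %s' "$1"; }

# Refuse to continue with an empty token instead of silently going anonymous.
require_token() {
  if [ -z "${1:-}" ]; then
    echo "token is empty: wrong secret name, or a 1.24+ cluster with no token secret" >&2
    return 1
  fi
}

# Subject claim from the JWT payload (second dot-separated segment). Only the
# API server verifies the signature; this is a sanity check on which identity
# the token would present, not a trust decision.
jwt_sub() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

main() {
  token=$(lab_extract "$SAMPLE_DESCRIBE")
  require_token "$token"
  echo "good case: token presents $(jwt_sub "$token")"

  # Wrong secret name: kubectl wrote only to stderr, so the pipeline read nothing.
  token=$(lab_extract "")
  echo "bad case: header would be '$(auth_header "$token")'"
  require_token "$token" || echo "stop here; do not send the request as system:anonymous"
}
main
```

Once a real token is in `$token`, `/apis` works without any extra RBAC: the built-in `system:discovery` ClusterRole is bound to `system:authenticated`, which is the group every valid service account token lands in. The binding created earlier in this thread should be removed with `kubectl delete clusterrolebinding cluster-system-anonymons`, and `kubectl auth can-i get /apis --as=system:anonymous` should then answer `no`. On 1.24+ the secret shown in the previous post is one option; `kubectl create token default` is the other, and it issues a short-lived token without storing anything in a Secret.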
