Kubernetes RBAC unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

I am running Kubernetes 1.6.2 with RBAC enabled. I created a user kube-admin that has the following cluster role binding:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: k8s-admin
subjects:
- kind: User
  name: kube-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

When I try to execute kubectl exec in a running pod, I get the following error.

kubectl -n kube-system exec -it kubernetes-dashboard-2396447444-1t9jk -- /bin/bash
error: unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

I guess I am missing a ClusterRoleBinding ref; which role am I missing?

+4
1 answer

The connection between kubectl and the API is fine and is authorized correctly.

To satisfy the exec request, the apiserver contacts the kubelet running the pod, and this connection is what is being forbidden.

kubelet / , apiserver , kubelet.

, apiserver , - , --kubelet-client-certificate=... --kubelet-client-key=..., API.

. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#overview.

+6
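
A way to triage this error from the shell, as an added example that is not part of the original question or answer: it parses the Forbidden message and checks a kube-apiserver argument string for the two flags the answer names. The function names, result strings, sample argument strings and placeholder paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample inputs are constructed.

# Pull one field (user, verb, resource, subresource) out of a Forbidden error.
# The leading [(, ] keeps "resource" from matching inside "subresource".
forbidden_field() {  # $1 = error line, $2 = field name
  printf '%s\n' "$1" | sed -n "s/.*[(, ]$2=\([^,)]*\).*/\1/p"
}

# True if the argument string sets the flag to a non-empty value.
has_flag() {  # $1 = flag name, $2 = kube-apiserver argument string
  for arg in $2; do
    case "$arg" in "$1"=?*) return 0 ;; esac
  done
  return 1
}

# Classify the error and name the apiserver flags that are absent.
diagnose() {  # $1 = error line, $2 = kube-apiserver argument string
  user=$(forbidden_field "$1" user)
  resource=$(forbidden_field "$1" resource)
  # system:anonymous on the nodes resource: the kubelet saw no credentials.
  if [ "$user" != "system:anonymous" ] || [ "$resource" != "nodes" ]; then
    echo "other-cause"; return 0
  fi
  missing=""
  for flag in --kubelet-client-certificate --kubelet-client-key; do
    has_flag "$flag" "$2" || missing="$missing $flag"
  done
  if [ -n "$missing" ]; then
    echo "apiserver-missing:$missing"
  else
    # Flags are set: next check that the kubelet's --client-ca-file
    # trusts the issuer of this client certificate.
    echo "flags-present"
  fi
}

# Constructed inputs: the error from the question, placeholder flag paths.
ERR='error: unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)'
ARGS_BAD='--authorization-mode=RBAC --secure-port=6443'
ARGS_OK="$ARGS_BAD --kubelet-client-certificate=/path/to/client.crt --kubelet-client-key=/path/to/client.key"

diagnose "$ERR" "$ARGS_BAD"
diagnose "$ERR" "$ARGS_OK"
```

On a real control-plane node the argument string would come from the running kube-apiserver process or its manifest rather than from the constructed samples.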

Source: https://habr.com/ru/post/1678360/

