Kubernetes v1.12 Problems with kubectl exec











up vote
0
down vote

favorite












I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl







share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday















up vote
0
down vote

favorite












I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl







share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl







share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl




kubernetes exec kubectl






share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Rico

23.9k94864




23.9k94864






New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









user3115872

1




1




New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday


















  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday
















Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
– mk_sta
yesterday




Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
– mk_sta
yesterday












1 Answer
1






active

oldest

votes

















up vote
0
down vote













According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer























  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






user3115872 is a new contributor. Be nice, and check out our Code of Conduct.










 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372635%2fkubernetes-v1-12-problems-with-kubectl-exec%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer























  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago















up vote
0
down vote













According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer























  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago













up vote
0
down vote










up vote
0
down vote









According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer














According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles








share|improve this answer














share|improve this answer



share|improve this answer








edited yesterday









Jordan Liggitt

6,5862421




6,5862421










answered yesterday









Prafull Ladha

739210




739210












  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago


















  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago
















Thanks so much, works fine now.....
– user3115872
19 hours ago




Thanks so much, works fine now.....
– user3115872
19 hours ago










user3115872 is a new contributor. Be nice, and check out our Code of Conduct.










 

draft saved


draft discarded


















user3115872 is a new contributor. Be nice, and check out our Code of Conduct.













user3115872 is a new contributor. Be nice, and check out our Code of Conduct.












user3115872 is a new contributor. Be nice, and check out our Code of Conduct.















 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372635%2fkubernetes-v1-12-problems-with-kubectl-exec%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

'app-layout' is not a known element: how to share Component with different Modules

Image
0 My application was working fine until I decided to go with lazy loading: So, my shared component looks like this: import { Component, Renderer2 } from '@angular/core'; export interface FormModel { captcha?: string; } @Component({ selector: 'app-layout', templateUrl: './app-layout.component.html', styleUrls: ['./app-layout.css'] }) export class FullLayoutComponent { } app-layout.component.ts I am using this component in my Another component say school-home.component.html like this: <app-layout> </app-layout> and it was working fine until I created a Module school-home.module.ts like this: import { NgModule } from '@angular/core'; import { CommonModule } from '@angular/common'; import { SchoolhomeRoutingModule
Read more

android studio warns about leanback feature tag usage required on manifest while using Unity exported app?

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 This is a simple project showing cubes on Unity, exported to android project and imported on Android studio. On maifest file it showed following warning: Expecting <uses-feature android:name="android.software.leanback" android:required="false" /> tag I have no information about it. And also on default emptyview android project does not use/mention this feature. I know it is required by TV's and such but why its not added by default? Why is this? And Should I concern about it? android unity3d
Read more

SQL update select statement

Image
0 I'm trying to update an entry in my database (postgresql). I'm having a problem with updating the query: INSERT INTO prices (price, product_id) SELECT product_price, commn_id FROM products_temp as prod WHERE NOT EXISTS (SELECT * FROM prices od WHERE prod.commn_id = od.product_id) OR prod.product_price != ( SELECT price FROM prices as p WHERE p.product_id = prod.commn_id order by p.end desc LIMIT 1 ) Query works fine when i delete: OR prod.product_price != ( SELECT price FROM prices as p WHERE p.product_id = prod.commn_id order by p.end desc LIMIT 1 ) So it seems to me that it's looping through this operation. My question is, how can I fix it? sql postgresql
Read more