Kubernetes v1.12 Problems with kubectl exec











up vote
0
down vote

favorite












I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl







share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday















up vote
0
down vote

favorite












I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl







share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl







share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I’ve been learning about Kubernetes using Kelsey Hightower’s excellent kubernetes-the-hard-way-guide.



Using this guide I’ve installed v1.12 on GCE. Everything works perfectly apart from kubectl exec:



$ kubectl exec -it shell-demo – /bin/bash --kubeconfig=/root/certsconfigs/admin.kubeconfig

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)


Note that I have set KUBECONFIG=/root/certsconfigs/admin.kubeconfig.



Apart from exec all other kubectl functions work as expected with this admin.kubeconfig file, so from that I deduce it valid for use with my cluster.



I’m pretty sure I have made a beginners mistake somewhere, but if somebody could advise where I have gone away, I should be most grateful.



TIA



Shaun



I have double checked that no .kube/config file exists anywhere on my master controller:



root@controller-1:/root/deployment/kubernetes# kubectl get pods

NAME READY STATUS

shell-demo 1/1 Running 0 23m


Here is the output with -v8:



root@controller-1:/root/deployment/kubernetes# kubectl -v8 exec -it shell-demo – /bin/bash

I1118 15:18:16.898428 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.899531 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.900611 11117 loader.go:359] Config loaded from file /root/certsconfigs/admin.kubeconfig

I1118 15:18:16.902851 11117 round_trippers.go:383] GET ://127.0.0.1:6443/api/v1/namespaces/default/pods/shell-demo

I1118 15:18:16.902946 11117 round_trippers.go:390] Request Headers:

I1118 15:18:16.903016 11117 round_trippers.go:393] Accept: application/json, /

I1118 15:18:16.903091 11117 round_trippers.go:393] User-Agent: kubectl/v1.12.0 (linux/amd64) kubernetes/0ed3388

I1118 15:18:16.918699 11117 round_trippers.go:408] Response Status: 200 OK in 15 milliseconds

I1118 15:18:16.918833 11117 round_trippers.go:411] Response Headers:

I1118 15:18:16.918905 11117 round_trippers.go:414] Content-Type: application/json

I1118 15:18:16.918974 11117 round_trippers.go:414] Content-Length: 2176

I1118 15:18:16.919053 11117 round_trippers.go:414] Date: Sun, 18 Nov 2018 15:18:16 GMT

I1118 15:18:16.919218 11117 request.go:942] Response Body: {“kind”:“Pod”,“apiVersion”:“v1”,“metadata”:{“name”:“shell-demo”,“namespace”:“default”,“selfLink”:"/api/v1/namespaces/default/pods/shell-demo",“uid”:“99f320f8-eb42-11e8-a053-42010af0000b”,“resourceVersion”:“13213”,“creationTimestamp”:“2018-11-18T14:59:51Z”},“spec”:{“volumes”:[{“name”:“shared-data”,“emptyDir”:{}},{“name”:“default-token-djprb”,“secret”:{“secretName”:“default-token-djprb”,“defaultMode”:420}}],“containers”:[{“name”:“nginx”,“image”:“nginx”,“resources”:{},“volumeMounts”:[{“name”:“shared-data”,“mountPath”:"/usr/share/nginx/html"},{“name”:“default-token-djprb”,“readOnly”:true,“mountPath”:"/var/run/secrets/kubernetes.io/serviceaccount"}],“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“imagePullPolicy”:“Always”}],“restartPolicy”:“Always”,“terminationGracePeriodSeconds”:30,“dnsPolicy”:“ClusterFirst”,“serviceAccountName”:“default”,“serviceAccount”:“default”,“nodeName”:“worker-1”,“securityContext”:{},“schedulerName”:“default-scheduler”,“tolerations”:[{“key”:"node.kubernet [truncated 1152 chars]

I1118 15:18:16.925240 11117 round_trippers.go:383] POST …

error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)





kubernetes exec kubectl




kubernetes exec kubectl






share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Rico

23.9k94864




23.9k94864






New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









user3115872

1




1




New contributor




user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






user3115872 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday


















  • Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
    – mk_sta
    yesterday
















Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
– mk_sta
yesterday




Have you tried to add --kubelet-client-certificate and --kubelet-client-key flags to kube-apiserver as @Prafull Ladha mentioned in his answer?
– mk_sta
yesterday












1 Answer
1






active

oldest

votes

















up vote
0
down vote













According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer























  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






user3115872 is a new contributor. Be nice, and check out our Code of Conduct.










 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372635%2fkubernetes-v1-12-problems-with-kubectl-exec%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer























  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago















up vote
0
down vote













According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer























  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago













up vote
0
down vote










up vote
0
down vote









According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles







share|improve this answer














According to your logs,the connection between kubectl and the apiserver is fine, and is being authenticated correctly.



To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.



Your kubelet is configured to authenticate/authorize requests, and the apiserver credential is not authorized to make the exec request against the kubelet's API.



Based on the forbidden message, your apiserver is authenticating as the "kubernetes" user to the kubelet.



You can grant that user full permissions to the kubelet API with the following command:



kubectl create clusterrolebinding apiserver-kubelet-admin --user=kubernetes --clusterrole=system:kubelet-api-admin



See the following docs for more information




https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#overview



https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles








share|improve this answer














share|improve this answer



share|improve this answer








edited yesterday









Jordan Liggitt

6,5862421




6,5862421










answered yesterday









Prafull Ladha

739210




739210












  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago


















  • Thanks so much, works fine now.....
    – user3115872
    19 hours ago
















Thanks so much, works fine now.....
– user3115872
19 hours ago




Thanks so much, works fine now.....
– user3115872
19 hours ago










user3115872 is a new contributor. Be nice, and check out our Code of Conduct.










 

draft saved


draft discarded


















user3115872 is a new contributor. Be nice, and check out our Code of Conduct.













user3115872 is a new contributor. Be nice, and check out our Code of Conduct.












user3115872 is a new contributor. Be nice, and check out our Code of Conduct.















 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372635%2fkubernetes-v1-12-problems-with-kubectl-exec%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

Image
28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
Read more

ts Property 'filter' does not exist on type '{}'

Image
1 I'm trying to follow Angular Material guide to create a custom filter for autocomplete input text https://material.angular.io/components/autocomplete/overview This is what I have TS import { Component, OnInit } from '@angular/core'; import { TemplateRef } from '@angular/core'; import { FormControl } from "@angular/forms"; import { Observable } from "rxjs"; import { map, startWith, filter } from 'rxjs/operators'; (...) export class AppComponent implements OnInit { title = 'Your Profile'; displayedColumns: string = ['selected', 'name', 'description', 'pnr']; dataSource = ELEMENT_DATA; myControl = new FormControl(); options: any = ['One', 'Two', 'Three']; filteredOptions:
Read more

mat-slide-toggle shouldn't change it's state when I click cancel in confirmation window

Image
1 When I checked the slide toggle it should work as expected. But when I try to uncheck it there is a confirmation window asking if you are sure. When I click cancel in that confirmation window, still the toggle changes to unchecked, which shouldn't happen. It should stay in the same state. Here is my Html and TS Code // html <mat-slide-toggle (change)="change($event)" [checked]="isChecked()" > To-pay </mat-slide-toggle> TS code: // ts change(e) { if(this.checked) { if(confirm("Are you sure")) { console.log("toggle") } else { e.stopPropagation(); console.log("toggle should not change if I click the cancel button") }
Read more