chectl: Failed to connect to Kubernetes API. Unauthorized #15331
Comments
@rjbaucells

What is

I mean, at first you might need to login to your k8s cluster.
Same here. kubectl works fine, chectl fails (unauthorized). Tried with the following versions:

While digging a little deeper, this might be caused by the checkKubeApi function. I was using a Rancher-created k8s cluster.
The endpoint seems to be fine, but getDefaultAccountServiceToken() is returning the default kubernetes service account. I guess in my case that might be caused by Rancher's authentication handling.
In order to get it running I changed the token to the one in my kubecfg file and everything deploys fine. Would it be an option to use the token given by the kubeconfig file as an alternative, if service account authentication fails (401)?
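The fallback proposed above (try the kubeconfig user's credential first, and only fall back to the default service-account token), written out as an added example. This is not chectl's code; it assumes the kubeconfig has already been parsed into an object, and it abstracts the HTTPS `/healthz` call into a `probe` callback so the selection logic runs offline. The two probes at the bottom are constructed stand-ins: one behaves like a Rancher-style proxy that only honours tokens it issued itself, the other like the cluster's own API server.

```typescript
// Added example, not chectl's code: pick which credential to present to the
// Kubernetes API. The kubeconfig's current user wins (client cert or bearer
// token); the default service-account token is only a fallback.

interface KubeUser {
  name: string;
  token?: string;
  clientCertData?: string;
  clientKeyData?: string;
}
interface KubeConfig {
  currentContext: string;
  contexts: { name: string; cluster: string; user: string }[];
  clusters: { name: string; server: string }[];
  users: KubeUser[];
}

type Credential =
  | { kind: 'bearer'; source: 'kubeconfig' | 'service-account'; token: string }
  | { kind: 'client-cert'; source: 'kubeconfig'; certData: string; keyData: string };

/** Stand-in for the HTTPS call: returns the status code /healthz answered with. */
type Probe = (url: string, cred: Credential) => number;

/** Resolve the server URL and user entry behind the kubeconfig's current context. */
function currentTarget(kc: KubeConfig): { server: string; user: KubeUser } {
  const ctx = kc.contexts.find(c => c.name === kc.currentContext);
  if (!ctx) throw new Error(`context "${kc.currentContext}" not found in kubeconfig`);
  const cluster = kc.clusters.find(c => c.name === ctx.cluster);
  const user = kc.users.find(u => u.name === ctx.user);
  if (!cluster || !user) throw new Error(`context "${ctx.name}" references a missing cluster or user`);
  return { server: cluster.server, user };
}

/** Credentials in the order they should be tried: kubeconfig user first, SA token last. */
function orderedCredentials(user: KubeUser, saToken?: string): Credential[] {
  const creds: Credential[] = [];
  if (user.clientCertData && user.clientKeyData) {
    creds.push({ kind: 'client-cert', source: 'kubeconfig', certData: user.clientCertData, keyData: user.clientKeyData });
  }
  if (user.token) creds.push({ kind: 'bearer', source: 'kubeconfig', token: user.token });
  if (saToken) creds.push({ kind: 'bearer', source: 'service-account', token: saToken });
  return creds;
}

interface VerifyResult { ok: boolean; used?: Credential; statuses: number[] }

/** Try each credential against /healthz; a 401 means "try the next one". */
function verifyKubeApi(kc: KubeConfig, saToken: string | undefined, probe: Probe): VerifyResult {
  const { server, user } = currentTarget(kc);
  const statuses: number[] = [];
  for (const cred of orderedCredentials(user, saToken)) {
    const status = probe(`${server}/healthz`, cred);
    statuses.push(status);
    if (status === 200) return { ok: true, used: cred, statuses };
    if (status !== 401) break; // 403, 5xx etc. are not an authentication-fallback case
  }
  return { ok: false, statuses };
}

// ---- constructed sample data; none of it comes from a real cluster ----
const sampleKubeconfig: KubeConfig = {
  currentContext: 'rancher-dev',
  contexts: [{ name: 'rancher-dev', cluster: 'rancher', user: 'dev-user' }],
  clusters: [{ name: 'rancher', server: 'https://rancher.example.invalid/k8s/clusters/c-CONSTRUCTED' }],
  users: [{ name: 'dev-user', token: 'kubeconfig-token-CONSTRUCTED' }],
};
const sampleSaToken = 'default-sa-token-CONSTRUCTED';

/** Fake Rancher-style proxy: only the token Rancher put in the kubeconfig is accepted. */
const rancherLikeProbe: Probe = (_url, cred) =>
  cred.kind === 'bearer' && cred.token === 'kubeconfig-token-CONSTRUCTED' ? 200 : 401;

/** Fake of the cluster's own API server: it also knows the service-account token. */
const directApiProbe: Probe = (_url, cred) =>
  cred.kind === 'bearer' && (cred.token === sampleSaToken || cred.token === 'kubeconfig-token-CONSTRUCTED') ? 200 : 401;

// Behind the proxy the kubeconfig token succeeds; the SA token alone gets 401.
console.log(verifyKubeApi(sampleKubeconfig, sampleSaToken, rancherLikeProbe));
console.log(verifyKubeApi({ ...sampleKubeconfig, users: [{ name: 'dev-user' }] }, sampleSaToken, rancherLikeProbe));
```

The ordering matters more than the mechanics: whatever kubectl itself uses from the kubeconfig (a client certificate for a named user, or a proxy-issued bearer token) is the credential the front door actually validates, so trying it first avoids the 401 entirely; the service-account token is still reached on a cluster whose API server is contacted directly.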
@nils-mosbach how did you manage to change it to your own token? I've searched the code for getDefaultAccountServiceToken, but couldn't find anything.
In the current chectl master branch it's in /src/api/kube.ts on line 1071. For testing purposes I hard coded my token instead of the function call.

```typescript
async checkKubeApi() {
  const currentCluster = this.kc.getCurrentCluster()
  if (!currentCluster) {
    throw new Error('Failed to get current Kubernetes cluster: returned null')
  }
  /**
   * I changed the following line to something like
   * const token = "MY_SERVICE_ACCOUNT_TOKEN";
   */
  const token = await this.getDefaultServiceAccountToken()
  const agent = new https.Agent({
    rejectUnauthorized: false
  })
  let endpoint = ''
  try {
    endpoint = `${currentCluster.server}/healthz`
    // ...
  } catch (error) {
    // ...
  }
}
```

Replicating the steps of getDefaultServiceAccountToken() ...

```
> kubectl get serviceaccounts
NAME      SECRETS   AGE
default   1         59d

> kubectl describe serviceaccounts default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-q7wz4
Tokens:              default-token-q7wz4
Events:              <none>

> kubectl describe secret default-token-q7wz4
Name:         default-token-q7wz4
Namespace:    default
Labels:       <none>
Annotations:  field.cattle.io/projectId: c-9fvlj:p-d648t
              kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 95e84a44-1af1-43b2-85c8-eb4fd6c0bf93

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1017 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....
```

While I was writing this, the function

```
> chectl server:start --platform k8s --multiuser --self-signed-cert --domain k8s.local --chenamespace dev
  × Verify Kubernetes API
    → Failed to connect to Kubernetes API. E_K8S_API_UNAUTHORIZED - Message: must authenticate
👀 Looking for an already existing Eclipse Che instance
 »   Error: Failed to connect to Kubernetes API. E_K8S_API_UNAUTHORIZED - Message: must authenticate
```
Is there a way to have this utilize the RBAC construct, or at least inherit the token from the kubeconfig file? I'm encountering this issue too.

Hi,

Do I need to encode the secret with base64?

Can someone kindly help me?

me too
I'm running into the same issue, installing Che on Rancher. As far as I understand, the main issue is how Rancher proxies the kube-api server. @nils-mosbach pointed to the code of chectl, which queries the token of the default service account in the default namespace. This token is used by chectl to authenticate to the kube-api server. Unfortunately this API token is only valid for "internal" requests to the API server. Rancher adds additional authentication and authorization mechanisms in front of the Kube API server. Therefore the tokens are validated by Rancher (not by the Kube API server of the cluster). Since the service account token is not known by Rancher, the request of chectl is not forwarded to the internal Kube API server. If possible in your environment, try to directly access the internal Kube API server (e.g. by adding an additional NodePort Service to the Kubernetes API), at least for installing Che.
We've added

@tolusha Thanks! That solved my issue.

I am also running into this issue. However, in my case, I am connecting to the k8s cluster using client certificates with a named user instead of the default accounts. I am able to access and work with the cluster using Is there a way I can ensure that chectl uses the correct context to get around this? The customer cluster is using kubernetes 1.15, and this is not an issue, based on my testing on my own 1.15 based cluster.

I have tried skipping the health check, but it seems other cluster access commands are failing (like checking if the

I also have the same issue; I use PKS to connect to the Kubernetes cluster.

@asavin-cl

Hi, I installed in Rancher following these steps:
5. open new cmd window
Issues go stale after Mark the issue as fresh with If this issue is safe to close now please do so. Moderators: Add
chectl fails to start server on k8s (coreos tectonic) cluster with authentication enabled.

Steps to reproduce

```
chectl server:start
  → Failed to connect to Kubernetes API. Unauthorized
👀 Looking for an already existing Che instance
 ›   Error: Failed to connect to Kubernetes API. Unauthorized
```

Runtime

kubectl configuration file in default location: ~/.kube/config