fabric8io / fabric8

fabric8 is an open source microservices platform based on Docker, Kubernetes and Jenkins
http://fabric8.io/

GET at: https://kubernetes.default.svc/oapi/v1/users/~. Message: Unauthorized! Configured service account doesn't have access #5978

Open cmoulliard opened 8 years ago

cmoulliard commented 8 years ago

Apiman reports this error within its log when we open the Apiman GUI Manager

17:12:47,423 DEBUG Calling k8s to validate header abd obtain username and role for token C987zhRN5edMNBp7E9Ne7kgQwyU-qYSKn3sKKEnrKX4
17:12:47,495 ERROR Exception determining user's info.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/oapi/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked..
dabou:~/Fuse/projects/fabric8/fabric8-installer/vagrant/openshift$ more log-apiman.txt | grep -B 10 -A 20 -i "Calling k8s"
17:12:47,419 DEBUG context=/apiman||/currentuser/info @ o.e.j.s.ServletContextHandler@35fc6dc4{/apiman,null,AVAILABLE}
17:12:47,419 DEBUG sessionManager=org.eclipse.jetty.server.session.HashSessionManager@77e4c80f
17:12:47,419 DEBUG session=null
17:12:47,420 DEBUG servlet /apiman||/currentuser/info -> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher-60611244@3934222e==org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher,-1,true
17:12:47,420 DEBUG chain=io.apiman.common.servlet.LocaleFilter-7d68ef40->io.apiman.common.servlet.ApimanCorsFilter-212bf671->io.apiman.common.servlet.DisableCachingFilter-2aece37d->io.fabric8.apiman.rest.BootstrapFilter-17c386de->io.fabric8.apiman.rest.BearerTokenFilter-1d548a08->io.fabric8.apiman.rest.Kubernetes2ApimanFilter-691a7f8f->io.apiman.manager.api.security.impl.DefaultSecurityContextFilter-53ca01a2->io.apiman.common.servlet.RootResourceFilter-48524010->io.apiman.manager.api.micro.ManagerApiMicroServiceTxWatchdogFilter-23282c25->org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher-60611244@3934222e==org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher,-1,true
17:12:47,420 DEBUG call filter io.apiman.common.servlet.LocaleFilter-7d68ef40
17:12:47,422 DEBUG call filter io.apiman.common.servlet.ApimanCorsFilter-212bf671
17:12:47,422 DEBUG call filter io.apiman.common.servlet.DisableCachingFilter-2aece37d
17:12:47,422 DEBUG call filter io.fabric8.apiman.rest.BootstrapFilter-17c386de
17:12:47,422 DEBUG call filter io.fabric8.apiman.rest.BearerTokenFilter-1d548a08
17:12:47,423 DEBUG Calling k8s to validate header abd obtain username and role for token C987zhRN5edMNBp7E9Ne7kgQwyU-qYSKn3sKKEnrKX4
17:12:47,495 ERROR Exception determining user's info.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/oapi/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked..
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:290)
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:241)
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:212)
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:205)
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:510)
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:118)
    at io.fabric8.apiman.rest.BearerTokenFilter.getUserInfoFromK8s(BearerTokenFilter.java:204)
    at io.fabric8.apiman.rest.BearerTokenFilter$1.load(BearerTokenFilter.java:91)
    at io.fabric8.apiman.rest.BearerTokenFilter$1.load(BearerTokenFilter.java:89)
    at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542)
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323)
    at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
    at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
    at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
    at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875)
    at io.fabric8.apiman.rest.BearerTokenFilter.doFilter(BearerTokenFilter.java:111)

fabric8 is the ServiceAccount defined within the pom.xml file of Apiman

 <fabric8.serviceAccount>fabric8</fabric8.serviceAccount>

Namespace used : default

[vagrant@vagrant ~]$ oc describe clusterPolicyBindings :default
Name:                       :default
Created:                    32 hours ago
Labels:                     <none>
Annotations:                    <none>
Last Modified:                  2016-04-26 16:24:45 +0000 UTC
Policy:                     <none>
RoleBinding[basic-users]:
                        Role:           basic-user
                        Users:          <none>
                        Groups:         system:authenticated
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[cluster-admins]:
                        Role:           cluster-admin
                        Users:          admin
                        Groups:         system:cluster-admins
                        ServiceAccounts:    default/fabric8, default/jenkins
                        Subjects:       <none>
RoleBinding[cluster-readers]:
                        Role:           cluster-reader
                        Users:          <none>
                        Groups:         system:cluster-readers, system:serviceaccounts
                        ServiceAccounts:    default/metrics, default/fluentd
                        Subjects:       <none>
RoleBinding[cluster-status-binding]:
                        Role:           cluster-status
                        Users:          <none>
                        Groups:         system:authenticated, system:unauthenticated
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[self-provisioners]:
                        Role:           self-provisioner
                        Users:          <none>
                        Groups:         system:authenticated:oauth
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:build-controller]:
                        Role:           system:build-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/build-controller
                        Subjects:       <none>
RoleBinding[system:daemonset-controller]:
                        Role:           system:daemonset-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/daemonset-controller
                        Subjects:       <none>
RoleBinding[system:deployment-controller]:
                        Role:           system:deployment-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/deployment-controller
                        Subjects:       <none>
RoleBinding[system:discovery-binding]:
                        Role:           system:discovery
                        Users:          <none>
                        Groups:         system:authenticated, system:unauthenticated
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:gc-controller]:
                        Role:           system:gc-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/gc-controller
                        Subjects:       <none>
RoleBinding[system:hpa-controller]:
                        Role:           system:hpa-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/hpa-controller
                        Subjects:       <none>
RoleBinding[system:job-controller]:
                        Role:           system:job-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/job-controller
                        Subjects:       <none>
RoleBinding[system:masters]:
                        Role:           system:master
                        Users:          <none>
                        Groups:         system:masters
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:namespace-controller]:
                        Role:           system:namespace-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/namespace-controller
                        Subjects:       <none>
RoleBinding[system:node-admins]:
                        Role:           system:node-admin
                        Users:          system:master
                        Groups:         system:node-admins
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:node-proxiers]:
                        Role:           system:node-proxier
                        Users:          <none>
                        Groups:         system:nodes
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:nodes]:
                        Role:           system:node
                        Users:          <none>
                        Groups:         system:nodes
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:oauth-token-deleters]:
                        Role:           system:oauth-token-deleter
                        Users:          <none>
                        Groups:         system:authenticated, system:unauthenticated
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:pv-binder-controller]:
                        Role:           system:pv-binder-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/pv-binder-controller
                        Subjects:       <none>
RoleBinding[system:pv-provisioner-controller]:
                        Role:           system:pv-provisioner-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/pv-provisioner-controller
                        Subjects:       <none>
RoleBinding[system:pv-recycler-controller]:
                        Role:           system:pv-recycler-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/pv-recycler-controller
                        Subjects:       <none>
RoleBinding[system:registrys]:
                        Role:           system:registry
                        Users:          <none>
                        Groups:         system:registries
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:replication-controller]:
                        Role:           system:replication-controller
                        Users:          <none>
                        Groups:         <none>
                        ServiceAccounts:    openshift-infra/replication-controller
                        Subjects:       <none>
RoleBinding[system:routers]:
                        Role:           system:router
                        Users:          <none>
                        Groups:         system:routers
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:sdn-readers]:
                        Role:           system:sdn-reader
                        Users:          <none>
                        Groups:         system:nodes
                        ServiceAccounts:    <none>
                        Subjects:       <none>
RoleBinding[system:webhooks]:
                        Role:           system:webhook
                        Users:          <none>
                        Groups:         system:authenticated, system:unauthenticated
                        ServiceAccounts:    <none>
                        Subjects:       <none>
cmoulliard commented 8 years ago

This piece of code (part of the Bearer Token Filter) is working locally

Output

https://gist.github.com/cmoulliard/f277724b4371862d018dff84035c0cba

Code

https://gist.github.com/cmoulliard/8187710903ba975c9477c9438e06a5cc

I will check with @KurtStam, Marc Savy

pires commented 8 years ago

I seem to be having the same issue here with the Elasticsearch discovery plug-in. /cc jimmidyson

jimmidyson commented 8 years ago

Are you sure the service account token mounted in the pod is valid?

ashmere commented 8 years ago

@jimmidyson @pires yes, I'm also seeing this with the elasticsearch discovery plugin. I've docker exec'd into the pod and confirmed the service account is mounted:

docker exec -it 585006a26a61 /bin/bash
bash-4.3# ls -la /var/run/secrets/kubernetes.io/serviceaccount/
total 8
drwxrwxrwt    3 root     root           140 Oct 17 13:39 .
drwxr-xr-x    3 root     root          4096 Oct 17 13:39 ..
drwxr-xr-x    2 root     root           100 Oct 17 13:39 ..109810_17_10_13_39_50.409513327
lrwxrwxrwx    1 root     root            33 Oct 17 13:39 ..data -> ..109810_17_10_13_39_50.409513327
lrwxrwxrwx    1 root     root            13 Oct 17 13:39 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root            16 Oct 17 13:39 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root            12 Oct 17 13:39 token -> ..data/token

I'm seeing this with kubernetes 1.4.0

jimmidyson commented 8 years ago

Mounted doesn't necessarily mean valid... especially if you're using RBAC.

In the pod, can you try running curl -vvv -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/endpoints/<SERVICE_NAME>? You should see some output which hopefully includes the error.

madchap commented 7 years ago

Hi there,

Starting off really with k8s, launching some elasticsearch deployment... but I am getting the same error (yet, not all the time?). I am running on a multinode setup of coreos-kubernetes with the fabric8 elasticsearch discovery plugin at https://github.com/fabric8io/elasticsearch-cloud-kubernetes.

Running the command as specified in the last post from the pod itself seems satisfactory:

< $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/es/endpoints/es -k
* Hostname was NOT found in DNS cache
*   Trying 10.3.0.1...
* Connected to kubernetes.default.svc (10.3.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=kube-apiserver-172.17.4.101
*        start date: 2017-03-11 09:39:04 GMT
*        expire date: 2018-03-11 09:39:04 GMT
*        issuer: CN=kube-ca
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /api/v1/namespaces/es/endpoints/es HTTP/1.1
> User-Agent: curl/7.38.0
> Host: kubernetes.default.svc
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJlcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJlbGFzdGljc2VhcmNoLXRva2VuLWRiOGhxIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImVsYXN0aWNzZWFyY2giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkZjlmNTFmNi0wNzY5LTExZTctOThlNy0wODAwMjdkYmZhNGEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZXM6ZWxhc3RpY3NlYXJjaCJ9.BdjVC7CFELAdF93WMbHmLaaZmNr-C0CtNyPuwHbs6GKKIzVOs--v_9c6M2lqMSsYa1WtzuQ3T5piRZM0Oo0ZPsL7Ljb2N6_XJbl6TkqD2Lgj6HHCEX1hnsl_Xc964EURIDWUrBj1WvTZkIDniYQdl3cFQjbfhjG7AwvSSnFuNd8Nl53MdX5Iu8nnpOJodf40ktWlF804ZxSz9HspQqQIOv5aCb9bVrszvt5bypou2zVM3LfAOA1lyA9YIk6U8rq4tp6k9w2ErbjMk0OE8LTlKO1Iik_M-MDlJOHOYxHrq8g9UQQ0JG2Y9tvFUDGWcjBi47eJIoJLMjM4V6hzUnH7NQ
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Sun, 12 Mar 2017 21:25:16 GMT
< Content-Length: 402
<
{
  "kind": "Endpoints",
  "apiVersion": "v1",
  "metadata": {
    "name": "es",
    "namespace": "es",
    "selfLink": "/api/v1/namespaces/es/endpoints/es",
    "uid": "dfac7573-0769-11e7-98e7-080027dbfa4a",
    "resourceVersion": "223570",
    "creationTimestamp": "2017-03-12T21:21:36Z",
    "labels": {
      "app": "es",
      "env": "sandbox",
      "tier": "backend"
    }
  },
  "subsets": []
* Connection #0 to host kubernetes.default.svc left intact

Versions:

Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.3", GitCommit:"029c3a408176b55c30846f0faedf56aae5992e9b", GitTreeState:"clean", BuildDate:"2017-02-15T06:40:50Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.3+coreos.0", GitCommit:"8fc95b64d0fe1608d0f6c788eaad2c004f31e7b7", GitTreeState:"clean", BuildDate:"2017-02-15T19:52:15Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
madchap commented 7 years ago

OK, I really have to have random outcomes here... was working peachy last night, re-fired up my vagrant coreos-kubernetes, and here it is back again :-'(

Running the curl this time shows me unauthorized, this time around. Oddly enough, out of my 8 ES nodes, a few do have access, whereas they share the same yaml...

madchap commented 7 years ago

Worse than that. If I call the curl command over and over again, on the same running container, I am authorized one time, and the next not, etc...
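
The curl check jimmidyson suggested above, and the "authorized one call, unauthorized the next" behaviour described in this comment, can be scripted so the result is less ad hoc. The following is an added example written for this thread; it is not code from fabric8, Apiman or the Elasticsearch plugin. It assumes the standard in-cluster mount shown in ashmere's listing (/var/run/secrets/kubernetes.io/serviceaccount with token, ca.crt and namespace) and the in-cluster API address https://kubernetes.default.svc; the service name, attempt count and the sample token used for the offline self-check are constructed inputs. It first decodes the mounted token's claims (without verifying the signature, which only the API server can do) so you can see which namespace/service account the token actually asserts, then issues the same GET several times and turns the HTTP status histogram into a diagnosis. An HTTP 401 is what the fabric8 client reports as "Unauthorized! Configured service account doesn't have access. Service account may have been revoked."

```python
import base64
import json
import ssl
import sys
import time
import urllib.error
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # standard in-pod mount (assumed)
API = "https://kubernetes.default.svc"                      # in-cluster API address (assumed)


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: base64url with the '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a service-account JWT WITHOUT verifying it.
    The point is to see which namespace/service account the mounted token
    claims to be; trusting it is the API server's job, not ours."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def describe_claims(claims: dict) -> str:
    """One-line summary of the service-account claims Kubernetes puts in the token."""
    prefix = "kubernetes.io/serviceaccount/"
    ns = claims.get(prefix + "namespace", "?")
    sa = claims.get(prefix + "service-account.name", "?")
    secret = claims.get(prefix + "secret.name", "?")
    return f"{ns}/{sa} from secret {secret} (sub={claims.get('sub', '?')})"


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample only: a JWT-shaped string with an empty signature so
    token_claims() can be exercised offline. Any API server would reject it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


def probe(url: str, token: str, cafile: str, attempts: int = 5, pause: float = 0.5) -> dict:
    """GET url with the bearer token `attempts` times and return {status: count}.
    Repeating matters: the thread reports one token accepted on one call and
    rejected on the next, which a single curl would miss."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the mounted cluster CA
    counts: dict = {}
    for _ in range(attempts):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                code = resp.status
        except urllib.error.HTTPError as err:
            code = err.code
        counts[code] = counts.get(code, 0) + 1
        time.sleep(pause)
    return counts


def verdict(counts: dict) -> str:
    """Turn the status histogram into a diagnosis a defender can act on."""
    codes = set(counts)
    if codes == {200}:
        return "ok: token accepted on every attempt"
    if 200 in codes and 401 in codes:
        return ("intermittent 401: the same token was accepted and rejected; one known cause is "
                "API server replicas that do not all trust the same service-account signing key")
    if 401 in codes:
        return "401: the API server does not accept this token (revoked, wrong signing key, or expired)"
    if 403 in codes:
        return "403: token authenticated, but the service account has no role binding for this resource"
    return f"unexpected statuses: {sorted(codes)}"


if __name__ == "__main__":
    # Usage inside the pod: python3 sa_probe.py <service-name> [attempts]
    service = sys.argv[1] if len(sys.argv) > 1 else "es"
    attempts = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    with open(f"{SA_DIR}/namespace") as f:
        namespace = f.read().strip()
    print("token claims:", describe_claims(token_claims(token)))
    url = f"{API}/api/v1/namespaces/{namespace}/endpoints/{service}"
    counts = probe(url, token, f"{SA_DIR}/ca.crt", attempts)
    print("status counts:", counts)
    print(verdict(counts))
```

Reading the claims first separates two different problems: a token that asserts a namespace or service account other than the one you granted a binding to is a deployment mistake, while a correctly-claimed token that still gets 401 (or flaps between 200 and 401) is an API-server trust problem. The script pins the TLS context to the mounted ca.crt rather than passing the equivalent of curl's -k, so a wrong endpoint fails loudly instead of silently sending the token elsewhere.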

lannyMa commented 7 years ago

+1