mmumshad / kubernetes-the-hard-way

Bootstrap Kubernetes the hard way on Vagrant on Local Machine. No scripts.
Apache License 2.0

error: unable to upgrade connection: Forbidden #223

Closed Proton23 closed 2 years ago

Proton23 commented 3 years ago

Hello, I followed every step (twice), but if I execute "kubectl exec -ti busybox -- nslookup kubernetes" from chapter 14-dns-addon, I get this: error: unable to upgrade connection: Forbidden (user=kube-apiserver, verb=create, resource=nodes, subresource=proxy)

What could be the problem?

ChauAnhTuan commented 3 years ago

I had the same error.

ChauAnhTuan commented 3 years ago

Let's follow this guide to fix it. https://github.com/mmumshad/kubernetes-the-hard-way/blob/117d415d9ae20f205b8f8b28325af539687e5acc/docs/14-kube-apiserver-to-kubelet.md

Proton23 commented 3 years ago

Okay, I will give it a try.

dcardozoo commented 3 years ago

Let's follow this guide to fix it. https://github.com/mmumshad/kubernetes-the-hard-way/blob/117d415d9ae20f205b8f8b28325af539687e5acc/docs/14-kube-apiserver-to-kubelet.md

The documentation there is not correct. If you follow these steps, you still get: error: unable to upgrade connection: Forbidden (user=kube-apiserver, verb=create, resource=nodes, subresource=proxy)

The reason for that is that in the certificate generation section for the kube-apiserver, while generating the CSR with "openssl req -new -key kube-apiserver.key -subj "/CN=kube-apiserver" -out kube-apiserver.csr -config openssl.cnf", the CN is set to kube-apiserver, and that should be set to system:kube-apiserver.

To fix this, you just need to change the subject user to kube-apiserver:

# Bind the role to the user name the API server actually authenticates as,
# i.e. the CN of its client certificate ("kube-apiserver" in this guide):
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 of the RBAC API was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kube-apiserver   # must equal the certificate CN, not system:kube-apiserver
EOF

That will do the trick!

Also, there is no need to set up a new ClusterRole; there is already the system:kubelet-api-admin which gives the same rights 😄 .
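The mismatch dcardozoo describes (certificate CN vs. RBAC subject) can be checked mechanically before applying a binding. The script below is an added example, not code from the repository or from anyone in this thread; it assumes openssl and awk are installed, and the fixture it builds (a self-signed cert and a minimal ClusterRoleBinding manifest) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the repository or from anyone in this thread.
# With client-certificate auth the kubelet sees the API server as the user
# named in the certificate's CN (groups come from O), so a ClusterRoleBinding
# that names a different user never matches. This compares the CN of a PEM
# certificate with the user named in a ClusterRoleBinding manifest.
# Assumes openssl and awk are installed; file paths are passed as arguments.
set -eu

# Print the CN of a PEM certificate, i.e. the username it authenticates as.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Print the first "kind: User" subject name in a ClusterRoleBinding manifest.
# Line-oriented parsing suits the short manifests in this guide; it is not a
# general YAML parser.
binding_user() {
  awk '/kind: *User/ {u=1} u && /name:/ {sub(/.*name: */, ""); print; exit}' "$1"
}

# Return 0 when the certificate CN equals the bound user, 1 with a diagnosis otherwise.
check_binding() {
  cn=$(cert_cn "$1"); user=$(binding_user "$2")
  if [ "$cn" = "$user" ]; then
    echo "OK: certificate CN '$cn' matches the bound user"
  else
    echo "MISMATCH: cert authenticates as '$cn' but the binding grants '$user'" >&2
    return 1
  fi
}

# Constructed fixture: self-signed cert with CN $1 plus a binding naming user $2;
# prints the temp directory holding apiserver.crt and crb.yaml.
make_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$d/apiserver.key" -out "$d/apiserver.crt" 2>/dev/null
  printf 'kind: ClusterRoleBinding\nmetadata:\n  name: system:kube-apiserver\nsubjects:\n  - apiGroup: rbac.authorization.k8s.io\n    kind: User\n    name: %s\n' "$2" > "$d/crb.yaml"
  echo "$d"
}

# Reproduce the thread: CN=kube-apiserver in the cert vs. system:kube-apiserver in the binding.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_fixture kube-apiserver system:kube-apiserver)
  check_binding "$d/apiserver.crt" "$d/crb.yaml" || true
  rm -rf "$d"
fi
```

Run it with --demo to see the MISMATCH line for the exact combination from this issue; point check_binding at your real kube-apiserver.crt and binding manifest to check a cluster.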

fireflycons commented 2 years ago

Hi @Proton23 @ChauAnhTuan @dcardozoo

We have now merged a major change to bring this to v1.24. This has been addressed as part of the upgrade. Please try it now and feel free to raise further issues.

Thanks.