Thank You, MR for the reply. The goal here is to enable kubernetes dashboard.
It looks like I am using 'system:node:' role and it is trying to touch 'kube-system' namespace which it does not have enough privilege to. What are the recommendations here? Do you recommend any good read that deals with editing/playing with RBAC? Also, somewhere I found that messing with 'system:node:' is not recommended. Regards, Alwin On Tue, Mar 6, 2018 at 12:43 AM, 'Matthias Rampke' via Kubernetes user discussion and Q&A <kubernetes-users@googlegroups.com> wrote: > It looks like you're having permissions issues. Check your RBAC roles and > bindings. Which credentials is kubectl using? What permissions do these > have? > > (I'm afraid that's as far as I can help you, my knowledge here is hazy). > > /MR > > On Tue, Mar 6, 2018, 07:09 <jamea...@gmail.com> wrote: > >> >> Hello, I am a newbie to Kubernetes world. >> Am facing some issues with my cluster setup. >> Getting below error while running: >> >> [root@vmdoccXXXX alwin]# kubectl apply -f https://docs.projectcalico. >> org/v3.0/getting-started/kubernetes/installation/ >> hosted/kubeadm/1.7/calico.yaml >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc420316300 0xc4201469a0 kube-system calico-config >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc4212c6748 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": configmaps >> "calico-config" is forbidden: User "system:node:vmdoccXXXX.example.com" >> cannot get configmaps in the namespace "kube-system": no path found to >> object >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc420316480 0xc4203bf180 kube-system calico-etcd >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc422974078 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> daemonsets.extensions "calico-etcd" is forbidden: User "system:node: >> vmdoccXXXX.example.com" cannot get daemonsets.extensions in the >> namespace "kube-system" >> Error from server (Forbidden): error when creating " >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": services is >> forbidden: User "system:node:vmdoccXXXX.example.com" cannot create >> services in the namespace "kube-system" >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f6a80 0xc420208700 kube-system calico-node >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a098 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> daemonsets.extensions "calico-node" is forbidden: User "system:node: >> vmdoccXXXX.example.com" cannot get daemonsets.extensions in the >> namespace "kube-system" >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f6e40 0xc4203e42a0 kube-system calico-kube-controllers >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a148 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> deployments.extensions "calico-kube-controllers" is forbidden: User >> "system:node:vmdoccXXXX.example.com" cannot get deployments.extensions >> in the namespace "kube-system" >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f7080 0xc420306d90 calico-cni-plugin >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a1e0 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> clusterrolebindings.rbac.authorization.k8s.io "calico-cni-plugin" is >> forbidden: User "system:node:vmdoccXXXX.example.com" cannot get >> clusterrolebindings.rbac.authorization.k8s.io at the cluster scope >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f7140 0xc4205ba230 calico-cni-plugin >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a298 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> clusterroles.rbac.authorization.k8s.io "calico-cni-plugin" is forbidden: >> User "system:node:vmdoccXXXX.example.com" cannot get clusterroles.rbac. >> authorization.k8s.io at the cluster scope >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f7200 0xc4205baee0 kube-system calico-cni-plugin >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a320 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": serviceaccounts >> "calico-cni-plugin" is forbidden: User "system:node:vmdoccXXXX. >> example.com" cannot get serviceaccounts in the namespace "kube-system" >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f72c0 0xc4206203f0 calico-kube-controllers >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a3a8 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> clusterrolebindings.rbac.authorization.k8s.io "calico-kube-controllers" >> is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get >> clusterrolebindings.rbac.authorization.k8s.io at the cluster scope >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f7380 0xc420621b90 calico-kube-controllers >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a450 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": >> clusterroles.rbac.authorization.k8s.io "calico-kube-controllers" is >> forbidden: User "system:node:vmdoccXXXX.example.com" cannot get >> clusterroles.rbac.authorization.k8s.io at the cluster scope >> Error from server (Forbidden): error when retrieving current >> configuration of: >> &{0xc4200f7440 0xc420c42770 kube-system calico-kube-controllers >> https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a4c0 >> false} >> from server for: "https://docs.projectcalico.org/v3.0/getting-started/ >> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": serviceaccounts >> "calico-kube-controllers" is forbidden: User "system:node:vmdoccXXXX. >> example.com" cannot get serviceaccounts in the namespace "kube-system" >> >> >> Seems like I am missing something. >> Any help is much appreciated. :-) >> >> Regards, >> Alwin >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Kubernetes user discussion and Q&A" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to kubernetes-users+unsubscr...@googlegroups.com. >> To post to this group, send email to kubernetes-users@googlegroups.com. >> Visit this group at https://groups.google.com/group/kubernetes-users. >> For more options, visit https://groups.google.com/d/optout. >> > -- > You received this message because you are subscribed to a topic in the > Google Groups "Kubernetes user discussion and Q&A" group. > To unsubscribe from this topic, visit https://groups.google.com/d/ > topic/kubernetes-users/UzOfzyW1WsA/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > kubernetes-users+unsubscr...@googlegroups.com. > To post to this group, send email to kubernetes-users@googlegroups.com. > Visit this group at https://groups.google.com/group/kubernetes-users. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group. To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscr...@googlegroups.com. To post to this group, send email to kubernetes-users@googlegroups.com. Visit this group at https://groups.google.com/group/kubernetes-users. For more options, visit https://groups.google.com/d/optout.
