Thank You, MR for the reply.

The goal here is to enable kubernetes dashboard.

It looks like I am using 'system:node:' role and it is trying to touch
'kube-system' namespace which it does not have enough privilege to.
What are the recommendations here?

Do you recommend any good read that deals with editing/playing with RBAC?
Also, somewhere I found that messing with 'system:node:' is not
recommended.

Regards,
Alwin


On Tue, Mar 6, 2018 at 12:43 AM, 'Matthias Rampke' via Kubernetes user
discussion and Q&A <kubernetes-users@googlegroups.com> wrote:

> It looks like you're having permissions issues. Check your RBAC roles and
> bindings. Which credentials is kubectl using? What permissions do these
> have?
>
> (I'm afraid that's as far as I can help you, my knowledge here is hazy).
>
> /MR
>
> On Tue, Mar 6, 2018, 07:09 <jamea...@gmail.com> wrote:
>
>>
>> Hello, I am a newbie to Kubernetes world.
>> Am facing some issues with my cluster setup.
>> Getting below error while running:
>>
>> [root@vmdoccXXXX alwin]# kubectl apply -f https://docs.projectcalico.
>> org/v3.0/getting-started/kubernetes/installation/
>> hosted/kubeadm/1.7/calico.yaml
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc420316300 0xc4201469a0 kube-system calico-config
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc4212c6748
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": configmaps
>> "calico-config" is forbidden: User "system:node:vmdoccXXXX.example.com"
>> cannot get configmaps in the namespace "kube-system": no path found to
>> object
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc420316480 0xc4203bf180 kube-system calico-etcd
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc422974078
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> daemonsets.extensions "calico-etcd" is forbidden: User "system:node:
>> vmdoccXXXX.example.com" cannot get daemonsets.extensions in the
>> namespace "kube-system"
>> Error from server (Forbidden): error when creating "
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": services is
>> forbidden: User "system:node:vmdoccXXXX.example.com" cannot create
>> services in the namespace "kube-system"
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f6a80 0xc420208700 kube-system calico-node
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a098
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> daemonsets.extensions "calico-node" is forbidden: User "system:node:
>> vmdoccXXXX.example.com" cannot get daemonsets.extensions in the
>> namespace "kube-system"
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f6e40 0xc4203e42a0 kube-system calico-kube-controllers
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a148
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> deployments.extensions "calico-kube-controllers" is forbidden: User
>> "system:node:vmdoccXXXX.example.com" cannot get deployments.extensions
>> in the namespace "kube-system"
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f7080 0xc420306d90  calico-cni-plugin
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a1e0
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> clusterrolebindings.rbac.authorization.k8s.io "calico-cni-plugin" is
>> forbidden: User "system:node:vmdoccXXXX.example.com" cannot get
>> clusterrolebindings.rbac.authorization.k8s.io at the cluster scope
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f7140 0xc4205ba230  calico-cni-plugin
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a298
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> clusterroles.rbac.authorization.k8s.io "calico-cni-plugin" is forbidden:
>> User "system:node:vmdoccXXXX.example.com" cannot get clusterroles.rbac.
>> authorization.k8s.io at the cluster scope
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f7200 0xc4205baee0 kube-system calico-cni-plugin
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a320
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": serviceaccounts
>> "calico-cni-plugin" is forbidden: User "system:node:vmdoccXXXX.
>> example.com" cannot get serviceaccounts in the namespace "kube-system"
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f72c0 0xc4206203f0  calico-kube-controllers
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a3a8
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> clusterrolebindings.rbac.authorization.k8s.io "calico-kube-controllers"
>> is forbidden: User "system:node:vmdoccXXXX.example.com" cannot get
>> clusterrolebindings.rbac.authorization.k8s.io at the cluster scope
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f7380 0xc420621b90  calico-kube-controllers
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a450
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml":
>> clusterroles.rbac.authorization.k8s.io "calico-kube-controllers" is
>> forbidden: User "system:node:vmdoccXXXX.example.com" cannot get
>> clusterroles.rbac.authorization.k8s.io at the cluster scope
>> Error from server (Forbidden): error when retrieving current
>> configuration of:
>> &{0xc4200f7440 0xc420c42770 kube-system calico-kube-controllers
>> https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 0xc420d3a4c0
>> false}
>> from server for: "https://docs.projectcalico.org/v3.0/getting-started/
>> kubernetes/installation/hosted/kubeadm/1.7/calico.yaml": serviceaccounts
>> "calico-kube-controllers" is forbidden: User "system:node:vmdoccXXXX.
>> example.com" cannot get serviceaccounts in the namespace "kube-system"
>>
>>
>> Seems like I am missing something.
>> Any help is much appreciated. :-)
>>
>> Regards,
>> Alwin
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Kubernetes user discussion and Q&A" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to kubernetes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to kubernetes-users@googlegroups.com.
>> Visit this group at https://groups.google.com/group/kubernetes-users.
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/kubernetes-users/UzOfzyW1WsA/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

Reply via email to