I'm assuming that request was made as the cluster admin using the certificate credentials. The 403 is not coming from the API server's authorization (or it would indicate which user was rejected), it is coming from something the API server is doing internally.
Looks like here: https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/persistentvolume/label/admission.go#L86

On Fri, Mar 24, 2017 at 2:42 PM, Vyacheslav Semushin <[email protected]> wrote:
> Hello,
>
> you have to provide a token. Without it, you're requesting as an anonymous user:
> "If no access token or certificate is presented, the authentication layer assigns the system:anonymous virtual user and the system:unauthenticated virtual group to the request."
>
> These links could be helpful:
>
> https://docs.openshift.com/enterprise/3.2/architecture/additional_concepts/authentication.html#api-authentication
> https://docs.openshift.com/container-platform/latest/rest_api/index.html#rest-api-examples
>
> 2017-03-24 19:19 GMT+01:00 David VOGEL <[email protected]>:
>
>> I'm unable to create a persistent volume because the API fails (403) trying to list the AWS EBS volumes attached to my EC2 host.
>>
>> I've installed Openshift Origin 1.5.0 on an EC2 host that has an attached EBS volume. I'm running an all-in-one instance.
>>
>> In the oc cli logged in as system:admin
>>
>> I can query the top-level of the restful apis with curl, so CURL_CA_BUNDLE is set correctly:
>>
>> curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v1.5.0 openshift/cf6a722" https://<ip>:8443/oapi/v1
>> and https://<ip>:8443/api/v1
>>
>> But I fail when trying to list resources e.g.: http://<ip>:8443/api/v1/persistentvolumes or policybindings
>>
>> When I try to create a persistent volume with 'oc create -f aws-pv.yaml' the failure occurs in Kubernetes code trying to retrieve EBS volumes using an AWS SDK call to a function named like describe-volumes.
>>
>> I successfully list AWS EBS volumes on my EC2 host using the AWS cli:
>> aws ec2 describe-volumes
>> AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set.
>>
>> Here's the relevant section of the log generated by my 'oc create' call:
>>
>> I0324 08:23:17.827082 17537 round_trippers.go:299] curl -k -v -XPOST -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: oc/v1.4.0+776c994 (linux/amd64) kubernetes/a9e9cf3" https://10.3.1.55:8443/api/v1/persistentvolumes
>> I0324 08:23:17.865710 17537 round_trippers.go:318] POST https://10.3.1.55:8443/api/v1/persistentvolumes 403 Forbidden in 38 milliseconds
>> I0324 08:23:17.865728 17537 round_trippers.go:324] Response Headers:
>> I0324 08:23:17.865738 17537 round_trippers.go:327] Date: Fri, 24 Mar 2017 15:23:17 GMT
>> I0324 08:23:17.865745 17537 round_trippers.go:327] Content-Length: 435
>> I0324 08:23:17.865750 17537 round_trippers.go:327] Cache-Control: no-store
>> I0324 08:23:17.865754 17537 round_trippers.go:327] Content-Type: application/json
>> I0324 08:23:17.865805 17537 request.go:908] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"persistentvolumes \"pv0001\" is forbidden: error querying AWS EBS volume vol-05dffe55de3ac725db: error querying ec2 for volume info: *error listing AWS volumes: UnauthorizedOperation: You are not authorized to perform this operation.*\n\tstatus code: 403, request id:","reason":"Forbidden","details":{"name":"pv0001","kind":"persistentvolumes"},"code":403}
>> I0324 08:23:17.866030 17537 helpers.go:199] server response object: [{
>> "kind": "Status",
>> "apiVersion": "v1",
>> "metadata": {},
>> "status": "Failure",
>> "message": "error when creating \"aws-persistent-volume.yaml\": persistentvolumes \"pv0001\" is forbidden: error querying AWS EBS volume vol-05dffe55de3ac725db: error querying ec2 for volume info: error listing AWS volumes: UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403, request id: ",
>> "reason": "Forbidden",
>> "details": {
>> "name": "pv0001",
>> "kind": "persistentvolumes"
>> },
>> "code": 403
>> }]
>>
>> Thanks in advance,
>> David Vogel
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
> --
> Slava Semushin | OpenShift
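The reply above draws a distinction worth automating when triaging 403s from an OpenShift/Kubernetes API server: an authorizer rejection names the user it rejected, while a 403 raised inside the server (here the PersistentVolumeLabel admission plugin relaying an AWS `UnauthorizedOperation`) does not. The helper below is an added example, not code from the thread or from OpenShift/Kubernetes; the authorizer message wording it matches on and the contrasting anonymous-user Status body are assumptions, while the admission Status body is the one quoted in the thread.

```python
import json
import re

# The API server's authorizer phrases its own 403 as 'User "<name>" cannot <verb> <resource> ...'
# (assumption: wording of Kubernetes 1.5-era forbidden responses).
AUTHZ_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+)')
# An admission plugin that called AWS relays the SDK's error code verbatim.
AWS_RE = re.compile(r'\b(?P<code>UnauthorizedOperation|AccessDenied)\b')
VOLUME_RE = re.compile(r'\b(vol-[0-9a-f]+)\b')


def classify_forbidden(body: str) -> dict:
    """Report which layer produced a 403 Status returned by the API server."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return {"layer": "none"}
    msg = status.get("message", "")
    m = AUTHZ_RE.search(msg)
    if m:
        # The authorizer rejected the caller and says who it was.
        return {"layer": "authorization", **m.groupdict()}
    # Anything else came from inside the API server (here: an admission plugin).
    result = {"layer": "admission",
              "resource": status.get("details", {}).get("kind")}
    aws = AWS_RE.search(msg)
    if aws:
        result["cloud_error"] = aws.group("code")
    vol = VOLUME_RE.search(msg)
    if vol:
        result["volume"] = vol.group(1)
    return result


# Status body from the 'oc create' log quoted in the thread.
ADMISSION_403 = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": ('persistentvolumes "pv0001" is forbidden: error querying AWS EBS '
                'volume vol-05dffe55de3ac725db: error querying ec2 for volume info: '
                'error listing AWS volumes: UnauthorizedOperation: You are not '
                'authorized to perform this operation.\n\tstatus code: 403, request id:'),
    "reason": "Forbidden",
    "details": {"name": "pv0001", "kind": "persistentvolumes"}, "code": 403})

# Constructed contrast case (assumed wording): an authorizer 403 for an anonymous caller.
AUTHZ_403 = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'User "system:anonymous" cannot create persistentvolumes at the cluster scope.',
    "reason": "Forbidden", "code": 403})

if __name__ == "__main__":
    for body in (ADMISSION_403, AUTHZ_403):
        print(classify_forbidden(body))
```

For the admission case the fix lies outside the cluster's RBAC entirely: the credentials the API server process uses for AWS need permission for the EC2 DescribeVolumes call the plugin makes.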
