NSP

Reputation: 1243

Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope even after granting permission

Even after granting cluster roles to the user, I get Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

I have the following set for the user:

- context:
    cluster: kubernetes
    user: [email protected]
  name: user@kubernetes

set in the ~/.kube/config file

And the below added to admin.yaml to create cluster-role and cluster-rolebindings:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-binding
subjects:
  - kind: User
    name: [email protected]
roleRef:
  kind: ClusterRole
  name: admin-role

When I try the command I still get an error.

kubectl [email protected] get nodes
Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

Can someone please suggest how to proceed?

Upvotes: 4

Views: 32343

Answers (3)

Vladimir Suslov

Reputation: 1

This Kubernetes is nothing but frustration:

Error from server (Forbidden): nodes is forbidden: User "kubernetes-admin" cannot list resource "nodes" in API group "" at the cluster scope

root@kubernetes:~# kubectl cluster-info
Kubernetes control plane is running at https://192.168.1.72:6443
CoreDNS is running at https://192.168.1.72:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

 root@kubernetes:~# kubectl get no -o wide
 NAME         STATUS     ROLES           AGE   VERSION   INTERNAL-IP         EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION       CONTAINER-RUNTIME
 kubernetes   NotReady   control-plane   48m   v1.30.2   192.168.1.72        <none>        Ubuntu 22.04.4 LTS   5.15.0-112-generic   containerd://1.7.18

Upvotes: 0

Mansur Ul Hasan

Reputation: 3606

In my case I was receiving a nearly similar error due to RBAC.

Error

root@k8master:~# kubectl cluster-info dump --insecure-skip-tls-verify=true
Error from server (Forbidden): nodes is forbidden: User "system:anonymous" cannot list resource "nodes" in API group "" at the cluster scope

Solution: As a solution, I did the things below to reconfigure my user to access the cluster:

cd $HOME
sudo whoami
sudo cp /etc/kubernetes/admin.conf $HOME/
sudo chown $(id -u):$(id -g) $HOME/admin.conf
export KUBECONFIG=$HOME/admin.conf
echo "export KUBECONFIG=$HOME/admin.conf" | tee -a ~/.bashrc

After doing the above, when I take a cluster dump I get a result:

root@k8master:~# kubectl cluster-info
Kubernetes master is running at https://192.168.10.15:6443
KubeDNS is running at https://192.168.10.15:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Upvotes: 1

Lorenz

Reputation: 2259

Your problem is not with your ClusterRoleBindings but rather with user authentication. Kubernetes tells you that it identified you as system:anonymous (which is similar to *NIX's nobody) and not [email protected] (to which you applied your binding).

In your specific case the reason for that is that the username flag uses HTTP Basic authentication and needs the password flag to actually do anything. But even if you did supply the password, you'd still need to actually tell the API server to accept that specific user.

Have a look at this part of the Kubernetes documentation which deals with different methods of authentication. For the username and password authentication to work, you'd want to look at the Static Password File section, but I would actually recommend you go with X509 Client Certs since they are more secure and are operationally much simpler (no secrets on the Server, no state to replicate between API servers).

Upvotes: 5
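To check the authentication side described in the answer above before touching RBAC, the following added example (not code from the question or from any answer) inspects the output of `kubectl config view -o json` and reports which credential a context would present. The function name `credential_status`, the verdict strings and the sample users are assumptions made for illustration; the field names are the standard kubeconfig keys.

```python
import json

# Constructed sample in the shape of `kubectl config view -o json`; all names are made up.
SAMPLE = json.loads("""{
  "current-context": "alice@kubernetes",
  "contexts": [
    {"name": "alice@kubernetes", "context": {"cluster": "kubernetes", "user": "alice"}},
    {"name": "bob@kubernetes",   "context": {"cluster": "kubernetes", "user": "bob"}},
    {"name": "carol@kubernetes", "context": {"cluster": "kubernetes", "user": "carol"}}],
  "users": [
    {"name": "alice", "user": {"client-certificate": "/home/alice/alice.crt",
                               "client-key": "/home/alice/alice.key"}},
    {"name": "bob", "user": {"username": "bob"}}]
}""")

def credential_status(cfg, context_name=None):
    """Return (verdict, detail) for the credential a kubeconfig context carries."""
    context_name = context_name or cfg.get("current-context")
    ctx = next((c.get("context") or {} for c in cfg.get("contexts") or []
                if c.get("name") == context_name), None)
    if ctx is None:
        return ("no-context", f"context {context_name!r} is not defined")
    user_name = ctx.get("user")
    user = next((u.get("user") or {} for u in cfg.get("users") or []
                 if u.get("name") == user_name), None)
    if user is None:
        return ("none", f"context names user {user_name!r} but no users entry exists")
    has_cert = user.get("client-certificate") or user.get("client-certificate-data")
    has_key = user.get("client-key") or user.get("client-key-data")
    if has_cert and has_key:
        return ("x509", "client certificate and key are configured")
    if user.get("token") or user.get("tokenFile"):
        return ("token", "bearer token is configured")
    if user.get("exec") or user.get("auth-provider"):
        return ("plugin", "credentials come from an exec or auth-provider plugin")
    if user.get("username") and user.get("password"):
        return ("basic", "username and password are configured")
    if user.get("username"):
        return ("incomplete", "username is set without a password")
    return ("none", "users entry carries no credentials")

if __name__ == "__main__":
    for c in SAMPLE["contexts"]:
        print(c["name"], credential_status(SAMPLE, c["name"]))
```

A verdict of `none` or `incomplete` means the ClusterRoleBinding subject can never match, because the request does not arrive under that user name.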
