user_mda
Reputation: 19388
Unauthorized error while trying to create a new namespace in K8S
I am trying to create a namespace on a K8s cluster on Azure using teh fabric8 java client . Here is the code
@Before
public void setUpK8sClient() {
apiServer = "";
config = new ConfigBuilder().withMasterUrl(apiServer).withUsername("user").withPassword("pass").build();
client = new DefaultKubernetesClient(config);
System.setProperty(Config.KUBERNETES_TRUST_CERT_SYSTEM_PROPERTY, "true");
}
@Test
public void getClientVersion() {
System.out.println("Client version "+client.getApiVersion());
}
@Test
public void createNamespace() {
Namespace myns = client.namespaces().createNew()
.withNewMetadata()
.withName("myns")
.addToLabels("a", "label")
.endMetadata()
.done();
System.out.println("Namespace version " + myns.getStatus());
}
This gives me the following error
i
o.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: "https://...api/v1/namespaces. Message: Unauthorized! Token may have expired! Please log-in again. Unauthorized
What did I miss?
Upvotes: 0
Views: 3155
Answers (1)
Jose Armesto
Reputation: 13749
Since you are working on Azure, I guess you could follow the instructions to configure kubectl and then use the token from the kubeconfig file to access the cluster from the fabric8 client.
That token is probably an admin token, so you can also create new credentials (user/password) if you want to limit what the fabric8 client could do. API requests are tied to either a normal user or a service account, or are treated as anonymous requests.
- Normal users are assumed to be managed by an outside, independent service (private keys, third parties like Google Accounts, even a file with a list of usernames and passwords). Kubernetes does not have objects which represent normal user accounts.
- Service accounts are users managed by the Kubernetes API, bound to specific namespaces. Service accounts are tied to a set of credentials stored as Secrets. To manually create a service account, simply use the
kubectl create serviceaccount ACCOUNT_NAMEcommand. This creates a service account in the current namespace and an associated secret that holds the public CA of the API server and a signed JSON Web Token (JWT).
Upvotes: 1
Related Questions
- AKS - Error from server (Forbidden): User cannot create resource "namespaces" in API group "" at the cluster scope
- Trying to create a namespace in an AWS EKS cluster with kubectl - Getting: Error from server (Forbidden): namespaces is forbidden
- Error from server (Forbidden): namespaces is forbidden: User "system:anonymous" cannot create resource "namespaces" in API group
- Kubernetes Namespaces forbidden using api
- Exception when attempting to create Namespaced Pod
- How I create new namespace in Kubernetes
- Unable to create deployment in a namespace with service account, ClusterRole and ClusterRolebinding created
- io.fabric8.kubernetes.client.KubernetesClientException: Forbidden!Configured service account doesn't have access
- 'kubectl get namespace' command "namespaces is forbidden" error
- Kubernetes cannot create namespaces at the cluster scope