Reputation: 1
After certificate renewal in our K8s cluster, we are getting a permission error while running some kubectl commands. For example, we get this error while running the commands "kubectl get deployments" and "kubectl get pv":
"Error from server (Forbidden): pods "<>" is forbidden: User "system:node:<>" cannot create resource "pods/exec" in API group "" in the namespace "......"
But we are able to run commands such as "kubectl get nodes" and "kubectl get pods" without any issues.
During the cert renewal process, we ran the command below and manually updated kubelet.conf in /etc/kubernetes and the config file in the /root/.kube directory.
Are there any other files in which we need to update the new certificate-related details? Kindly help us with the remediation process/steps at the earliest possible.
• sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
Our Prod Kubernetes Cluster Information:
Kubernetes Cluster Version - 1.13.x
Master Node - 1
Worker Nodes - 11
The below-mentioned certificates got renewed recently.
Upvotes: 0
Views: 845
Reputation: 3770
Apparently, you are using the kubelet certificate instead of the one for kubectl (the admin cert).
Try running this command and see if it works:
sudo kubectl get pv --kubeconfig /etc/kubernetes/admin.conf
If it does, do:
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
kubectl get pv
kubectl get deploy
Upvotes: 1
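A way to confirm which identity each kubeconfig authenticates as before copying files around, added here as an example and not part of either post. It assumes `openssl` and `base64` are installed and that each kubeconfig holds a single user entry; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original posts): print the identity a kubeconfig
# authenticates as, taken from the subject of its client certificate.
# The API server uses the certificate's CN as the user name and O as the group(s).

kubeconfig_identity() {
    cfg=$1
    # Embedded form: "client-certificate-data: <base64 of the PEM certificate>"
    data=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$cfg" | head -n 1)
    if [ -n "$data" ]; then
        pem=$(printf '%s' "$data" | base64 -d) || return 1
    else
        # File form: "client-certificate: /path/to/cert.pem"
        path=$(sed -n 's/^[[:space:]]*client-certificate:[[:space:]]*//p' "$cfg" | head -n 1)
        if [ -z "$path" ] || [ ! -r "$path" ]; then
            echo "no readable client certificate in $cfg" >&2
            return 1
        fi
        pem=$(cat "$path")
    fi
    # RFC2253 output is stable across OpenSSL versions: subject=CN=...,O=...
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253) || return 1
    rdns=$(printf '%s\n' "$subject" | sed 's/^subject= *//' | tr ',' '\n')
    cn=$(printf '%s\n' "$rdns" | sed -n 's/^CN=//p' | head -n 1)
    org=$(printf '%s\n' "$rdns" | sed -n 's/^O=//p' | paste -sd, -)
    printf 'CN=%s O=%s\n' "$cn" "$org"
}

# True when the kubeconfig carries a kubelet (node) identity such as the one in
# the question's Forbidden error, rather than an administrator identity.
is_node_identity() {
    case $(kubeconfig_identity "$1") in
        CN=system:node:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the files named in the question and answer, where readable.
for f in /etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf "$HOME/.kube/config"; do
    if [ -r "$f" ]; then
        printf '%s: %s' "$f" "$(kubeconfig_identity "$f")"
        is_node_identity "$f" && printf '  <- node identity, not for kubectl'
        printf '\n'
    fi
done
```

Run it as root so the files under /etc/kubernetes are readable. A `$HOME/.kube/config` reporting `CN=system:node:...` matches the user named in the Forbidden error.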