CODEWITHSUNDEEP
kuberneteskubectl
Valip
Valip

Reputation: 4620

kubectl get secrets: Error from server (Forbidden)

I have installed the Upbound CLI locally and since then I (I think) am receiving Error from server (Forbidden) error message when I try to execute different commands using kubectl:

kubectl get secrets

Error from server (Forbidden): secrets is forbidden: User "upbound-cloud-impersonator" cannot list resource "secrets" in API group "" in the namespace "default"

kubectl get all

Error from server (Forbidden): replicationcontrollers is forbidden: User "upbound-cloud-impersonator" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"
Error from server (Forbidden): services is forbidden: User "upbound-cloud-impersonator" cannot list resource "services" in API group "" in the namespace "default"
Error from server (Forbidden): daemonsets.apps is forbidden: User "upbound-cloud-impersonator" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
Error from server (Forbidden): deployments.apps is forbidden: User "upbound-cloud-impersonator" cannot list resource "deployments" in API group "apps" in the namespace "default"
Error from server (Forbidden): replicasets.apps is forbidden: User "upbound-cloud-impersonator" cannot list resource "replicasets" in API group "apps" in the namespace "default"
Error from server (Forbidden): statefulsets.apps is forbidden: User "upbound-cloud-impersonator" cannot list resource "statefulsets" in API group "apps" in the namespace "default"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "upbound-cloud-impersonator" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "default"
Error from server (Forbidden): cronjobs.batch is forbidden: User "upbound-cloud-impersonator" cannot list resource "cronjobs" in API group "batch" in the namespace "default"
Error from server (Forbidden): jobs.batch is forbidden: User "upbound-cloud-impersonator" cannot list resource "jobs" in API group "batch" in the namespace "default"

It seems that the user has been changed to "upbound-cloud-impersonator", but I am not sure why and how to switch it back to what it was before.

If it helps, these are the namespaces:

crossplane-system   Active   2d21h
default             Active   2d21h
kube-node-lease     Active   2d21h
kube-public         Active   2d21h
kube-system         Active   2d21h
upbound-system      Active   2d21h
velero              Active   2d21h

And the list of users kubectl config view -o jsonpath='{.users[*].name}':
minikube upbound-3f93ea79-ba0e-4fdc-ae69-f2c562279579

Upvotes: 1

Views: 11539

Answers (1)

P....
P....

Reputation: 18371

  • The user upbound-cloud-impersonator is not having enough RBAC permissions to get the secrets. The alternative solution is to set setup enough RBAC permission.

You can validate this using the below command:

kubectl auth can-i get secret --as upbound-cloud-impersonator

Or just run(as your context is already changed):

kubectl auth can-i get secret

  • Your current context is switched to something else. The new context is using upbound-cloud-impersonator. you may run the following command to list your current context

    kubectl config current-context

To switch to another context, you may first run the following command to list your context list. Notice the * sign that signifies the current context. Note that the context name used here are examples and may differ for your cluster.

kubectl config get-contexts
CURRENT   NAME                                 CLUSTER   AUTHINFO                     NAMESPACE
          default                              default   default
*         upbound-cloud-impersonator@default   default   upbound-cloud-impersonator

To switch to the other context, will change the current context to the provided one. Use appropriate context to switch.

 kubectl config use-context default

Notice the * sign:

kubectl config get-contexts
CURRENT   NAME                                 CLUSTER   AUTHINFO                     NAMESPACE
*         default                              default   default
          upbound-cloud-impersonator@default   default   upbound-cloud-impersonator

Validate the authorization:

kubectl auth can-i get secret
yes

Upvotes: 5

Related Questions