
I am trying to add Kubernetes as a cloud to the Jenkins server with the appropriate Kubernetes URL and other details. When I add the details and test the connection, I get the following error:

Error connecting to https://192.168.X.XX:6443: Failure executing: GET at: https://192.168.X.XX:6443/api/v1/namespaces/default/pods. Message: User "system:anonymous" cannot list pods in the namespace "default".."

I tried to run curl with the --insecure option, but the same error is logged:

Message: User "system:anonymous" cannot list pods in the namespace "default".."

I tried to add jenkins and the user credentials to log in to Jenkins with the cluster admin role using the following kubectl command:

    kubectl create rolebinding jenkins-admin-binding --clusterrole=admin --user=jenkins --namespace=default

But I still get the same error.

Is anything missing?

EDIT 1: I have tried the following, as suggested:

    openssl genrsa -out jenkins.key 2048
    openssl req -new -key jenkins.key -out jenkins.csr -subj "/CN=jenkins/O=admin_jenkins"
    openssl x509 -req -in jenkins.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out jenkins.crt -days 500
    kubectl config set-credentials jenkins --client-certificate=/root/pods/admin_jenkins/.certs/jenkins.crt --client-key=/root/pods/admin_jenkins/.certs/jenkins.key
    kubectl config set-context jenkins-context --cluster=kubernetes --namespace=default --user=jenkins
    kubectl create -f role.yaml   # Role file as described
    kubectl create -f role-binding.yaml

Even after this,

    kubectl --context=jenkins-context get deployments

gives the following error:

    Error from server (Forbidden): User "jenkins" cannot list deployments.extensions in the namespace "default". (get deployments.extensions)

Update 2:

After following the above steps, "kubectl --context=jenkins-context get deployments" was successful.

I did the whole exercise after doing a kubeadm reset, and it worked.

But the problem of integrating K8 with Jenkins still remains when I try to add it as a cloud using its plugin.

Prashant

1 Answer


Did you define the role admin? If not, define the admin role. You can refer to the document below.

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

Update: 1. You can create a file role.yaml like this and create the role. Then run kubectl apply -f role.yaml

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      namespace: default
      name: admin
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["deployments", "replicasets", "pods"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

You need to pass the client certificate with this role to authenticate.

From your second question, you're trying to use this account to authenticate the Jenkins application user. I am not sure this method will work for you.

Update on 9/25/17

Username: admin
Group: jenkins

    openssl genrsa -out admin.key 2048
    openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=jenkins"

    # Run this as root user in master node
    openssl x509 -req -in admin.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out admin.crt -days 500

    mkdir .certs/
    mv admin.* .certs/
    kubectl config set-credentials admin --client-certificate=/home/jenkin/.certs/admin.crt --client-key=/home/jenkin/.certs/admin.key
    kubectl config set-context admin-context --cluster=kubernetes --namespace=jenkins --user=admin

Save this in a file and create the role:

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      namespace: jenkins
      name: deployment-manager
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["deployments", "replicasets", "pods"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
    ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: deployment-manager-binding
      namespace: jenkins
    subjects:
    - kind: User
      name: admin
      apiGroup: ""
    roleRef:
      kind: Role
      name: deployment-manager
      apiGroup: ""

Run the get pods command:

    kubectl --context=admin-context get pods
sfgroups
  • No, haven't defined a specific admin role. But I tried to add the user, as can be seen above, using the kubectl command. Should a separate pod file with RBAC policies be written for this purpose? – Prashant Sep 19 '17 at 23:32
  • Also, my k8 cluster and the Jenkins master are running on the same host (VM), so do we still need to generate the certificate for it? Jenkins would have created a certificate of its own for other users to access. Can we use that? (Sorry if it's a bit of a noobish Q.) Just wanted to clarify this – Prashant Sep 20 '17 at 00:11
  • Hi - I have modified my question with what I have tried after your suggestion. It is still the same issue – Prashant Sep 20 '17 at 03:04
  • Repeated this exercise again by creating a security context, with no luck. Not sure if I have to create a ClusterRoleBinding role... – Prashant Sep 23 '17 at 00:25
  • I tested in my cluster and it worked. Let me edit and update my post with the commands I used. – sfgroups Sep 26 '17 at 01:54
  • Thank you for the validation. Yes, an update from my side too. It worked from the command line, but when it comes to adding the cloud from the Jenkins master (in the UI), which is sitting outside of the K8 cluster, it gave me the same "anonymous" error. So my assumption is that we have to create a clusterrolebinding for actual Jenkins integration. Please do let me know if you manage to add it. – Prashant Sep 26 '17 at 02:56
  • https://stackoverflow.com/questions/40197607/can-i-use-jenkins-kubernetes-plugin-when-jenkins-server-is-outside-of-a-kubernet Follow this. I have a similar problem; this solves my problem. – Vaibhav Jain Dec 18 '17 at 13:36
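
Added example (not part of the original question, answer or comments): the two denials quoted in this thread fail at different layers, and this sketch sorts a Forbidden message into an authentication, Role or RoleBinding problem by checking it against the answer's Role and RoleBinding. The names `triage`, `rule_allows`, `ROLE` and `BINDING` are hypothetical, and the message format is assumed to be the wording shown on this page.

```python
import re

# Role and RoleBinding from the answer, transcribed as Python data.
ROLE = {"namespace": "jenkins", "rules": [{
    "apiGroups": ["", "extensions", "apps"],
    "resources": ["deployments", "replicasets", "pods"],
    "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]}
BINDING = {"namespace": "jenkins", "subjects": [("User", "admin")]}

# Matches the Forbidden wording quoted on this page.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w.]+) '
    r'in the namespace "(?P<ns>[^"]+)"')

def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule covers the (apiGroup, resource, verb) triple."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def triage(message, role, binding):
    """Say whether a denial is an authentication, Role or RoleBinding problem."""
    m = FORBIDDEN.search(message)
    if not m:
        return "unrecognised"
    # "deployments.extensions" -> resource "deployments", API group "extensions"
    resource, _, group = m["resource"].partition(".")
    if m["user"] == "system:anonymous":
        # No client certificate or token reached the API server, so a
        # binding for a named user is never evaluated.
        return "authentication: request carried no client credential"
    if m["ns"] != role["namespace"] or m["ns"] != binding["namespace"]:
        return "binding: Role/RoleBinding live in another namespace"
    if not any(rule_allows(r, group, resource, m["verb"]) for r in role["rules"]):
        return "role: no rule grants this verb on this resource"
    if ("User", m["user"]) not in binding["subjects"]:
        return "binding: certificate CN is not a subject of the RoleBinding"
    return "allowed by these objects: check that they were actually created"
```

The subject name compared here is the certificate's CN, which is the username the API server derives from a client certificate; the O field becomes the group.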