0

I had a friend grant me access to his kube cluster (hosted on IBM Cloud).

I can log in via the IBM Cloud console.

Access to Worker node

However, when I try to access them via kubectl: `kubectl get nodes`

results in an error message:

Error from server (Forbidden): nodes is forbidden: User "https://iam.ng.bluemix.net/kubernetes#" cannot list nodes at the cluster scope.

Why would the access (RBACs) be different between the console and the CLI?

Manglu
  • How did you get the config for `kubectl`? One possible reason could be that the current user in the CLI mode doesn't have cluster-role-binding permission context and cluster? – code Jun 06 '18 at 06:12
  • The config is obtained via the `ibmcloud cs cluster-config devworks-cluster` command. – Manglu Jun 06 '18 at 08:46
  • What IAM role do you have in your friend's cluster? – bhpratt Aug 17 '18 at 20:42

3 Answers

1

I am the dev lead for the IBM Kubernetes Service. You need to generate the RBAC on the cluster first. You can do this 2 ways.

  1. Go to the access tab in the UI and click download cluster config.
  2. Or use the CLI and run `ibmcloud ks cluster-config xxxx` where xxxx is the id of the cluster.

Jeff Sloyer
0

If the user name in User "https://iam.ng.bluemix.net/kubernetes#" has any capitalization, I'd suggest opening a ticket w/IBM. There are some cases where internal users have capital letters in their user name, which causes authentication issues.

In the meantime, you should still be able to use the CLI.

bhpratt
0

As mentioned by code, you may not have enough privileges configured for your user in RBAC. Perhaps you have a typo in the cluster-role-binding configuration for that user.

In this case, you have passed the authentication phase, but you have been blocked on the authorization phase trying to execute the “get” command.

VAS
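
The split between authentication and authorization described in the answers above can be seen in a simplified model of the RBAC check for cluster-scoped requests. This is an added example, not code from any answer or from IBM or Kubernetes; the role, binding and user names are constructed, and only the `https://iam.ng.bluemix.net/kubernetes#` prefix and the error wording come from the question.

```python
# Simplified model of Kubernetes RBAC authorization for cluster-scoped requests.
# All roles, bindings and user names below are constructed for illustration.
IAM_PREFIX = "https://iam.ng.bluemix.net/kubernetes#"  # prefix seen in the error on this page

CLUSTER_ROLES = {
    # hypothetical role granting read access to nodes
    "node-viewer": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}],
}

CLUSTER_ROLE_BINDINGS = [
    {   # hypothetical binding; the subject name is all lower case
        "name": "node-viewer-binding",
        "roleRef": "node-viewer",
        "subjects": [{"kind": "User", "name": IAM_PREFIX + "jane.doe@example.com"}],
    },
]


def rule_allows(rule, verb, resource, api_group=""):
    """True if one policy rule covers the request ('*' acts as a wildcard)."""
    return (
        any(g in ("*", api_group) for g in rule["apiGroups"])
        and any(r in ("*", resource) for r in rule["resources"])
        and any(v in ("*", verb) for v in rule["verbs"])
    )


def authorize(user, verb, resource):
    """Return (allowed, message) for a user who has already authenticated."""
    for binding in CLUSTER_ROLE_BINDINGS:
        # Subject names are compared as exact, case-sensitive strings.
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        rules = CLUSTER_ROLES.get(binding["roleRef"], [])
        if any(rule_allows(rule, verb, resource) for rule in rules):
            return True, f"allowed by ClusterRoleBinding {binding['name']}"
    # RBAC is deny-by-default: no matching binding and rule means Forbidden.
    return False, (f"Error from server (Forbidden): {resource} is forbidden: "
                   f'User "{user}" cannot {verb} {resource} at the cluster scope.')


if __name__ == "__main__":
    # Same identity, differing only in capitalization of the constructed user name.
    for name in ("jane.doe@example.com", "Jane.Doe@example.com"):
        print(authorize(IAM_PREFIX + name, "list", "nodes")[1])
```

On a real cluster, `kubectl auth can-i list nodes` asks the API server the same question for the identity in the current kubeconfig.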