30

For every command with kubectl I need to use sudo kubectl.

I understand the security perspective but I am working on a test environment and I want to be able to use it without sudo.

I tried to run sudo -i and use the root account to run kubectl get pods but I received:

The connection to the server localhost:8080 was refused - did you
specify the right host or port?

I noticed that when I was playing with https://labs.play-with-k8s.com, the user is root and I can run kubectl freely.

I wanted to have the same thing on my Ubuntu machine with my Minikube.

When I run kubectl get pods with my regular account I received the error:

error: unable to read client-key /home/myuser/.minikube/client.key for minikube due to open /home/myuser/.minikube/client.key: permission denied

I supposed there are two ways:
1. Give everyone access to /home/myuser/.minikube/
2. Give my account permissions to run kubectl without sudo

EDIT:
Following @Konstantin Vustin's request, here is the requested information:

myuser@ubuntu:/usr/local/bin$ ls -l  $(which kubectl)
-rwxrwxr-x 1 myuser myuser 54308597 Jun 13 05:21 /usr/local/bin/kubectl

myuser@ubuntu:/usr/local/bin$ ls -la ~ | grep kube
drwxr-xr-x  5 myuser myuser   4096 Jun 17 02:25 .kube
drwxrwxr-x 10 myuser myuser   4096 Jun 13 05:18 .minikube

myuser@ubuntu:/usr/local/bin$ ls -l ~/.kube
total 24
drwxr-xr-x  3 root  root  4096 Jun 13 05:26 cache
-rw-------  1 myuser myuser 911 Jun 13 05:27 config
drwxrwxr-x  3 myuser myuser 4096 Jul 11 01:37 http-cache
E235

10 Answers

30

Fix file permissions

Most likely your kubectl files are not owned by your user.

You can set these permissions using the command below.

sudo chown -R $USER $HOME/.kube

Run kubectl with sudo

Alternatively you can run kubectl as sudo user using a persistent sudo shell.

sudo -s

then run your kubectl commands

kubectl get pods

kubectl describe <resource_type> <resource_name>

finally exit the sudo shell

exit
Webber
  • I tried your suggestion now and I still receive `permission denied` – E235 Jul 11 '18 at 08:24
  • 1
    Actually, no. Maybe because I run `chmod u+s kubectl`? – E235 Jul 11 '18 at 08:32
  • OK, I changed it back to the original permissions: `chmod 775 kubectl` and now it works with `sudo -s`. Great. This is what I wanted. Thanks – E235 Jul 11 '18 at 08:37
  • Try reinstalling kubectl following [official documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl/). Then try the answer again. – Webber Jul 11 '18 at 08:37
  • 1
    After `sudo chown -R $USER $HOME/.kube`, if you are still getting the `permission denied` error, exit the shell and open a new terminal; it should start working – Ritesh Jan 19 '21 at 08:59
9

You don't need to (and shouldn't) run kubectl with sudo. kubectl doesn't need any special permissions, and is interacting entirely with a remote server over an HTTPS connection. Kubernetes tends to take over the system it runs on, so even if you somehow were running kubectl against a local apiserver, being logged into the node at all would be odd and you could do the same level of administration remotely.

If you have been running it under sudo, it might have changed the ownership of some files to be inaccessible, and you can fix this (once) with

sudo chown -R $USER $HOME/.kube

(In your listing, ~/.kube/cache is owned by root, not by myuser.)

David Maze
6

Ansible way to make kubectl able to run without sudo:

- name: Setup kubeconfig for user
  become: no
  command: "{{ item }}"
  with_items:
    - mkdir -p /home/$USER/.kube
    - sudo cp -i /etc/kubernetes/admin.conf /home/$USER/.kube/config
    - sudo chown $USER:$USER /home/$USER/.kube/config

Or you could run these commands manually:

mkdir -p /home/$USER/.kube
sudo cp -i /etc/kubernetes/admin.conf /home/$USER/.kube/config
sudo chown $USER:$USER /home/$USER/.kube/config
Eugene Lopatkin
6

If anyone is wondering for k3s, use the following:

sudo chmod 644 /etc/rancher/k3s/k3s.yaml

After this, you can simply use kubectl rather than sudo kubectl.

waqasahmed
4

I had the same issue. It is suggested (by minikube) to change the ownership and permissions of ~/.kube and ~/.minikube after the installation.

sudo mv /root/.kube $HOME/.kube # this will write over any previous configuration
sudo chown -R $USER $HOME/.kube
sudo chgrp -R $USER $HOME/.kube

sudo mv /root/.minikube $HOME/.minikube # this will write over any previous configuration
sudo chown -R $USER $HOME/.minikube
sudo chgrp -R $USER $HOME/.minikube
san1512
2

Check if a proxy is set; if yes, then set no_proxy for localhost and the cluster server IP (which you can find in the ~/.kube/config file, server: https://192.168.127.3:6443) in .bashrc or any other environment variable file.

export no_proxy=localhost,192.168.127.3
prashant
1

The easiest way is to make an alias:

alias kubectl='sudo kubectl'
Ali
Akm Islam
0

If you are using kubeadm, just follow the commands:

  • Create .kube folder

    mkdir -p ~/.kube
    
  • Copy admin.conf to this folder

    sudo cp -i /etc/kubernetes/admin.conf ~/.kube/config
    
  • Change owner of this file to ourselves

    sudo chown $(id -u):$(id -g) ~/.kube/config
    
  • Now everything is good, and we don't have to use sudo or --kubeconfig

    kubectl get nodes
    

Source:

Ali
0

Change the owner on your installation

  1. Locate where this is installed
  2. Change owner to your user
  3. Test with version argument
# 1
$ whereis kubectl
kubectl: /usr/bin/kubectl /usr/local/bin/kubectl
$ ll /usr/bin/kubectl
-rwxr-xr-x 1 root root 45015040 Nov 10 10:51 /usr/bin/kubectl*
# 2
$ sudo chown $USER:$USER /usr/bin/kubectl
# 3
$ kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.25.4
Kustomize Version: v4.5.7
-5

Try setuid:

chmod u+s kubectl

The keys can be read by kubectl, while not open to everyone.

Kun Li
  • 1
    I did it, it changed the `kubectl` permissions from `-rwxrwxr-x` to `-rwsrwxr-x` but I am still getting error `permission denied` when running `kubectl get pods` – E235 Jul 11 '18 at 08:15
  • kubectl should be owned by root – Kun Li Jul 11 '18 at 08:20
  • @KunLi where is this requirement documented? – Konstantin Vustin Jul 11 '18 at 09:58
  • Making random binaries setuid root isn't actually a good idea. In the case of `kubectl`, I could use an intermediate configmap to read arbitrary files off the local host, which would be bad. – David Maze Jul 11 '18 at 10:38
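
An audit of the client-side files discussed in the answers above, as an added example that is not part of the original thread: it reports entries under ~/.kube or ~/.minikube owned by another user (such as the root-owned cache in the question's listing), credential files readable by group or others (the effect of a chmod 644 on a kubeconfig), and a setuid bit on the kubectl binary. The function names and finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the labels
# WRONG_OWNER / READABLE_BY_OTHERS / SETUID are made up for this example.

# audit_kube_dir DIR [OWNER]
# Prints one finding per line. Exit status: 0 clean, 1 findings, 2 DIR missing.
# OWNER (name or numeric uid) defaults to the current user.
audit_kube_dir() (
    dir=$1
    owner=${2:-$(id -u)}
    [ -d "$dir" ] || { echo "MISSING $dir"; exit 2; }

    # Entries not owned by OWNER, e.g. ~/.kube/cache created by `sudo kubectl`.
    wrong=$(find "$dir" ! -user "$owner" -exec printf 'WRONG_OWNER %s\n' {} \;)

    # Credential files (kubeconfig, client keys) that group or other can read.
    open=$(find "$dir" -type f \
        \( -name config -o -name '*.conf' -o -name '*.yaml' -o -name '*.key' \) \
        \( -perm -040 -o -perm -004 \) \
        -exec printf 'READABLE_BY_OTHERS %s\n' {} \;)

    [ -n "$wrong" ] && printf '%s\n' "$wrong"
    [ -n "$open" ] && printf '%s\n' "$open"
    [ -z "$wrong$open" ]
)

# check_kubectl_binary PATH
# Exit status: 0 no setuid bit, 1 setuid bit set, 2 PATH missing.
check_kubectl_binary() (
    bin=$1
    [ -f "$bin" ] || { echo "MISSING $bin"; exit 2; }
    if [ -u "$bin" ]; then
        echo "SETUID $bin"
        exit 1
    fi
    echo "OK $bin"
)

# Report on the current user's files; findings do not abort the script.
for d in "$HOME/.kube" "$HOME/.minikube"; do
    audit_kube_dir "$d" || true
done
if kubectl_path=$(command -v kubectl); then
    check_kubectl_binary "$kubectl_path" || true
fi
```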