
I have set up a private cluster on GKE with k8s version 1.18.12-gke.1206, and access to the cluster endpoint is set to "Public endpoint access enabled, authorized networks disabled". I'm running an ingress controller of type https://kubernetes.github.io/ingress-nginx on this cluster, which uses a ConfigMap to store its configuration. But somehow any request coming to this controller gives an Unauthorized error, with logs as:

2021-02-23 11:24:59.435 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:45.072 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:40.727 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.ConfigMap: Unauthorized"
2021-02-23 11:24:40.132 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: Unauthorized"
2021-02-23 11:24:37.318 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Pod: Unauthorized"
2021-02-23 11:24:37.038 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Service: Unauthorized"
2021-02-23 11:24:29.891 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:26.263 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Secret: Unauthorized"
2021-02-23 11:24:18.259 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:09.907 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"
2021-02-23 11:24:06.612 IST     "pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: Unauthorized"
2021-02-23 11:24:02.078 IST     "error retrieving resource lock sb-system/ingress-controller-leader-nginx: Unauthorized"

We tried to follow the steps mentioned here, and we are getting

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   233  100   233    0     0  17282      0 --:--:-- --:--:-- --:--:-- 17923
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}

at the last step, which is: kubectl exec test -- curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $TOKEN_VALUE" https://10.0.0.1

I'm new to GCP and K8s and can't figure out what I'm doing wrong.

Monish Akram

1 Answer


Did you check whether automountServiceAccountToken has been set to false on your ServiceAccount? If so, setting it to true might help.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
automountServiceAccountToken: false # set to true

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

Hang
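Added diagnostic helper (not part of the question or the answer above): the two symptoms on this page are different failures, and telling them apart is the first step. The controller's "Unauthorized" is a 401, meaning a bearer token was presented and the API server rejected it; the curl test's 403 for system:anonymous means no usable Authorization header reached the server at all, which is exactly what happens when the token file is absent (automountServiceAccountToken: false) or when $TOKEN_VALUE is empty in the shell that runs kubectl exec, since that variable is expanded locally, not in the pod. The script below decodes the mounted token's JWT payload to show which ServiceAccount it belongs to, and classifies the API server's Status response. The pure functions run offline; the live checks at the end run only when invoked with the argument run from inside a pod. The sample token is constructed for illustration (real claim names, fake signature) and is not a credential; the 10.0.0.1 fallback address is taken from the question and is an assumption.

```bash
#!/usr/bin/env bash
# Diagnose "Unauthorized" (401) vs "forbidden: system:anonymous" (403) for a
# Kubernetes service account token. Pure helpers first; live checks are guarded.

TOKEN_FILE="${TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"
CA_FILE="${CA_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/ca.crt}"

# base64url without padding -> standard base64 -> raw bytes
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  printf '%s%s' "$s" "$(printf '%*s' "$pad" '' | tr ' ' '=')" | base64 -d 2>/dev/null
}

# raw bytes -> base64url without padding (used only to build the sample token)
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the JSON payload (second segment) of a JWT; return 1 if not a JWT.
jwt_payload() {
  local tok="$1"
  [ $(printf '%s' "$tok" | tr -cd '.' | wc -c) -eq 2 ] || return 1
  b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)"
}

# Extract a string-valued claim from a compact JSON payload without jq.
# '|' is the sed delimiter because SA claim names contain '/'.
jwt_claim() {
  local payload="$1" claim="$2"
  printf '%s' "$payload" | sed -n "s|.*\"$claim\":\"\([^\"]*\)\".*|\1|p"
}

# Classify a Kubernetes Status object returned by the API server:
#   401 -> the bearer token was sent but rejected (the controller's symptom)
#   403 + system:anonymous -> no credentials reached the server (the curl symptom)
#   403 otherwise -> authenticated, but RBAC denied the request
classify_status() {
  local body="$1" code
  code=$(printf '%s' "$body" | sed -n 's/.*"code":[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  case "$code" in
    401) echo "token-rejected" ;;
    403) if printf '%s' "$body" | grep -q 'system:anonymous'; then
           echo "no-credentials-sent"
         else
           echo "rbac-denied"
         fi ;;
    2*)  echo "ok" ;;
    *)   echo "unknown" ;;
  esac
}

# Constructed sample token: realistic SA claims, fake signature, not a real credential.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"sb-system","kubernetes.io/serviceaccount/service-account.name":"ingress-nginx","sub":"system:serviceaccount:sb-system:ingress-nginx"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"constructed"}').$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

# Live checks: only when run as `./sa-token-check.sh run` inside a pod with curl.
if [ "${1:-}" = "run" ]; then
  # A missing/empty token file is what automountServiceAccountToken: false produces.
  if [ ! -s "$TOKEN_FILE" ]; then
    echo "no token at $TOKEN_FILE (check automountServiceAccountToken on the SA and Pod)"
    exit 1
  fi
  tok=$(cat "$TOKEN_FILE")
  echo "token identity: $(jwt_claim "$(jwt_payload "$tok")" sub)"
  # 10.0.0.1 fallback is the address used in the question; in-cluster env vars take precedence.
  api="https://${KUBERNETES_SERVICE_HOST:-10.0.0.1}:${KUBERNETES_SERVICE_PORT:-443}"
  body=$(curl -sS --cacert "$CA_FILE" -H "Authorization: Bearer $tok" "$api/api")
  echo "api result: $(classify_status "$body")"
fi
```

If the identity printed is a ServiceAccount other than the one bound to the ingress controller's ClusterRole, or the live check reports token-rejected, the fix is on the token/ServiceAccount side rather than on RBAC rules.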