
Comments (11)

rajansandeep commented on June 14, 2024

> 0319 07:09:59.530761 1 reflector.go:134] github.com/coredns/coredns/plugin/kubernetes/controller.go:322: Failed to list *v1.Namespace: Unauthorized

Unauthorized errors mean the authentication credentials being used are not valid.

from kubernetai.

rajansandeep commented on June 14, 2024

> This is my coredns kubernetai config (replaced kubernetes default block), the rest is coredns defaults

Is there a reason to use kubernetai instead of the default kubernetes plugin, since it seems you have only one zone, cluster.local?

Nvm, corefile seems valid.

offzale commented on June 14, 2024

I am using kubernetai to be able to use the plugin more than once in the server block

> Unauthorized errors mean the authentication credentials being used are not valid.

You're right, so I wonder if I can really make either this or the kubernetes plugin work with EKS, since the typical authentication method used to access EKS clusters is not using keys but aws-iam-authenticator.

chrisohaver commented on June 14, 2024

In general, "Unauthorized" means that the user identity is successfully authenticated, but not authorized to access the resource requested ...

May want to double check that the user account has the list permission for the Namespace resource in RBAC.

offzale commented on June 14, 2024

> In general, "Unauthorized" means that the user identity is successfully authenticated, but not authorized to access the resource requested ...
>
> May want to double check that the user account has the list permission for the Namespace resource in RBAC.

I understand what you describe as a Forbidden error, and Unauthorized as when the server does not accept the credentials passed. Nevertheless, I disabled the certificate I am using on the AWS user and tried again using the same credentials (this time they are not valid) and still get the same Unauthorized error.

The way I am authenticating to EKS at the moment is by using credentials that can do a PassRole action to the role assigned to the k8s EKS cluster. So you first need a way to authenticate to the AWS account, and then switch to the Role that has permissions on that cluster. I didn't see any plugin in coredns that supports such authentication yet, since it would be quite custom just for accessing EKS clusters.

Anyone aware of any other way to authenticate to EKS clusters that can work when connecting to them from any coredns plugin?

chrisohaver commented on June 14, 2024

Ah, OK thanks. In general there is a distinction between authorization and authentication... but it seems that k8s is blurring the terminology in this error message.
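
The distinction at issue in this thread, as an added example that is not part of the original discussion or of CoreDNS: the Kubernetes API server answers a rejected credential with HTTP 401 (`Unauthorized`) and an RBAC denial with HTTP 403 (`... is forbidden: User "..." cannot ...`), so the reflector log line itself shows which stage failed. The first sample line is the one quoted in the thread; the others are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# client-go reflector errors as logged by CoreDNS, e.g. the line quoted in this thread:
#   reflector.go:134] <source file:line>: Failed to list *v1.Namespace: Unauthorized
REFLECTOR_RE = re.compile(
    r"reflector\.go:\d+\]\s+(?P<source>\S+):\s+"
    r"Failed to (?P<verb>list|watch) (?P<kind>\*\S+): (?P<reason>.*)$"
)
# Text of an RBAC denial (HTTP 403) as returned by the API server.
FORBIDDEN_RE = re.compile(r'is forbidden: User "(?P<user>[^"]+)" cannot \w+ resource')

NEXT_STEP = {
    "authentication": "credential rejected (401): check the token or client cert the plugin presents",
    "authorization": "RBAC denial (403): kubectl auth can-i list <resource> --as=<user>",
    "other": "neither 401 nor 403 text: check connectivity and the API server endpoint",
}

def classify(line):
    """Describe one reflector failure, or return None for unrelated lines."""
    m = REFLECTOR_RE.search(line)
    if not m:
        return None
    reason = m["reason"].strip()
    denied = FORBIDDEN_RE.search(reason)
    if reason == "Unauthorized":
        stage, user = "authentication", None
    elif denied:
        stage, user = "authorization", denied["user"]
    else:
        stage, user = "other", None
    return {"stage": stage, "verb": m["verb"], "kind": m["kind"], "user": user}

def summarize(lines):
    """Count failures per (stage, resource kind) across a log."""
    return Counter((c["stage"], c["kind"]) for c in map(classify, lines) if c)

SAMPLE_LOG = [
    "0319 07:09:59.530761 1 reflector.go:134] github.com/coredns/coredns/plugin/"
    "kubernetes/controller.go:322: Failed to list *v1.Namespace: Unauthorized",
    # Constructed line: what an RBAC denial looks like in the same log.
    'E0319 07:10:00.000000 1 reflector.go:134] example/controller.go:1: Failed to list '
    '*v1.Service: services is forbidden: User "system:serviceaccount:kube-system:coredns" '
    'cannot list resource "services" in API group "" at the cluster scope',
    "[INFO] plugin/reload: Running configuration (constructed, unrelated line)",
]

if __name__ == "__main__":
    for (stage, kind), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {kind}: {NEXT_STEP[stage]}")
```
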

johnbelamaric commented on June 14, 2024

johnbelamaric commented on June 14, 2024

offzale commented on June 14, 2024

@johnbelamaric you're right, I don't see any AWS compatible client-go auth-plugin either. This is the EKS authentication and authorization workflow:
https://docs.aws.amazon.com/eks/latest/userguide/managing-auth.html

It authenticates first to AWS, then RBAC checks if that IAM entity has permissions to run the kubectl command. So the authentication is not made using certs but AWS credentials.

chrisohaver commented on June 14, 2024

@johnbelamaric, yes, thanks for that. Makes sense. Me being dense. @offzale, my apologies for misleading you.

offzale commented on June 14, 2024

@chrisohaver no problem, it could have been the problem also, so it was good to check to make sure it wasn't. I am afraid that it is what @johnbelamaric spotted: there is no auth plugin for AWS yet.
