2
votes

I am trying to add Kubernetes as cloud to Jenkins server with the appropriate Kubernetes URL and other details. When i add the details and test the connection i get the following error

Error connecting to https://192.168.X.XX:6443: Failure executing: GET at: https://192.168.X.XX:6443/api/v1/namespaces/default/pods. Message: User "system:anonymous" cannot list pods in the namespace "default".."

I tried to perform curl with --insecure option but the same following error is logged.

Message: User "system:anonymous" cannot list pods in the namespace "default".."

I tried to add jenkins and the user credentials to login to jenkins as clusteradminrole using the following kubectl command

kubectl create rolebinding jenkins-admin-binding --clusterrole=admin --user=jenkins--namespace=default

But still the same error.

Anything is missing?

EDIT 1: Have tried to do the following as suggested

openssl genrsa -out jenkins.key 2048

openssl req -new -key jenkins.key -out jenkins.csr -subj "/CN=jenkins/O=admin_jenkins"

openssl x509 -req -in jenkins.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out jenkins.crt -days 500

kubectl config set-credentials jenkins --client-certificate=/root/pods/admin_jenkins/.certs/jenkins.crt --client-key=/root/pods/admin_jenkins/.certs/jenkins.key

kubectl config set-context jenkins-context --cluster=kubernetes --namespace=default --user=jenkins

kubectl create -f role.yaml (Role file as described)

kubectl create -f role-binding.yaml

even after this

kubectl --context=jenkins-context get deployments 
gives the following error
"Error from server (Forbidden): User "jenkins" cannot list deployments.extensions in the namespace "default". (get deployments.extensions)"

Update 2:

after following above steps 
"kubectl --context=jenkins-context get deployments" was successful.

 i did the whole exercise after doing a kubeadm reset and it worked

But the problem still remains of integrating K8 with Jenkins when i am trying to add it as a cloud using its plugin.

1

1 Answers

2
votes

Did you define the role admin? if not define the admin role. below document your refer it.

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

Update: 1. you can create file role.yaml like this and create role. then run kubectl apply -f role.yaml

 kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    namespace: default
    name: admin
  rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

you need to pass the client certificate with this role to authenticate.

from your second question your trying to use this account to authenticate jenkin application user. I am not sure this method will work for you.

update on 9/25/17

Username: admin
Group: jenkins


 openssl genrsa -out admin.key 2048
 openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=jenkins"

 #Run this as root user in master node
 openssl x509 -req -in admin.csr -CA /etc/kubernetes/pki/ca.crt  -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out admin.crt -days 500

 mkdir .certs/
 mv admin.* .certs/
 kubectl config set-credentials admin --client-certificate=/home/jenkin/.certs/admin.crt  --client-key=/home/jenkin/.certs/admin.key
 kubectl config set-context admin-context --cluster=kubernetes --namespace=jenkins --user=admin 

Save this in the file and create role

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: jenkins
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: jenkins
subjects:
- kind: User
  name: admin
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""

Run the get pods command

kubectl --context=admin-context get pods