[caasp-beta] [Newsletter] Re: RE : kubectl requires username and password

Robert Roland robert.roland at suse.com
Tue Oct 3 13:24:45 MDT 2017


There will be three Dex pods, all spread out across the worker nodes. It 
certainly seems like your cluster installation failed, even if Velum 
didn't report that.

 From your master node, what is the output of:

kubectl get pods --namespace=kube-system

and:

kubectl get roles --namespace=kube-system

     - Rob

On 10/03/2017 11:45 AM, Ns, Rushi wrote:
>
> Hi Robert,
>
> I don’t think bootstrap failed  as the cluster completed without any 
> errors and VELUM shows all active.
>
> Also on the master node, I see that dex.yaml and roles.yaml which all 
> exist but not sure if the PODS running ..
>
> In a worst case I will try to rebuild the cluster to see if it works. 
> By the way , in which node the DEX was running, I checked all my ndoes 
> and I can’t find DEX running as POD ?
>
> lvsusekub5:~ #   ls -ltr
>
> total 16
>
> drwxr-xr-x 1 root root    0 Jun 27 08:59 bin
>
> drwxr-xr-x 1 root root   36 Sep 26 02:13 inst-sys
>
> -rw-r--r-- 1 root root  156 Sep 26 04:18 flannel-config.json
>
> -rw-r--r-- 1 root root 3034 Sep 26 04:19 dex.yaml
>
> -rw-r--r-- 1 root root 1161 Sep 26 04:19 roles.yaml
>
> -rw-r--r-- 1 root root 3295 Oct  3 18:37 kubeconfig
>
> Best Regards,
>
> Rushi.
>
> I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE
>
> *From: *Robert Roland <rroland at suse.com>
> *Date: *Tuesday, October 3, 2017 at 11:38 AM
> *To: *"caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>, 
> "DElder at novacoast.com" <DElder at novacoast.com>, Rushi NS 
> <rushi.ns at sap.com>, Paul Gonin <PGonin at suse.com>, Rob de Canha-Knight 
> <rob.decanha-knight at suse.com>
> *Subject: *Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires 
> username and password
>
> That "Forbidden" error implies that your cluster bootstrap didn't 
> complete successfully. Please submit a bug with a full supportconfig dump.
>
> Dex is set up by the bootstrap process. This error means that one of 
> the steps in setting up Dex failed.
>
> Thanks,
>
> Rob
>
>
>
> >>> "Ns, Rushi" <rushi.ns at sap.com> 10/03/17 11:16 AM >>>
>
> Hi Paul,
>
> Thank you . I have tried the same one with latest caasp-cli and the 
> result is same.  FYI, I setup 3 masters with 6 workers and I tried all 
> 3 masters hostname one by one with the command line caasp-cli but 
> nothing is really working.
>
> Do I have to setup any DEX container on the cluster ? or it does 
> embedded part of it and why it is asking me DEX”
>
> caasp-cli login -s https://hostname:6443 -u rushi at id.com -p xxxxxx
>
> Error: unable to find Dex service in CaaS Platform cluster, error was 
> Get https://hostname:6443/api/v1/namespaces/kube-system/services/dex: 
> Forbidden
>
> Best Regards,
>
> Rushi.
>
> I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE
>
> *From: *Paul Gonin <paul.gonin at suse.com>
> *Date: *Tuesday, October 3, 2017 at 8:55 AM
> *To: *Rob de Canha-Knight <rob.decanha-knight at suse.com>, Rushi NS 
> <rushi.ns at sap.com>, "caasp-beta at lists.suse.com" 
> <caasp-beta at lists.suse.com>, Dan Elder <DElder at novacoast.com>
> *Subject: *Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires 
> username and password
>
> Hi,
>
> You need to check that between master node and admin node the port 389 
> is open - for example if you're using OpenStack you need the check 
> that the security group is properly defined to allow this port
>
> rgds
>
> Paul
>
> Le mardi 03 octobre 2017 à 15:17 +0000, Rob de Canha-Knight a écrit :
>
>     Rushi.
>
>
>     The details I provided below on caasp-cli is how I’ve been using
>     caasp-cli since day one.
>
>     I’ve just tried again on a new cluster and running
>
>     caasp-cli login -s https://master.caaspdemo.geeko.ninja:6443 -u
>     rob.decanha-knight at suse.com -p mypassword
>
>     Where –u is the email address of the user I created during velum
>     first startup/login.
>
>     Worked fine for me.
>
>     I don’t have any other documents to hand (other than the attached)
>     around logging in so all I can personally suggest is to make sure
>     you’re using https and port 6443 of the*kubernetes master* after -s.
>
>     I’ve also attached the main bit of documentation we have around
>     the caasp-cli client (which will make it’s way into the version 2
>     final release).
>
>     I would suggest trying again from scratch with a new cluster
>     instance of RC1 (including downloading and installing the updated
>     caasp-cli client available from
>     https://github.com/kubic-project/caasp-cli/releases as this one is
>     working fine for me).
>
>     Make a note of every command you are running and the output it
>     provides and you can send those details to this list as at the
>     moment the information in the thread is a bit scattered and I
>     can’t tell accurately what’s going on or what’s being done by the
>     user.
>
>     Yes there are a lot of changes in this release mainly an updated
>     k8s version and a feature much requested by customers (I remember
>     during 1.0 betas you also requested for user management and this
>     is how we’ve implemented it). I’ve also attached the details on
>     how to create/manage additional user accounts through ldap as well
>     as the caasp-cli guidance that we have.
>
>     As one of our closest partners you also have the option of
>     reaching out to your partner sales engineer/rep for your region
>     and discussing it directly with them. They should be able to go
>     onsite and help you if asked to get things up and running for your
>     team.
>
>     All the best,
>
>     Rob
>
>     ----
>
>     *Rob de Canha-Knight*
>     EMEA Platform and Management Technical Strategist
>     SUSE
>     rob.decanha-knight at suse.com <mailto:rob.decanha-knight at suse.com>
>
>     (Fuze/VOIP) +44 (0) 1635 937689
>     (M) +44 (0) 7392 087303
>
>     (TW) rssfed23 <https://twitter.com/rssfed23>
>
>     ----
>
>     5168
>
>     <https://twitter.com/suse><https://www.linkedin.com/in/rssfed23/><https://www.facebook.com/rssfed23><https://plus.google.com/+SUSE/posts><https://www.youtube.com/user/susevideo>
>
>     *From: *"Ns, Rushi" <rushi.ns at sap.com>
>     *Date: *Tuesday, 3 October 2017 at 16:07
>     *To: *"caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>, Dan
>     Elder <DElder at novacoast.com>, Rob de Canha-Knight
>     <rob.decanha-knight at suse.com>
>     *Subject: *Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires
>     username and password
>
>     Hi Rob,
>
>     Whatever you have mentioned is not really working in reality.
>     Using CAASP-cli is not at all authenticating and I spent 2 days to
>     find a way to connect to cluster.
>
>
>     VELUM is fine, I can logon with registed email but nothing can be
>     done after that such as installing kubernetes dashboard is not  ?
>     first of all need to know how to connect with CAASP-CLI because
>     there is no users created other than VELUM web login which was
>     registered.
>
>     Can you provide some steps how you have doing with caasp-cli..i
>     see lot of things changed on this new release.
>
>     Best Regards,
>
>     Rushi.
>
>     I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A
>     DIFFERENCE
>
>     *From: *<caasp-beta-bounces at lists.suse.com> on behalf of Rob de
>     Canha-Knight <rob.decanha-knight at suse.com>
>     *Date: *Tuesday, October 3, 2017 at 6:57 AM
>     *To: *Dan Elder <DElder at novacoast.com>,
>     "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>
>     *Subject: *Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires
>     username and password
>
>     Hi Dan.
>
>     In the log you’ve provided you’re using the admin server for the
>     –s argument I believe.
>
>     You must use https://<your-master-fqdn>:8443 as the address for
>     the k8s master node (noting correct port and https).
>
>     Please let us know how you get on.
>
>     Rob
>
>     ----
>
>     *Rob de Canha-Knight*
>     EMEA Platform and Management Technical Strategist
>     SUSE
>     rob.decanha-knight at suse.com <mailto:rob.decanha-knight at suse.com>
>
>     (Fuze/VOIP) +44 (0) 1635 937689
>     (M) +44 (0) 7392 087303
>
>     (TW) rssfed23 <https://twitter.com/rssfed23>
>
>     ----
>
>     68
>
>     <https://twitter.com/suse><https://www.linkedin.com/in/rssfed23/><https://www.facebook.com/rssfed23><https://plus.google.com/+SUSE/posts><https://www.youtube.com/user/susevideo>
>
>     *From: *<caasp-beta-bounces at lists.suse.com> on behalf of Dan Elder
>     <DElder at novacoast.com>
>     *Date: *Tuesday, 3 October 2017 at 05:15
>     *To: *"caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>
>     *Subject: *Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires
>     username and password
>
>     I haven't had any luck authentication with caasp-cli
>     unfortunately.  The credentials I supply work fine for Velum but
>     caasp-cli says they're invalid (output attached).  Is there some
>     log I can pull from the admin node or somewhere else to
>     troubleshoot this?  I've done 2 installs and gotten the same
>     result both times.
>
>     Thanks,
>     Dan
>
>
>     On 09/27/2017 08:04 AM, Paul Gonin wrote:
>
>         Hi,
>
>         It should be on the media so you can install it on the admin node
>
>         It is installed by default on admin node.
>
>         You can also get (currently) rpms for different openSUSE/SUSE
>         flavors
>
>         https://build.opensuse.org/repositories/devel:CaaSP:Head:ControllerNode/caasp-cli
>
>         And there is also a windows Build from Rob
>
>         https://github.com/rssfed23/caasp-cli-windows/releases
>
>         Tested / works but not supported (yet, but I assume to come)
>
>         Once you have caasp-cli
>
>         export KUBECONFIG=<pathtokubeconfig>(set KUBECONFIG=kubeconfig
>         in windows cmd shell)
>
>         caasp-cli login -u caasp-user -p caasp-password -s
>         https://caasp.fqdn:6443 <https://qa-k8s.caasp.suse.net:6443>
>
>         and then you can use kubectl as previously
>
>         For caasp-user and caasp-password you can use caasp admin
>         credentials.
>
>         You can also create users in local ldap
>
>         rgds
>
>         Paul
>
>         Le mercredi 27 septembre 2017 à 14:52 +0000, Ns, Rushi a écrit :
>
>             Thanks, where can I download . I see from github I can’t
>             download the link .
>
>             https://github.com/kubic-project/caasp-cli
>
>             Best Regards,
>
>             Rushi.
>
>             I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO
>             MAKES A DIFFERENCE
>
>             *From: *Paul Gonin <pgonin at suse.com> <mailto:pgonin at suse.com>
>             *Date: *Tuesday, September 26, 2017 at 1:31 PM
>             *To: *"caasp-beta at lists.suse.com"
>             <mailto:caasp-beta at lists.suse.com>
>             <caasp-beta at lists.suse.com>
>             <mailto:caasp-beta at lists.suse.com>, Rushi NS
>             <rushi.ns at sap.com> <mailto:rushi.ns at sap.com>
>             *Subject: *RE : [caasp-beta] kubectl requires username and
>             password
>
>             Hi,
>
>             With RC1, RBAC is available
>
>             Consequence is that you have to use caasp-ctl to login to
>             CaaSP and modify your kubectl and inject credentials in it.
>
>             Rgds
>
>             Paul
>
>             -------- Message d'origine --------
>
>             De : "Ns, Rushi" <rushi.ns at sap.com> <mailto:rushi.ns at sap.com>
>
>             Date : 26/09/2017 22:04 (GMT+01:00)
>
>             À : SUSE Beta Program <beta-programs at lists.suse.com>
>             <mailto:beta-programs at lists.suse.com>,
>             caasp-beta at lists.suse.com <mailto:caasp-beta at lists.suse.com>
>
>             Objet : [caasp-beta] kubectl requires username and password
>
>
>             >>> "Ns, Rushi" 09/26/2017 21:04 >>>
>
>             Hi
>
>             I setup new cluster with this release and everything
>             worked. I have 3 masters/10 workers ..looks fine VELUM web
>             page as well and I have downloaded kubeconfig and tried to
>             do some workload test but issue with access cluster.
>
>             I have issue with using KUBECTL command line ..whatever
>             “kubectl” I run  requires permission. I setup velum with
>             my userid email and password, I thought it requires that
>             and I tried but its not ?
>
>             I have also tried root (linux) master/workers but it
>             doesn’t take that too?
>
>             Does anyone know what is the issue.
>
>             kubectl get cluster-info
>
>             kubectl get nodes
>
>             Please enter Username: rushi.ns at sap.com
>             <mailto:rushi.ns at sap.com>
>
>             Please enter Password: *********
>
>             Error from server (Forbidden): User "system:anonymous"
>             cannot list nodes at the cluster scope. (get nodes)
>
>             kubectl get nodes
>
>             Please enter Username: admin
>
>             Please enter Password: ********
>
>             Unable to connect to the server: x509: certificate is
>             valid for 172.24.0.1, 172.16.18.0, 127.0.0.1, 172.16.18.1,
>             10.48.164.142, not 10.48.164.144
>
>             kubectl get nodes
>
>             Please enter Username: root
>
>             Please enter Password: ********
>
>             Unable to connect to the server: x509: certificate is
>             valid for 172.24.0.1, 172.16.22.0, 127.0.0.1, 172.16.22.1,
>             10.48.164.141, not 10.48.164.144
>
>             Best Regards,
>
>             Rushi.
>
>             I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO
>             MAKES A DIFFERENCE
>
>             *From: *<caasp-beta-bounces at lists.suse.com>
>             <mailto:caasp-beta-bounces at lists.suse.com> on behalf of
>             SUSE Beta Program <beta-programs at lists.suse.com>
>             <mailto:beta-programs at lists.suse.com>
>             *Reply-To: *SUSE Beta Program
>             <beta-programs at lists.suse.com>
>             <mailto:beta-programs at lists.suse.com>
>             *Date: *Friday, September 22, 2017 at 7:48 AM
>             *To: *"caasp-beta at lists.suse.com"
>             <mailto:caasp-beta at lists.suse.com>
>             <caasp-beta at lists.suse.com> <mailto:caasp-beta at lists.suse.com>
>             *Subject: *[caasp-beta] [ANNOUNCE] SUSE Container as a
>             Service Platform 2 RC 1 is available!
>
>             Having trouble viewing this email? Please check the plain
>             text version of it with your mailer.
>
>             	
>
>             	
>
>             <https://www.suse.com/betaprogram/caasp-beta/>
>
>             	
>
>             We are happy to announce *SUSE CaaS Platform 2****Release
>             Candidate 1*!
>
>             	
>
>             *Download ›*
>             <https://www.suse.com/betaprogram/caasp-beta/#download>
>
>             	
>
>             Please check out our dedicated SUSE CaaS Platform Beta web
>             page <https://www.suse.com/betaprogram/caasp-beta/>, where
>             you will find all the information needed around SUSE CaaS
>             Platform Beta.
>
>             	
>
>
>                     What’s New with SUSE CaaS Platform 2 RC 1?
>
>               * *K8s Multi-Master*: Kubernetes Multi Master for
>                 building High-Availability clusters.
>               * *caasp-cli*: It's the new command line client for
>                 interacting with a CaaS Platform cluster. See for
>                 details <https://github.com/kubic-project/caasp-cli>.
>               * *Dex*: Dex is an identity service that uses OpenID
>                 Connect to drive authentication for other apps. See
>                 for details <https://github.com/coreos/dex>.
>               * *OpenLDAP2*: OpenLDAP2 running on an SLE12 container
>                 guest.
>
>
>                     Things to consider for this Beta?
>
>               * *DHCP*
>
>             Your DHCP server should provide resolveable hostnames. If
>             this is not the case like with libvirt/KVM, you should
>             consider providing one yourself by appending this kernel
>             parameter "hostname=HOSTNAME" during installation.
>
>             However, the kubeconfig file downloaded from the Dashboard
>             could contain an incorrect "server" hostname that should
>             be replaced with the IP address of your Master. For more
>             information read:
>             https://en.opensuse.org/SDB:Linuxrc#Network_Configuration
>
>               * *Autoyast/VMX-Images*
>
>             If you install via autoyast or one of the provided VMX
>             beta images (KVM,Xen,VMware,...) please set a password or
>             SSH key via cloud-init to be able to login.
>
>             *Release plan ›*
>             <https://www.suse.com/betaprogram/caasp-beta/#releases>
>
>             	
>
>             *Release Notes ›*
>             <https://www.suse.com/betaprogram/caasp-beta/#releasenotes>
>
>             	
>
>             *Documentation ›*
>             <https://www.suse.com/betaprogram/caasp-beta/#documentation>
>
>             Have fun beta testing!
>
>             Your SUSE Linux Enterprise Team
>
>             Please refer to our dedicated SUSE CaaSP Beta Program
>             <https://www.suse.com/betaprogram/caasp-beta/> webpage for
>             any general information. However, do not hesitate to
>             contact us at beta-programs at lists.suse.com
>             <mailto:beta-programs at lists.suse.com> if you have any
>             questions.
>
>             You received this email because you're signed up to get
>             updates from us. Click here to unsubscribe.
>             <mailto:beta-programs at lists.suse.com?subject=Unsubscribe%20from%20SUSE%20CaaSP%20Beta&body=Unsubscribe%20Unsubscribe%20from%20SUSE%20CaaSP%20Beta>
>
>             _______________________________________________
>
>             caasp-beta mailing list
>
>             caasp-beta at lists.suse.com <mailto:caasp-beta at lists.suse.com>
>
>             http://lists.suse.com/mailman/listinfo/caasp-beta
>
>
>
>
>
>
>         _______________________________________________
>
>         caasp-beta mailing list
>
>         caasp-beta at lists.suse.com <mailto:caasp-beta at lists.suse.com>
>
>         http://lists.suse.com/mailman/listinfo/caasp-beta
>
>     -- 
>
>     Senior Engineer
>
>     Linux Services Manager
>
>     Novacoast, Inc.
>
>     Mobile: (310) 243-6971
>
>     Office: (800) 949-9933 x1337
>
>     http://www.novacoast.com/
>
>     _______________________________________________
>
>     caasp-beta mailing list
>
>     caasp-beta at lists.suse.com <mailto:caasp-beta at lists.suse.com>
>
>     http://lists.suse.com/mailman/listinfo/caasp-beta
>
>
>
> _______________________________________________
> caasp-beta mailing list
> caasp-beta at lists.suse.com
> http://lists.suse.com/mailman/listinfo/caasp-beta

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 119301 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 2959 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1202 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 792 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 766 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 758 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 946 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 804 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image009.png
Type: image/png
Size: 2961 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image010.png
Type: image/png
Size: 1204 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image011.png
Type: image/png
Size: 794 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image012.png
Type: image/png
Size: 768 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image013.png
Type: image/png
Size: 760 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image014.png
Type: image/png
Size: 948 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0013.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image015.png
Type: image/png
Size: 806 bytes
Desc: not available
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20171003/e405c7bf/attachment-0014.png>


More information about the caasp-beta mailing list