User \"system:anonymous\" cannot get path \"/apis/constraints.gatekeeper.sh/v1beta1//
steve-heslouin opened this issue · 8 comments
Hello, I wanted to try your dashboard so I could try running it for my company, but that didn't work.
On my local machine I used:
docker run -v ~/.kube/config:/home/gpm/.kube/config -p 8080:8080 quay.io/sighup/gatekeeper-policy-manager:v0.5.1
It loaded my kubeconfig file correctly; when I click "Get constraints status", it gives me the following error:
(403) Reason: Forbidden HTTP response headers: HTTPHeaderDict({'Audit-Id': '2b44e6b7-e43e-449b-a608-83d4347fde9e', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': 'e8915a47-326c-450c-af43-f297c36367a6', 'X-Kubernetes-Pf-Prioritylevel-Uid': '38bf4b6b-d54e-4289-b143-c225265af301', 'Date': 'Tue, 01 Mar 2022 13:36:38 GMT', 'Content-Length': '225'}) HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/apis/constraints.gatekeeper.sh/v1beta1//\"","reason":"Forbidden","details":{},"code":403}
[2022-03-01 13:27:34 +0000] [1] [INFO] Starting gunicorn 20.1.0
[2022-03-01 13:27:34 +0000] [1] [INFO] Listening at: http://0.0.0.0:8080 (1)
[2022-03-01 13:27:34 +0000] [1] [INFO] Using worker: gthread
[2022-03-01 13:27:34 +0000] [9] [INFO] Booting worker with pid: 9
[2022-03-01 13:27:34 +0000] [11] [INFO] Booting worker with pid: 11
[2022-03-01 13:27:38,405] INFO: RUNNING WITH AUTHENTICATION DISABLED
[2022-03-01 13:27:38,405] INFO: RUNNING WITH AUTHENTICATION DISABLED
[2022-03-01 13:27:38,407] INFO: Attempting init with KUBECONFIG from path '~/.kube/config'
[2022-03-01 13:27:38,407] INFO: Attempting init with KUBECONFIG from path '~/.kube/config'
[2022-03-01 13:27:38,691] ERROR: [Errno 2] No such file or directory: 'aws-iam-authenticator'
[2022-03-01 13:27:38,693] ERROR: [Errno 2] No such file or directory: 'aws-iam-authenticator'
I have gatekeeper 3.7 installed on my EKS cluster and it's up and running.
gatekeeper-system gatekeeper-audit-59d4b6fd4c-lw8hj 1/1 Running 0 82d
gatekeeper-system gatekeeper-controller-manager-66f474f785-448pz 1/1 Running 0 82d
gatekeeper-system gatekeeper-controller-manager-66f474f785-895ng 1/1 Running 0 82d
gatekeeper-system gatekeeper-controller-manager-66f474f785-cl8sz 1/1 Running 0 82d
We use STS assume role and use the aws-auth mechanism provided by AWS. Could that be the issue, as it seems the client runs by default as anonymous, and of course we don't provide access to the anonymous user in our clusters?
Thanks
Hello @steve-heslouin
You seem to be using https://github.com/kubernetes-sigs/aws-iam-authenticator to authenticate to EKS. GPM's docker image doesn't include the aws-iam-authenticator binary.
You could try mounting also the binary to somewhere in $PATH together with the KUBECONFIG when you run the docker image, maybe that's enough.
Another option is to build your own image for GPM adding the aws-iam-authenticator binary, with a Dockerfile like:
```dockerfile
# Stage 1: fetch the aws-iam-authenticator release binary
FROM curlimages/curl:7.81.0 as downloader
# -L follows GitHub's release redirect; --fail makes the build stop on an HTTP error
# instead of silently saving an error page as the "binary"
RUN curl -L --fail https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.5/aws-iam-authenticator_0.5.5_linux_amd64 --output /tmp/aws-iam-authenticator
RUN chmod +x /tmp/aws-iam-authenticator

# Stage 2: add the binary to the GPM image so the kubeconfig exec plugin finds it on PATH
FROM quay.io/sighup/gatekeeper-policy-manager:v0.5.1
COPY --from=downloader --chown=root:root /tmp/aws-iam-authenticator /usr/local/bin/
```
@ralgozino Thanks a lot for your feedback, let me try it and I will let you know ;)
@ralgozino
So I tried, and after having mounted the config and credentials files, I no longer have the error related to aws-iam-authenticator.
I rather have this error:
ERROR: exec: plugin api version client.authentication.k8s.io/v1beta1 does not match client.authentication.k8s.io/v1alpha
Do you have an idea where that could come from?
Thanks a lot :)
What version of kubectl do you have installed?
Could you please check your kubeconfig and see if you have a section like this:
```yaml
# [...]
users:
- name: kubernetes-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "REPLACE_ME_WITH_YOUR_CLUSTER_ID"
        - "-r"
        - "REPLACE_ME_WITH_YOUR_ROLE_ARN"
      # no client certificate/key needed here!
```
If you do, check that the apiVersion is client.authentication.k8s.io/v1beta1.
I think it could be a mismatch between the Kubernetes client version included in GPM and your kubeconfig format.
I would suggest trying with the unstable tag of GPM instead of v0.5.1, which has a newer version of the Kubernetes client.
Ok so I edited my kubeconfig to target v1beta1 instead and that worked great, I logged in and saw my constraints.
Thanks a lot @ralgozino, I will be testing it in dev envs, see how it goes, and if that works, well, we will surely propose PRs to help with any improvements ;)
Great to hear that!
We'll be waiting for your feedback
```yaml
- name: arn:aws:eks:......
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - cluster_name
      command: aws
      env:
      - name: AWS_PROFILE
        value: dev
      interactiveMode: IfAvailable
      provideClusterInfo: false
```
Turns out I also had some clusters that were relying on the aws cli to authenticate, and by adding it to your image, it also worked great. Maybe it'd be cool to have those 2 binaries installed by default?
I need to think about it. As a first thought, I would prefer not to include them in order to not couple the GPM version to AWS's tooling. What we can do instead is add documentation on how to do it so everyone can easily build the image with the versions they need.
EDIT: Because if we include AWS binaries we would need to include all the possible options also. The exec option in the kubeconfig files is generic. It allows you to use any executable.
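Since the exec option is generic, the two failures seen in this thread (the plugin binary missing from the image, and an exec apiVersion the bundled client no longer accepts) can be checked before starting the container. The following pre-flight check is an added example, not code from GPM; it takes the kubeconfig as the mapping `yaml.safe_load` would return, and the embedded sample config and the list of accepted apiVersions are assumptions constructed for this example.

```python
import os
import shutil
from typing import Optional, Sequence

# Assumed set of exec apiVersions the client accepts; v1alpha1 is deliberately
# absent, mirroring the "does not match" error reported in the thread.
SUPPORTED_EXEC_API_VERSIONS = {
    "client.authentication.k8s.io/v1beta1",
    "client.authentication.k8s.io/v1",
}

# Constructed sample kubeconfig (same shape as the snippets above), already parsed.
SAMPLE_KUBECONFIG = {
    "users": [
        {"name": "kubernetes-admin",
         "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                           "command": "aws-iam-authenticator",
                           "args": ["token", "-i", "CLUSTER_ID", "-r", "ROLE_ARN"]}}},
        {"name": "arn:aws:eks:REGION:ACCOUNT:cluster/NAME",
         "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1alpha1",
                           "command": "aws",
                           "args": ["--region", "us-east-1", "eks", "get-token",
                                    "--cluster-name", "cluster_name"]}}},
    ]
}


def check_exec_plugins(kubeconfig: dict,
                       path_dirs: Optional[Sequence[str]] = None) -> list:
    """Return one finding per problem that would make an exec-based user fail
    inside the container: missing command, command not on PATH, or an
    apiVersion the client does not support. path_dirs lets the caller emulate
    the container's PATH; None means the current process PATH."""
    findings = []
    search_path = None if path_dirs is None else os.pathsep.join(path_dirs)
    for entry in kubeconfig.get("users", []):
        name = entry.get("name", "<unnamed>")
        exec_cfg = (entry.get("user") or {}).get("exec")
        if not exec_cfg:
            continue  # certificate/token users need no external binary
        cmd = exec_cfg.get("command")
        if not cmd:
            findings.append(f"{name}: exec section has no 'command'")
        elif shutil.which(cmd, path=search_path) is None:
            findings.append(f"{name}: exec command '{cmd}' not found on PATH")
        api = exec_cfg.get("apiVersion")
        if api not in SUPPORTED_EXEC_API_VERSIONS:
            findings.append(f"{name}: exec apiVersion '{api}' is not supported by the client")
    return findings


if __name__ == "__main__":
    for line in check_exec_plugins(SAMPLE_KUBECONFIG, ["/nonexistent/bin"]):
        print(line)
```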