No permissions to do anything starting on 1.14.4. #1721

Closed
nerusnayleinad opened this issue Aug 12, 2019 · 2 comments
Labels
kind/support Categorizes issue or PR as a support question.

Comments

@nerusnayleinad

I am creating a Kubernetes cluster with kubeadm, and I have done this literally maybe 100 times, and I am getting permission issues from the very beginning.

The context:

So, I first tried with k8s 1.15.1, and I was getting the following error when I tried installing the pod network (a bunch of them; 1 for each object):

Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=serviceaccounts", GroupVersionKind: "/v1, Kind=ServiceAccount"
Name: "calico-kube-controllers", Namespace: "kube-system"
Object: &{map["apiVersion":"v1" "kind":"ServiceAccount" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "name":"calico-kube-controllers" "namespace":"kube-system"]]}
from server for: "https://docs.projectcalico.org/v3.8/manifests/calico.yaml": serviceaccounts "calico-kube-controllers" is forbidden: User "system:node:master" cannot get resource "serviceaccounts" in API group "" in the namespace "kube-system": can only create tokens for individual service accounts

I noticed the user is different (why is my master node the user configured in the config file?):

system:node:master

And this user has no permissions for almost anything:

root@master:~# kubectl auth can-i create deploy
no

I wanted to configure the user, but I haven't kept the kubeadm token, and to get the token I get permission errors too.

root@master:~# kubeadm token list
failed to list bootstrap tokens: secrets is forbidden: User "system:node:master" cannot list resource "secrets" in API group "" in the namespace "kube-system": No Object name found

So, I kept trying; the same scenario for 1.14.4. No permissions for anything.

Then I tried the last version that I had tried already, which is 1.14.3, and it worked as expected. The user is kubernetes-admin, and has permissions for everything:

root@master:~$ kubectl auth can-i create clusterrolebinding
yes

I wanted to check the release notes, but there is not much information, or I don't know how to interpret it. Does anyone have any information about what the changes are, or what I am doing wrong?

@neolit123 neolit123 added the kind/support Categorizes issue or PR as a support question. label Aug 12, 2019
@neolit123
Member

Getting a permission error during pod network setup means you are trying to kubectl apply manifest files using a kubeconfig file which does not have the correct permissions.

Make sure that your /etc/kubernetes/admin.conf is generated by kubeadm and contains kubernetes-admin as the user.

> root@master:~# kubectl auth can-i create deploy

Which kubeconfig is this command using? Try:

root@master:~# KUBECONFIG=/etc/kubernetes/admin.conf kubectl auth can-i create deploy

> I wanted to check the release notes, but there is not much information, or I don't know how to interpret it. Does anyone have any information about what the changes are, or what I am doing wrong?

AFAIK, there is no such change that breaks this between 1.14.4 and .3.

@nerusnayleinad
Author

Oh! Maybe I was using the master node kubelet config file!? That's why system:node:master?

I'll test this tomorrow, in the office.

Thanks.
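
Added example, not part of the original thread or of kubeadm itself: a shell check for the situation discussed above, resolving which kubeconfig kubectl would load and which user its current context names. The function names and the sample files are constructed for illustration, and the parser assumes the kubeconfig layout that kubeadm generates.

```bash
# Added example (not from the thread): which kubeconfig is used, and as which user?
# kubectl lookup order without --kubeconfig: $KUBECONFIG (first entry only here), then ~/.kube/config.
effective_kubeconfig() {
  if [ -n "${KUBECONFIG:-}" ]; then printf '%s\n' "${KUBECONFIG%%:*}"
  else printf '%s\n' "$HOME/.kube/config"; fi
}

# Print the user bound to current-context. Assumes the layout kubeadm writes:
# "- context:" with an indented "user:" line, followed by that context's "name:".
current_user() {
  awk '/^[a-z]/ { section = $1 }
       section == "contexts:" && $1 == "user:" { u = $2 }
       section == "contexts:" && $1 == "name:" { by_ctx[$2] = u }
       $1 == "current-context:" { cur = $2 }
       END { print by_ctx[cur] }' "$1"
}

# Return 0 for an ordinary user, 1 for a kubelet (system:node:*) credential, 2 if unresolved.
check_identity() {
  user=$(current_user "$1" 2>/dev/null) || return 2
  case "$user" in
    "")            echo "$1: no user for current-context"; return 2 ;;
    system:node:*) echo "$1: $user is a node credential, not an admin one"; return 1 ;;
    *)             echo "$1: $user"; return 0 ;;
  esac
}

# Constructed sample files shaped like kubeadm's admin.conf and kubelet.conf (credentials omitted).
write_sample() {  # $1 = path, $2 = user name
  cat > "$1" <<EOF
apiVersion: v1
contexts:
- context:
    cluster: kubernetes
    user: $2
  name: $2@kubernetes
current-context: $2@kubernetes
users:
- name: $2
  user: {}
EOF
}

demo=$(mktemp -d)
write_sample "$demo/admin.conf" kubernetes-admin
write_sample "$demo/kubelet.conf" system:node:master
check_identity "$demo/admin.conf"
check_identity "$demo/kubelet.conf" || true
```

On a real control-plane host, `check_identity "$(effective_kubeconfig)"` reports the identity kubectl is about to use before any manifest is applied.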
