Question & Answer
Question
How can you troubleshoot "Unauthorized Errors" when you are using kubectl, the Kubernetes command line tool?
Answer
If you add a user or change permissions for a user, make sure you complete the steps needed to prevent an unauthorized error. To troubleshoot, check or update access permissions by using the IBM Cloud CLI or by editing the YAML file.
IBM Cloud CLI
After the administrator adds a user to the group or changes their permissions, complete the following steps:
1. Update the role binding by running the following command:
$ ibmcloud cs cluster-config clusterName
2. Export the new KUBECONFIG settings to sync the bindings.
Example command:
$ export KUBECONFIG=/Users/<new_user>/.bluemix/plugins/container-service/clusters/<cluster_name>-cluster/kube-config-wdc07-<cluster_name>-cluster.yml
Note: Replace <new_user> with the name of the new user and <cluster_name> with the name of the cluster.
The IBM Cloud Identity and Access Management (IAM) service imports any of the four user roles (Viewer, Editor, Operator, Admin) to the corresponding ClusterRoleBinding or regular RoleBinding upon cluster creation. They are identified as follows:
- ibm-admin
- ibm-operate
- ibm-edit
- ibm-view
RoleBindings and ClusterRoleBindings have a different scope. RoleBindings are namespace-defined whereas ClusterRoleBindings are cluster-wide, but you can define them in a namespace as well.
- ibm-edit and ibm-view are RoleBindings
- ibm-admin and ibm-operate are ClusterRoleBindings
Edit YAML file
Another option for managing permissions through Kubernetes is to manually edit the YAML file to add or remove users within the ClusterRoleBindings and RoleBindings.
Note: You cannot remove or add someone to the DEFAULT namespace policies outside of Identity and Access Management. Otherwise, the next person to download the KUBECONFIG file overwrites the change. To make changes directly to ClusterRoleBindings and RoleBindings, you need to be in a different namespace.
You can see the current members of each RoleBinding or ClusterRoleBinding by describing the binding that you want to view. The following code is an example of the admin ClusterRoleBinding.
$ kubectl describe clusterrolebinding ibm-operate
Name:         ibm-operate
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  IAM#user1@ibm.com  default
  User  IAM#user2@ibm.com  default
  User  IAM#user3@ibm.com  default
  User  IAM#owner@ibm.com  default
For more information about Role Based Access Control (RBAC), see the Assigning Cluster Access topic. Refer also to Accessing Kubernetes clusters.
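The membership check described above can be scripted across all four IBM-managed bindings. This is an added example, not IBM's code: the function names are hypothetical, and it assumes subjects are named IAM#<email> as in the describe output above and that the ibm-edit and ibm-view RoleBindings are in the default namespace.

```shell
#!/bin/sh
# Added example (not IBM's code): report which IBM-managed bindings list a user.
# Assumptions: subjects are named IAM#<email>, as in the describe output above,
# and the ibm-edit / ibm-view RoleBindings live in the "default" namespace.

# Read `kubectl describe` output on stdin; succeed if USER is a User subject.
# Exact field match, so user1@ibm.com does not match xuser1@ibm.com.
binding_has_user() {
  awk -v want="IAM#$1" '
    /^Subjects:/ { in_subjects = 1; next }
    in_subjects && $1 == "User" && $2 == want { found = 1 }
    END { exit !found }
  '
}

# Print "<binding> yes|no|error" for each binding; succeed if any says yes.
user_bindings() {
  local user="$1" ns="${2:-default}" rc=1 b kind name nsflag out
  for b in clusterrolebinding/ibm-admin clusterrolebinding/ibm-operate \
           rolebinding/ibm-edit rolebinding/ibm-view; do
    kind=${b%%/*} name=${b##*/}
    case $kind in rolebinding) nsflag="-n $ns" ;; *) nsflag="" ;; esac
    # "error" means kubectl failed: binding missing, or you cannot read it.
    if ! out=$(kubectl describe "$kind" "$name" $nsflag 2>/dev/null); then
      echo "$name error"
    elif printf '%s\n' "$out" | binding_has_user "$user"; then
      echo "$name yes"; rc=0
    else
      echo "$name no"
    fi
  done
  return $rc
}

# Constructed sample in the format shown above, for trying the parser offline.
sample_describe() {
  cat <<'EOF'
Name:         ibm-operate
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  IAM#user1@ibm.com  default
  User  IAM#user2@ibm.com  default
EOF
}
```

After exporting the new KUBECONFIG, `user_bindings <user_email>` shows at a glance whether the IAM change reached the cluster; a user who appears in no binding has not been synced yet.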
Document Information
More support for:
IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
Software version:
All Versions
Document number:
963826
Modified date:
22 November 2019
UID
ibm1KB0011443