kubernetes, kubernetes-ingress, ambassador

Unable to access Ambassador in K8 RBAC environment


Deployed Ambassador in an RBAC environment and created a service with a NodePort

[root@-1 xxxxx]# kb get svc -n ambassador
NAME               TYPE        CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
ambassador         NodePort    172.18.0.216   12.197.35.74   80:31270/TCP,443:31729/TCP   17h

Tried to access the UI at https://12.197.35.74/ and got the error below

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {  },
  "code": 403
}

Looks like I am missing something related to RBAC; any help is highly appreciated.


Solution

  • This error means that you are not authorized to access the API server because it doesn’t know who you are. This is good, otherwise anyone could manipulate your cluster.

    The latest Kubernetes deployment tools enable RBAC on the cluster. Ambassador is relegated to the catch-all user system:anonymous when it accesses https://12.197.35.74/. This user has almost no privileges on kube-apiserver.

    The bottom line is that Ambassador needs to authenticate with kube-apiserver, either with a bearer token or with a client cert that is signed by the k8s cluster's CA key.

    1. Create a ServiceAccount in k8s for the plugin
    2. Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that is tied to the ServiceAccount
    3. Configure the plugin to use the ServiceAccount's token when accessing the URL https://12.197.35.74/

    The Kubernetes API server is the brain of your Kubernetes cluster. You should restrict access to it to the absolute minimum, limiting access from outside of the cluster to the API server using standard networking and firewalling mechanisms, and from within the cluster using a Kubernetes network policy.

    Take a look: kube-apiserver-error, kubernetes-api-server, kube-apiserver-forbidden-messages, systemanonymous-cannot-get-path.
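The three steps above, as an added worked example that is not part of the original question or answer and not Ambassador's own tooling. It renders the ServiceAccount, ClusterRole and ClusterRoleBinding, grants only what the 403 named (`get` on the non-resource path `/`), mints a token for the ServiceAccount and calls the URL with it. Two checks are added that the thread itself does not spell out: the `PORT(S)` column of the `kb get svc` output maps service port 443 to node port 31729, so `https://12.197.35.74/` (port 443) is not a NodePort of the Ambassador service at all, and a `kind: Status` body naming `system:anonymous` is kube-apiserver's answer to an unauthenticated request. The ServiceAccount name `ambassador-probe`, the ClusterRole name `ambassador-apiserver-root`, the namespace `ambassador` and the CA file path `ca.crt` are assumptions chosen here for illustration; the IP, ports and the JSON body are copied from the question.

```shell
#!/usr/bin/env bash
# Added example (not from the original question, answer, or the Ambassador project).
# Assumed names: ServiceAccount "ambassador-probe", ClusterRole "ambassador-apiserver-root",
# namespace "ambassador", CA bundle "ca.crt". IP 12.197.35.74 and the port mapping are
# taken from the question's `kb get svc` output.
set -eu

# Constructed sample: the 403 body from the question, used by classify_response below.
SAMPLE_403=$(cat <<'EOF'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {  },
  "code": 403
}
EOF
)

# Check 1: which node port fronts a given service port?
# $1 = PORT(S) column, e.g. "80:31270/TCP,443:31729/TCP"; $2 = service port.
# Prints nothing when the service port is not exposed at all.
nodeport_for() {
  printf '%s\n' "$1" | tr ',' '\n' | awk -F'[:/]' -v p="$2" '$1 == p { print $2; exit }'
}

# Check 2: who answered? kube-apiserver returns a v1 Status object that names the
# authenticated user; an anonymous 403 means the request never carried credentials.
classify_response() {
  case $1 in
    *'"kind": "Status"'*'system:anonymous'*) echo "apiserver-anonymous-403" ;;
    *'"kind": "Status"'*)                    echo "apiserver-status" ;;
    *)                                       echo "other" ;;
  esac
}

# Steps 1 and 2 of the answer: ServiceAccount plus a ClusterRole bound to it.
# The rule grants exactly the access the 403 complained about and nothing more;
# widen it deliberately, not by reaching for cluster-admin.
render_rbac() {
  ns=$1; sa=$2; role=$3
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $role
rules:
- nonResourceURLs: ["/"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $role
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# Step 3 of the answer: present the ServiceAccount's bearer token to the URL.
# Needs a live cluster, so it only runs when the script is invoked as `... apply`.
# `kubectl create token` mints a short-lived token (Kubernetes 1.24+); the CA
# bundle path is an assumption, never replace it with `curl -k`.
probe_with_token() {
  ns=$1; sa=$2; role=$3; url=$4
  render_rbac "$ns" "$sa" "$role" | kubectl apply -f -
  token=$(kubectl -n "$ns" create token "$sa")
  curl -sS --cacert "${CA_CERT:-ca.crt}" -H "Authorization: Bearer $token" "$url"
}

if [ "${1:-}" = apply ]; then
  echo "Ambassador HTTPS node port: $(nodeport_for '80:31270/TCP,443:31729/TCP' 443)"
  probe_with_token ambassador ambassador-probe ambassador-apiserver-root https://12.197.35.74/
fi
```

Run the manifest rendering and the two checks offline; only `apply` touches a cluster. If `classify_response` reports `apiserver-anonymous-403` for the page at port 443 while `nodeport_for` says Ambassador's HTTPS is on 31729, the fix for reaching the Ambassador UI is the port in the URL, and the RBAC objects above are what a component that really must call kube-apiserver needs.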