che: chectl: Failed to connect to Kubernetes API. Unauthorized

chectl fails to start server on k8s (coreos tectonic) cluster with authentication enabled.

chectl --version

chectl/0.0.20191121-next.89a1444 darwin-x64 node-v10.17.0

Steps to reproduce

chectl server:start

    → Failed to connect to Kubernetes API. Unauthorized
    👀  Looking for an already existing Che instance
 ›   Error: Failed to connect to Kubernetes API. Unauthorized

Runtime

  • kubernetes:
kubectl version

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-11-14T04:24:34Z", GoVersion:"go1.12.13", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6+coreos.2", GitCommit:"0c227501efd8f0c62e5f75049ad7abb5a1d801ac", GitTreeState:"clean", BuildDate:"2019-02-02T03:18:42Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

kubectl configuration file in default location: ~/.kube/config

kubectl get nodes

NAME                       AGE
k-master01.domain.local   594d
k-node01.domain.local     594d
k-node02.domain.local     594d
k-node03.domain.local     594d
k-node04.domain.local     594d
k-node05.domain.local     594d
k-node06.domain.local     594d

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Comments: 22 (6 by maintainers)

Most upvoted comments

Hi yes, I tried that. But the problem in getting access token from PKS authentication service. I used this way to do the deployment. I have connected to k8s cluster used the PKS authentication. Then I created kubectl proxy connection and used an internal k8s service account and deployed Che used chectl through this connection. For example it way:

Deploy service account “deployer”

kubectl create sa deployer kubectl create clusterrolebinding deployer --clusterrole cluster-admin --serviceaccount default:deployer

Get necessary information from k8s cluster

KUBE_DEPLOY_SECRET_NAME=`kubectl get sa deployer -o jsonpath=‘{.secrets[0].name}’` KUBE_API_TOKEN=`kubectl get secret $KUBE_DEPLOY_SECRET_NAME -o jsonpath=‘{.data.token}’|base64 --decode` KUBE_API_CERT=`kubectl get secret $KUBE_DEPLOY_SECRET_NAME -o jsonpath=‘{.data.ca.crt}’|base64 --decode`

Start kubectl proxy in the background

kubectl proxy &

Create kubectl config

export KUBECONFIG=~/.kube/config-deployer echo $KUBE_API_CERT > deploy.crt kubectl config set-cluster k8s --server=http://127.0.0.1:8001 --certificate-authority=deploy.crt --embed-certs=true kubectl config set-credentials k8s-deployer --token=$KUBE_API_TOKEN kubectl config set-context k8s --cluster k8s --user k8s-deployer kubectl config use-context k8s kubectl get all # it actually works!

+1
asavin-cl on Jul 30, 2020

We’ve added --skip-kubernetes-health-check flag to skip that kind of pre-flight check. So, please update to the latest version: chectl update next and try again.

+1
tolusha on May 5, 2020

Can someone kindly help me? It is a month that I have built a k8s/rancher cluster just to install Eclipse/CHE and I have not reached that goal.

+1
mgiammarco on Apr 30, 2020
Read more comments on GitHub
← che: Che Theia with low CPU limit doesn't work properly
che: Custom Stack by 'stacks-archetype' does not work  →