kubeflow: User None is not authorized to list ... for namespace: anonymous

/kind bug

What steps did you take and what happened: Installed kubeflow 1.0. While trying to create notebook server I am getting errors like:

User None is not authorized to list kubeflow.org.v1beta1.notebooks for namespace: anonymous

and

User None is not authorized to list .v1.persistentvolumeclaims for namespace: anonymous

What did you expect to happen: Successfully create notebook servers

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

  • Kubeflow version: (version number can be found at the bottom left corner of the Kubeflow dashboard): 1.0
  • kfctl version: (use kfctl version): 1.0-rc3
  • Kubernetes platform: (e.g. minikube) AWS kops
  • Kubernetes version: (use kubectl version): 1.15.1
  • OS (e.g. from /etc/os-release): Ubuntu 18.04

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 10
  • Comments: 50 (32 by maintainers)

Most upvoted comments

Issue-Label Bot is automatically applying the labels:

Label Probability
kind/bug 0.98

Please mark this comment with 👍 or 👎 to give our bot feedback! Links: app homepage, dashboard and code for this bot.

+4
issue-label-bot[bot] on Feb 4, 2020

@jlewi @swiftdiaries I believe that supporting the non auth use case by writing alternate paths in our apps is not a very scalable option long term.

I would propose hardcoding a user, like @jlewi proposes. This could be done with an Istio rule to add a userid header to every request coming from the istio gateway.

+2
yanniszark on Feb 5, 2020

@hexiaoting if you have the profile in a file called profile.yaml, you can run it using kubectl apply -f profile.yaml. It’d then create a namespace called kubeflow-anonymous.

Thanks a lot

+1
hexiaoting on Feb 15, 2020

@hexiaoting the manifest in the config you mention installs istio-ingressgateway as a NodePort service and port number 31380 as the port exposing http2 for the ingress gateway connection.

Was Istio previously installed in your setup? Or did you make changes after the kfctl installation?

I reinstalled everything. It’s Ok now, Thank you

+1
hexiaoting on Feb 15, 2020

@hexiaoting if you have the profile in a file called profile.yaml, you can run it using kubectl apply -f profile.yaml. It’d then create a namespace called kubeflow-anonymous.

+1
shuaibiyy on Feb 14, 2020

@hexiaoting could you please look to install with: https://github.com/kubeflow/manifests/blob/v1.0-branch/kfdef/kfctl_k8s_istio.yaml

The v1.0.0 config: https://github.com/kubeflow/manifests/blob/v1.0-branch/kfdef/kfctl_k8s_istio.v1.0.0.yaml

Is not updated yet and I’m working to refresh all v1.0.0 configurations.

+1
krishnadurai on Feb 14, 2020

@swiftdiaries I believe that tracing the headers through each hop (with something like tcpdump) will reveal the underlying issue.

+1
yanniszark on Feb 6, 2020
Read more comments on GitHub
← kubeflow: the kubeflow installation is stuck on the microk8s.enable kubeflow
pipelines: [backend] caching fails when task pods have `WorkflowTaskResults` RBAC (argo 3.4 change) →