kubernetes: Can't access cluster master endpoint after upgrade from 1.5.4 to 1.6.0
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.):
What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.): system:anonymous User “system:anonymous” cannot get at the cluster scope upgrade
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT
Kubernetes version (use kubectl version): 1.6.0
Environment:
- Cloud provider or hardware configuration: GCE
- OS (e.g. from /etc/os-release): Linux
- Kernel (e.g. uname -a):
- Install tools: gcloud sdk 150.0.0
- Others:
What happened: I upgraded our cluster from 1.5.4 to 1.6.0 and as a result I am no longer able to access the kubernetes dashboard that was available on the cluster master endpoint. The error I get is 403: User “system:anonymous” cannot get at the cluster scope.: “No policy matched.\nUnknown user "system:anonymous"”
What you expected to happen: I would expect to be able to get to the /ui endpoint to access the kubernetes dashboard on the cluster master endpoint after I am prompted for the username and password.
How to reproduce it (as minimally and precisely as possible):
- Start with a container cluster with a master version 1.6.0 and node version 1.5.4
- Run gcloud container clusters upgrade jlp-food-subscriptions-perf --cluster-version=1.6.0
- Hit the cluster master endpoint/ui url in the browser
- Get the error: User “system:anonymous” cannot get at the cluster scope.: “No policy matched.\nUnknown user "system:anonymous"”
Anything else we need to know:
About this issue
- State: closed
- Created 7 years ago
- Reactions: 6
- Comments: 23 (3 by maintainers)
The server won’t send basic auth challenges to unauthenticated requests if anonymous auth is enabled. Without a challenge, the browser will never send its basic auth credentials.
A better way to access the UI via the API is to run kubectl proxy and access http://localhost:8001/ui
To me it seems like every next release of K8s will be more and more difficult to set up, maintain, and upgrade, for simple mortals who are not using hosted GKE or OpenShift versions. And it’s totally ok, you know, people need to get paid for their work. Features are top priority, while ‘ease of use’ or “convenience” of those struggling with the open source version, are low priority. IMHO.
Same with most Hashicorp tools. Consul / vault / Nomad, are for masochists unless used in Hashicorp Atlas hosted solution… It’s a pain to see architects and DevOps spend hundreds of work hours to learn, setup, and then troubleshoot all those systems on their own. Instead - the company could’ve hosted all their apps on google App Engine or something, without even hiring the fleet of “architects” and DevOps pros 👍 , and it will be (1) faster (2) cheaper, to launch all the same products and iterate development.
Disclaimer: I’m one of those masochist DevOps who works with all those ‘great success tools’ manually, not using any hosted solution 😃 . But if it was my choice I’d migrate all our APIs and services to some out-of-the-box professionally managed service, and send home all cloud solution architects, cutting the operational costs by x5 lol.
dupe of #39722
anonymous requests and browser basic-auth prompts cannot both be enabled. To access the dashboard via the API proxy endpoint from a browser with basic auth credentials, you can either use kubectl proxy and access the dashboard via localhost (recommended), or disable anonymous requests to the API (--anonymous-auth=false) and authenticate to the API directly from the browser with basic-auth credentials (not recommended)
This is how I solved it. Please take a look. https://github.com/binudba/Troubeshooting-K8s-issues/blob/master/kube-apiserver-forbidden-messages.md
Funny thing is that on Chrome I get the error: User “system:anonymous” cannot get at the cluster scope.: “No policy matched.\nUnknown user "system:anonymous"”.
Safari asks for login/password and dashboard can be accessed no problem…
I am also facing the same issue. I have 1.6.4 version of kubernetes on Ubuntu 16.04
Request https://ip::6443/ui.html Response User “system:anonymous” cannot get at the cluster scope.
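The behaviour described in the maintainer replies above, as a small Go model added here for illustration; it is not kube-apiserver code, and the handler, the admin credentials and the realm are constructed assumptions. It shows why a browser never gets a login prompt when anonymous requests are enabled (403 with no challenge), and why it does once they are disabled (401 with a challenge).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// apiServer is a simplified model (an assumption): authenticate, challenge on failure, then authorize.
func apiServer(anonymousAuth bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := ""
		if u, p, sent := r.BasicAuth(); sent {
			if u == "admin" && p == "constructed-password" { // constructed credentials
				user = u
			}
		} else if anonymousAuth {
			user = "system:anonymous" // no credentials sent: authentication "succeeds", no 401
		}
		if user == "" {
			w.Header().Set("WWW-Authenticate", `Basic realm="example"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if user == "system:anonymous" { // no policy matches the anonymous user
			http.Error(w, fmt.Sprintf("User %q cannot get at the cluster scope.", user), http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "dashboard")
	})
}

// probe sends GET /ui and returns the status code and whether a basic-auth challenge was sent.
func probe(anonymousAuth, sendCreds bool) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/ui", nil)
	if sendCreds {
		req.SetBasicAuth("admin", "constructed-password")
	}
	rec := httptest.NewRecorder()
	apiServer(anonymousAuth).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate") != ""
}

func main() {
	for _, anon := range []bool{true, false} {
		code, challenged := probe(anon, false)
		fmt.Println("anonymous-auth:", anon, "status:", code, "challenge:", challenged)
	}
}
```

In this model, a client that sends valid credentials up front is served either way; only clients that wait for a challenge, as browsers do, are stuck as system:anonymous.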