Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to negotiate api version after upgrading to 1.3.0 with non-default username #29198

Closed
JorritSalverda opened this issue Jul 19, 2016 · 8 comments
Closed

Failed to negotiate api version after upgrading to 1.3.0 with non-default username #29198

JorritSalverda opened this issue Jul 19, 2016 · 8 comments
Labels
area/kubectl priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now.

Comments

@JorritSalverda
Copy link

I upgraded the master version of 2 GKE clusters from 1.2.4 to 1.3.0.

Unfortunately kubectl no longer wants to connect and gives the following error

Client Version: version.Info{Major:"1", Minor:"2", GitVersion:"v1.2.4", GitCommit:"3eed1e3be6848b877ff80a93da3785d9034d0a4f", GitTreeState:"clean"}

error: failed to negotiate an api version; server supports: map[], client supports: map[v1:{} metrics/v1alpha1:{} extensions/v1beta1:{} componentconfig/v1alpha1:{} batch/v1:{} autoscaling/v1:{} author
ization.k8s.io/v1beta1:{}]

The apis also no longer work when connecting to them directly, they return messages like

Forbidden: "/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/"

The issue seems to be related to a non-default username - k8s_admin instead of admin - because all my other clusters with default name didn't have this issue.

I had to create new clusters to solve the issue.
@pwittrock pwittrock added 0 - Triage priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. labels Jul 19, 2016
@pwittrock
Copy link
Member

@lavalamp Does this look like it might be related to CSI or auth?

@pwittrock
Copy link
Member

cc @erictune for potential auth issue

@erictune
Copy link
Member

@cjcullen for GKE auth issue.

@cjcullen
Copy link
Member

This is a bug in our abac file: See #28869.

@cjcullen
Copy link
Member

I've got a PR out to fix it: #29164

@pwittrock
Copy link
Member

Closing as a dup

@pwittrock
Copy link
Member

@JorritSalverda Thanks for reporting. We will publish steps to work around this until it is resolved for anyone else who encounters it.

@cjcullen
Copy link
Member

To workaround until it is fixed, you can add a line to the master's abac-authz-policy.jsonl file:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"custom_username", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}

and then restart the kube-apiserver (docker kill it, and let it restart).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/kubectl priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@JorritSalverda @apelisse @cjcullen @pwittrock @erictune