authorization-mode=AlwaysAllow & getting 401

Am I missing something? I was expecting curl -k start to work after I specified authorization-mode=AlwaysAllow

[node1 ~]$ ps 30032
30032 ?        Ssl    0:24 kube-apiserver --advertise-address= --allow-privileged=true --authorization-mode=AlwaysAllow --client-ca-file=/etc/kubernetes/pki/ca.crt
[node1 ~]$ 
[node1 ~]$ curl -k
curl: (7) Failed connect to; Connection refused
[node1 ~]$ curl -k
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}[node1 ~]$ 

Hi AI_K:

  • --client-ca-file string If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is AUTHENTICATED with an identity corresponding to the CommonName of the client certificate. (see kube-apiserver | Kubernetes)
  • --authorization-mode strings Default: “AlwaysAllow” Ordered list of plug-ins to do AUTHORIZATION on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node.

My guess is that Kubernetes is trying to authorize your client’s request (curl) by authenticating it using the identity specified in your request (none) when it expects the CommonName in one certificate signed by the CA certificate that you provide ( /etc/kubernetes/pki/ca.crt). So, you are querying the API using the identity anonymous:

Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated

So the query to the API is authenticated (the API server accept the query), but then, when K8s checks if the user anonymous has permissions to query the “/” endpoint, it gets forbidden. The identity anonymous has restricted permissions, so maybe you should change the endpoint to to something like https://$APIip:6443/api/v1/pods to get the list of pods running in the default namespace… (If it was not authenticated the error is something link “cannot authenticate” or something like that).

Another option may be changing the permissions of the system:anonymous or group system:unauthenticated (please, bear in mind this is potentially very risky).

Best regards,