What does Unknown user "client" mean?

Solution 1:

This happens when you disable Legacy Authorisation in the cluster settings, because the client certificate that you are using is a legacy authentication method. So it looks like what is happening is the client authentication succeeds but the authorisation fails, as expected. ("Unknown user" in the error message, confusingly, seems to mean the user is unknown to the authorisation system, not to the authentication system.)

You can either disable the use of the client certificate with

gcloud config unset container/use_client_certificate

and then regenerate your kubectl config with

gcloud container clusters get-credentials my-cluster

Or you can simply re-enable Legacy Authorisation in the cluster settings in the Google Cloud Console, or using the command:

gcloud container clusters update [CLUSTER_NAME] --enable-legacy-authorization

Solution 2:

I understand this issue has now been resolved, but I would like to add some information about why this issue can occur, as it may be useful to anyone who comes across a similar issue.

Kubernetes Engine users can authenticate to the Kubernetes API using Google OAuth2 access tokens, which means that when users create a new cluster, Kubernetes Engine configures kubectl to authenticate the user to the cluster.

It's also possible to authenticate to the cluster using legacy methods, which include using the cluster certificate and/or a username and password. This is defined in the gcloud config.

The configuration of gcloud in, for example, the Cloud Shell may be different from an installation of gcloud elsewhere, for example on a home workstation.

The:

Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

error suggests that gcloud config set container/use_client_certificate is set to True, i.e. that gcloud is expecting a client cluster certificate to authenticate to the cluster (this is what the 'client' in the error message refers to).

As @Yanwei has discovered, unsetting container/use_client_certificate by issuing the following command in the gcloud config ends the need for a legacy certificate or credentials and prevents the error message:

gcloud config unset container/use_client_certificate

Issues such as this may be more likely if you are using an older version of gcloud on your home workstation or elsewhere.

There is some information on this here.

Solution 3:

Found out there is some issue with gcloud config. This command solved it:

gcloud config unset container/use_client_certificate

Solution 4:

In addition to setting

gcloud config unset container/use_client_certificate

also make sure you do not have this environment variable set to True:

CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE
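The answers above name three places the legacy client-certificate path can be switched on: the gcloud property, the CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE variable, and the kubeconfig that get-credentials wrote. The script below is an added diagnostic helper, not code from any of the answers or from Google's tooling. It assumes the kubeconfig layout that gcloud container clusters get-credentials produces (a legacy user entry carries client-certificate-data, an OAuth2 user entry carries an auth-provider or exec section); the two embedded kubeconfig snippets are constructed samples, not real credentials, and gcloud config get-value is only consulted if gcloud is installed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the answers above). Shows which of the
# three switches would make kubectl present the legacy certificate, i.e. the
# request that the API server maps to user "client" and RBAC then rejects.

# Constructed sample kubeconfig user entries (placeholder data, not real keys).
SAMPLE_LEGACY='apiVersion: v1
kind: Config
users:
- name: gke_example-project_us-central1-a_my-cluster
  user:
    client-certificate-data: Q09OU1RSVUNURUQ=
    client-key-data: Q09OU1RSVUNURUQ='

SAMPLE_OAUTH='apiVersion: v1
kind: Config
users:
- name: gke_example-project_us-central1-a_my-cluster
  user:
    auth-provider:
      name: gcp'

# Exit 0 when the client-certificate setting is on in either place gcloud reads
# it: the CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE variable, or the
# container/use_client_certificate property whose value is passed as $1
# (passed in, rather than read here, so the check runs without gcloud).
client_cert_enabled() {
  for v in "${CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE:-}" "${1:-}"; do
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
      true|1|yes) return 0 ;;
    esac
  done
  return 1
}

# Classify how the kubeconfig text in $1 authenticates its user entry:
# "client-cert" (legacy certificate), "token" (OAuth2 via auth-provider or
# exec plugin), or "unknown".
kubeconfig_auth_kind() {
  if printf '%s\n' "$1" | grep -q '^ *client-certificate-data:'; then
    echo client-cert
  elif printf '%s\n' "$1" | grep -Eq '^ *(auth-provider|exec):'; then
    echo token
  else
    echo unknown
  fi
}

# Report the active path for the kubeconfig text in $1. Returns 1 when the
# legacy certificate would be sent, 0 when the OAuth2 token path is in use.
diagnose() {
  # Property value from gcloud if present; empty when gcloud is not installed.
  cfg=$(gcloud config get-value container/use_client_certificate 2>/dev/null || true)
  kind=$(kubeconfig_auth_kind "$1")
  if client_cert_enabled "$cfg" || [ "$kind" = client-cert ]; then
    echo "legacy client certificate path is active (kubeconfig: $kind)"
    echo "fix: unset CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE, run" \
         "'gcloud config unset container/use_client_certificate', then" \
         "re-run 'gcloud container clusters get-credentials <cluster>'"
    return 1
  fi
  echo "OAuth2 token path is active (kubeconfig: $kind); no legacy certificate in use"
  return 0
}

# Stand-alone run against the constructed samples.
diagnose "$SAMPLE_LEGACY" || true
diagnose "$SAMPLE_OAUTH"
```

To check a real workstation, pass the contents of your own kubeconfig instead of the samples, e.g. diagnose "$(cat ~/.kube/config)"; a result of "client-cert" in the kubeconfig after unsetting the property means get-credentials has not yet been re-run.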