error: You must be logged in to the server (Unauthorized) #30

Open
dotbalo opened this issue Jun 13, 2019 · 1 comment

dotbalo commented Jun 13, 2019

Hi, thank you very much for your documentation. I deployed custom-metrics-api in my cluster and no error was reported during the deployment process. But when I executed the 'kubectl get --raw "/apis/custom.metrics.k8s.io/v1beta1" | jq .' command, I got the following error:

error: You must be logged in to the server (Unauthorized)

logs:

I0613 03:59:15.327246       1 request.go:897] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/","verb":"get"},"user":"system:anonymous","group":["system:unauthenticated"]},"status":{"allowed":false}}
I0613 03:59:15.327513       1 authorization.go:73] Forbidden: "/", Reason: ""
I0613 03:59:15.327730       1 wrap.go:42] GET /: (12.371276ms) 403 [[Go-http-client/2.0] 177.245.72.64:21169]
W0613 03:59:24.780796       1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]
E0613 03:59:24.780859       1 authentication.go:62] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not allowed, x509: certificate signed by unknown authority]
I0613 03:59:24.781005       1 wrap.go:42] GET /apis/custom.metrics.k8s.io/v1beta1?timeout=32s: (696.518µs) 401 [[kube-controller-manager/v1.13.6 (linux/amd64) kubernetes/abdda3f/system:serviceaccount:kube-system:resourcequota-controller] 177.245.72.64:18907]
W0613 03:59:26.187626       1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]
E0613 03:59:26.187716       1 authentication.go:62] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not allowed, x509: certificate signed by unknown authority]
I0613 03:59:26.187866       1 wrap.go:42] GET /apis/custom.metrics.k8s.io/v1beta1?timeout=32s: (822.578µs) 401 [[kube-apiserver/v1.13.6 (linux/amd64) kubernetes/abdda3f] 177.245.72.64:18907]
W0613 03:59:29.071907       1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]
E0613 03:59:29.071978       1 authentication.go:62] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not allowed, x509: certificate signed by unknown authority]
I0613 03:59:29.072126       1 wrap.go:42] GET /apis/custom.metrics.k8s.io/v1beta1?timeout=32s: (669.407µs) 401 [[kube-apiserver/v1.13.6 (linux/amd64) kubernetes/abdda3f] 10.103.236.179:36320]
I0613 03:59:29.923974       1 request.go:897] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/","verb":"get"},"user":"system:anonymous","group":["system:unauthenticated"]},"status":{"allowed":false}}
I0613 03:59:29.924301       1 round_trippers.go:386] curl -k -v -XPOST  -H "Content-Type: application/json" -H "Accept: application/json, */*" -H "User-Agent: adapter/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Bearer <service account token removed>" 'https://50.96.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews'
I0613 03:59:29.935204       1 round_trippers.go:405] POST https://50.96.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews 201 Created in 10 milliseconds
I0613 03:59:29.935264       1 round_trippers.go:411] Response Headers:
I0613 03:59:29.935281       1 round_trippers.go:414]     Content-Length: 260
I0613 03:59:29.935295       1 round_trippers.go:414]     Date: Thu, 13 Jun 2019 04:01:00 GMT
I0613 03:59:29.935308       1 round_trippers.go:414]     Content-Type: application/json
I0613 03:59:29.935406       1 request.go:897] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/","verb":"get"},"user":"system:anonymous","group":["system:unauthenticated"]},"status":{"allowed":false}}
I0613 03:59:29.935612       1 authorization.go:73] Forbidden: "/", Reason: ""
I0613 03:59:29.935817       1 wrap.go:42] GET /: (12.205904ms) 403 [[Go-http-client/2.0] 10.103.236.179:36294]
W0613 03:59:30.791929       1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]
E0613 03:59:30.791994       1 authentication.go:62] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not allowed, x509: certificate signed by unknown authority]
I0613 03:59:30.792143       1 wrap.go:42] GET /apis/custom.metrics.k8s.io/v1beta1?timeout=32s: (696.288µs) 401 [[kube-controller-manager/v1.13.6 (linux/amd64) kubernetes/abdda3f/system:serviceaccount:kube-system:generic-garbage-collector] 177.245.72.64:18907]
W0613 03:59:32.541963       1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]
E0613 03:59:32.542042       1 authentication.go:62] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not allowed, x509: certificate signed by unknown authority]
I0613 03:59:32.542186       1 wrap.go:42] GET /apis/custom.metrics.k8s.io/v1beta1?timeout=32s: (672.224µs) 401 [[kube-controller-manager/v1.13.6 (linux/amd64) kubernetes/abdda3f/system:serviceaccount:kube-system:generic-garbage-collector] 177.245.72.64:18907]
I0613 03:59:34.996385       1 authorization.go:73] Forbidden: "/", Reason: ""
I0613 03:59:34.996529       1 wrap.go:42] GET /: (386.223µs) 403 [[Go-http-client/2.0] 177.253.180.64:49696]

Looking at the log, it looks like a certificate issue.

My cluster was deployed manually, not using kubeadm. When I created the cluster, I generated the following certificates:

admin.csr
admin-key.pem
admin.pem
apiserver.csr
apiserver-key.pem
apiserver.pem
ca.csr
ca-key.pem
ca.pem
controller-manager.csr
controller-manager-key.pem
controller-manager.pem
front-proxy-ca.csr
front-proxy-ca-key.pem
front-proxy-ca.pem
front-proxy-client.csr
front-proxy-client-key.pem
front-proxy-client.pem
kubelet-key.pem
kubelet.pem
sa.key
sa.pub
scheduler.csr
scheduler-key.pem
scheduler.pem

Then I tried changing the CA certificate in the Makefile, re-ran make certs, and finally redeployed the custom-metrics-api, but I still have this problem. Is there a solution?

Kubernetes Version:

[root@k8s-master01 k8s-prom-hpa]# kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.6", GitCommit:"abdda3f9fefa29172298a2e42f5102e777a8ec25", GitTreeState:"clean", BuildDate:"2019-05-08T13:53:53Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.6", GitCommit:"abdda3f9fefa29172298a2e42f5102e777a8ec25", GitTreeState:"clean", BuildDate:"2019-05-08T13:46:28Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}


@tanjunchen

See W0613 03:59:30.791929 1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]. x509?

I guess that your aggregator is wrong; kubeadm is enabled by default. Binary installed clusters need to be added manually.
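
The two rejections in the log above (client certificate CN not in the allowed list, and client certificate signed by an untrusted CA) can be pulled out of the adapter log mechanically. The script below is an added example, not part of the thread or of the project. It assumes the adapter takes its allowed names and client CA from the `extension-apiserver-authentication` ConfigMap or from equivalent `--requestheader-allowed-names` / `--requestheader-client-ca-file` settings, and its function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: triage front-proxy (request-header) auth rejections logged by
# an extension API server. Values to compare against on a live cluster:
#   kubectl -n kube-system get configmap extension-apiserver-authentication -o yaml
#   openssl x509 -in front-proxy-client.pem -noout -subject -issuer

# Lines copied from the log in the issue above.
SAMPLE_LOG='W0613 03:59:24.780796       1 x509.go:172] x509: subject with cn=front-proxy-client is not in the allowed list: [aggregator]
E0613 03:59:24.780859       1 authentication.go:62] Unable to authenticate the request due to an error: [x509: subject with cn=front-proxy-client is not allowed, x509: certificate signed by unknown authority]
I0613 03:59:34.996385       1 authorization.go:73] Forbidden: "/", Reason: ""'

# stdin: log text. stdout: "<presented CN> <allowed names...>", de-duplicated.
rejected_pairs() {
  sed -n 's/.*subject with cn=\([^ ]*\) is not in the allowed list: \[\(.*\)\]$/\1 \2/p' | sort -u
}

# cn_allowed CN "name1 name2 ...": succeeds if CN is in the allowed list.
# An empty list accepts any CN whose certificate chains to the request-header CA.
cn_allowed() {
  [ -z "$2" ] && return 0
  for _name in $2; do
    [ "$_name" = "$1" ] && return 0
  done
  return 1
}

# triage LOG: prints one "; "-separated line of findings, empty if none.
triage() {
  _out=""
  while read -r _cn _allowed; do
    [ -n "$_cn" ] || continue
    cn_allowed "$_cn" "$_allowed" || _out="${_out}cn-not-allowed cn=${_cn} allowed=[${_allowed}]; "
  done <<EOF
$(printf '%s\n' "$1" | rejected_pairs)
EOF
  if printf '%s\n' "$1" | grep -q 'certificate signed by unknown authority'; then
    _out="${_out}untrusted-client-ca; "
  fi
  printf '%s\n' "${_out%; }"
}

triage "$SAMPLE_LOG"
```

Both findings point at the same pair of settings: the CN and issuing CA of the certificate kube-apiserver passes as `--proxy-client-cert-file` have to agree with the allowed names and client CA that the extension API server trusts.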
