Host failed to inject client certificate with authenticator authn-k8s service Unauthorized

Hi all, I hope I’m not the only one with this issue. I followed all the steps and my host is a member of the consumers group that has authenticate access to the web service, but this error is still showing up.

I resolved this once in a different environment, but now it seems impossible.

Any ideas?

Thanks in advance,

  1. Can you see successful authentication events from the host to the Conjur node?
     docker exec conjur grep "<host/identity>" /var/log/conjur/audit.json
  2. Does your service account have the rights it needs to use the k8s API?
     a. kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]
        kubectl auth can-i get pods --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list pods --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get serviceaccounts --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list serviceaccounts --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get extensions.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list extensions.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get extensions.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list extensions.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get apps.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get apps.statefulsets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get apps.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list apps.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list apps.statefulsets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i list apps.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i create pods/exec --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
        kubectl auth can-i get pods/exec --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace

     b. Are your roles and bindings configured correctly?
  3. Have you tried enabling debug on the Conjur node to see more information?
     a. docker exec conjur evoke variable set CONJUR_LOG_LEVEL debug
  4. Have you tried to manually authenticate to the k8s API from the Conjur host?
     AUTH_ID="your_k8s_id" # the service ID only, i.e. the <id> part of conjur/authn-k8s/<id>
     conjur variable value "conjur/authn-k8s/$AUTH_ID/kubernetes/ca-cert" > ./api-cert.pem
     API_SAT="$(conjur variable value "conjur/authn-k8s/$AUTH_ID/kubernetes/service-account-token")"
     API_URL="$(conjur variable value "conjur/authn-k8s/$AUTH_ID/kubernetes/api-url")"
     curl -s "$API_URL/openapi/v2" --header "Authorization: Bearer $API_SAT" --cacert ./api-cert.pem | more

     This should result in a list of the available API endpoints from the cluster.
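The step-2 checklist above is a dozen `kubectl auth can-i` calls that are easy to run one at a time and then lose track of. The script below is an added example, not from this thread and not CyberArk's own tooling: it runs the whole list in one pass for a given namespace and service account and reports every permission the authenticator's service account is missing, exiting non-zero if any is absent. It assumes `kubectl` is on PATH with a context that may impersonate service accounts (`--as`), uses the `resource.group` spelling (`deployments.apps`) that `kubectl` accepts for namespaced resources, and treats the `my_namespace` / `myserviceaccount` names as placeholders. The `KUBECTL` variable is only a hook so the command can be swapped for a stub when testing the script itself.

```shell
#!/bin/sh
# Added example: run the authn-k8s RBAC checklist in one pass.
# Assumptions: kubectl on PATH, current context allowed to impersonate (--as).
# KUBECTL can be overridden (e.g. with a stub) for offline testing.
KUBECTL="${KUBECTL:-kubectl}"

# verb:resource pairs the authenticator needs, taken from the checklist above
# (resource.group form; pods/exec is a subresource of pods)
AUTHN_K8S_CHECKS="
get:pods list:pods
get:serviceaccounts list:serviceaccounts
get:deployments.apps list:deployments.apps
get:statefulsets.apps list:statefulsets.apps
get:replicasets.apps list:replicasets.apps
create:pods/exec get:pods/exec
"

# check_authn_k8s_rbac <namespace> <serviceaccount>
# Prints one line per check ("ok" or "MISSING"), then a count of missing
# permissions. Returns 0 only when every permission is granted.
check_authn_k8s_rbac() {
  ns="$1"
  sa="$2"
  missing=0
  for pair in $AUTHN_K8S_CHECKS; do
    verb="${pair%%:*}"
    resource="${pair#*:}"
    # kubectl exits non-zero on "no"; swallow that so the loop continues
    answer="$("$KUBECTL" auth can-i "$verb" "$resource" \
      --as="system:serviceaccount:${ns}:${sa}" -n "$ns" 2>/dev/null || true)"
    if [ "$answer" = "yes" ]; then
      printf 'ok       %-6s %s\n' "$verb" "$resource"
    else
      printf 'MISSING  %-6s %s\n' "$verb" "$resource"
      missing=$((missing + 1))
    fi
  done
  echo "missing permissions: $missing"
  [ "$missing" -eq 0 ]
}

# Usage: ./check_authn_k8s_rbac.sh my_namespace myserviceaccount
if [ "$#" -eq 2 ]; then
  check_authn_k8s_rbac "$1" "$2"
fi
```

A clean run prints `ok` for every line and `missing permissions: 0`; any `MISSING` line names the exact verb and resource the Role or ClusterRole bound to the authenticator's service account still has to grant.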

Hi, thank you very much for the response.
I took all day to reply because I basically tried to delete and recreate everything multiple times.

  1. Failed to authenticate
  2. Lack the permissions to execute any of the listed commands or I got the pod name wrong
  3. Debug mode is enabled; the only thing it says is that the host has failed to authenticate
  4. I was unable to authenticate with the cert, but I can using the host key and it is authorized to authenticate using the web service.

Now, I think the problem is the certificate, because the kube cluster URL seems to be different from what I used previously and have a signed certificate for. So I added the alt name to the cert and got it signed, and now I’m trying to replace the cert in the Conjur docker container; when I try to evoke import the cert, it says the cert is already in the hash table. Any idea how to replace it?

Thanks again

Hey @hd72,

Were you able to resolve this issue? Did you get the cert imported? I believe there is a --force option for importing the cert.