Host failed to inject client certificate with authenticator authn-k8s service Unauthorized

Hi all, I hope I’m no the only one with this issue, I followed all the steps and my host is a member of the consumers group that has authenticate access with the web service, still this error is showing up.

I resolved this once on a different environment but now it seems impossible

Any ideas?

Thanks in advance,

  1. Can you see successful authentication events from the host to the Conjur node?
    docker exec conjur grep "<host/identity>" /var/log/conjur/audit.json
  2. Does your service account have the rights it needs to use the k8s API?
    a. kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]
kubectl auth can-i get pods --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list pods --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get serviceaccounts --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list serviceaccounts --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get extensions.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list extensions.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get extensions.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list extensions.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get apps.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get apps.statefulsets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get apps.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list apps.deployments --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list apps.statefulsets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i list apps.replicasets --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i create pods/exec --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace
kubectl auth can-i get pods/exec --as=system:serviceaccount:my_namespace:myserviceaccount -n my_namespace

c. Are your roles and bindings configured correctly?
3. Have you tried enabling debug on the Conjur node to see more information?
a. docker exec conjur evoke variable set CONJUR_LOG_LEVEL debug
4. Have you tried to manually authenticate to the k8s API from the Conjur host?
AUTH_ID="your_k8s_id" # ex: conjur/authn-k8s/your_k8s_id
conjur variable value conjur/authn-k8s/$AUTH_ID/kubernetes/ca-cert > ./api-cert.pem
API_SAT="$(conjur variable value conjur/authn-k8s/$AUTH_ID/kubernetes/service-account-token)"
API_URL="$(conjur variable value conjur/authn-k8s/$AUTH_ID/kubernetes/api-url)"
curl -s $API_URL/openapi/v2 --header "Authorization: Bearer $API_SAT" --cacert ./api-cert.pem | more

This should result in a list of the available API endpoints from the cluster.

Hi, thank you very much for the response .
I took all day to reply because I basically tried to delete and recreate all multiple times.

  1. Failed to authenticate
  2. Lack the permissions to execute any of the listed commands or I got the pod name wrong
  3. Debug mode is enabled, the only thing it says is the the host has failed to authenticate
  4. I was unable to authenticate with the cert, but I can using the host key and it is authorized to authenticate using the web service.

Now, I think the problem is the certificate, because the kub cluster url seems to be different form what I used previously and have a signed certificate for, so I added the Alt name to the cert and got it signed, now I’m trying to replace the cert in Conjur docker container and when I try to evoke import cert it says the cert is already in the hash table, any idea how to replace it?

Thanks again