I have a microservice on Kubernetes. It is scaled up to 4 pods. I have created one object to set some value dynamically using a REST API, but that object will be updated on a single pod by the REST API. I have to share the same value on 3 more pods with a single URL at the same time without restarting the application.
I was thinking of Hazelcast for this requirement, but it requires admin privileges which I cannot provide.
Error:
{"date":"2019-03-19T08:30:32.920+00:00","loglevel":"ERROR","logger_name":"com.hazelcast.internal.cluster.impl.DiscoveryJoiner","thread_name":"main","message":"[10.128.10.37]:5701 [some-group] [3.10.2] Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/somespace/endpoints/some-service . Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. endpoints \"some-service\" is forbidden: User \"system:serviceaccount:some-test:default\" cannot get endpoints in the namespace \"somespace\": User \"system:serviceaccount:some-test:default\" cannot get endpoints in project \"somespace\".","stack_trace":"io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/gaming/endpoints/some-service . Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. endpoints \"some-service\" is forbidden: User \"system:serviceaccount:some-test:default\" cannot get endpoints in the namespace \"gaming\": User \"system:serviceaccount:some-test:default\" cannot get endpoints in project \"gaming\".\n\tat io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)\n\tat io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)\n\tat io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)\n\tat io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)\n\tat io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:312)\n\tat io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:295)\n\tat io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:787)\n\tat io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:217)\n\tat 
io.fabric8.kubernetes.client
When sending a request to the API, it throws an NPE at the api.listPodForAllNamespaces step. Could you please advise what the correct configuration should be here?
As the error says:
pods is forbidden: User \"system:serviceaccount:sds-test:default\" cannot list resource \"pods\"
This means that the service account "default" in the namespace sds-test does not have the appropriate permissions to list pods. You are probably not specifying a service account when you deploy; Kubernetes will automatically assign you the default service account.
You need to create a ServiceAccount, grant it the required access using a Role and RoleBinding, then update your Deployment/Pod to use the newly created ServiceAccount. Details can be found here.
I have a dockerized Spring Boot app running on AWS Fargate in a private subnet on ECS, sitting behind a load balancer. I created VPC PrivateLink endpoints to AWS services so that the task has access to ECR, ECS, S3, etc. for the purposes of building and saving the image. I also exposed an SNS endpoint so that the service can access SNS. I can see in the logs that traffic is reaching the Spring Boot app.
I created a user called "myapp-sns-access", authorized it to publish to topics and generated programmatic credentials, stored them in AWS Secrets Manager, and have them passed in as environment variables inside the container definition, found under the task definition ("value-from" and secret ARN).
The Spring Boot service has an endpoint that calls AWS SNS. I cannot figure out why I keep getting this error:
com.amazonaws.services.sns.model.AmazonSNSException: '"SNS_SECRET_KEY":"XXXXX"}/20220811/us-east-1/sns/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential={"SNS_ACCESS_KEY_ID":"CORRECT_ACCESS_ID","SNS_SECRET_KEY":"CORRECT_SECRET_KEY"}/20220811/us-east-1/sns/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;amz-sdk-retry;host;user-agent;x-amz-date, Signature=XXXXREDACTEDXXXX'. (Service: AmazonSNS; Status Code: 400; Error Code: IncompleteSignature; Proxy: null)
I can see that the service is receiving the credentials from AWS Secrets Manager (notice above), but I guess the AWS SDK is failing to handle the auth portion of the SNS call for some reason that I cannot figure out.
Here's the Gradle import:
// https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk
implementation group: 'com.amazonaws', name: 'aws-java-sdk', version: '1.12.253'
This all works locally, so I wonder if there's some weird auth flow / access to some auth server that I need to create an endpoint for in order for the service to create the auth headers correctly. I triple-checked for typos in the secrets and refreshed them. I also opened up my security groups and allowed all traffic on all ports (for testing purposes).
Appreciate your time.
Update: I swapped out the PrivateLink endpoints for a NAT gateway, and I tried role-based authorization and it's still not working.
I currently have an app on AWS that uses Spring Boot microservices for the back end and ReactJS for the front end.
The way it currently works is that a user logs in using a username and password and a fetch call is made to an account microservice. There I do a basic username and password check against the DB and send back a True or False response.
If True, the user gets logged in and redirected to the products page, where a fetch call is made to the product service to get the list of all products.
I now want to introduce JWT authorisation, so that calls to the product service can only be made by logged-in users.
My question is: can I introduce it in my current account service, or do I have to put something in front of both services (currently they share a load balancer)? Or maybe I need to direct product service traffic through the account service?
Also, if I can introduce it in my current account service, how do I share the required key with the product service so it can validate the request when it comes in?
Cheers, Kris
For this purpose the generic approach is to have an API Gateway layer, i.e. a microservice which only has to take care of the following things:
Do the task of authentication and generate a JWT token for the user.
Read the roles and responsibilities after decoding the token, every time a call is made by a user, for authorization purposes.
Once you get the role of the user from here, you can create routes in the API Gateway for each service to check whether the user can access that functionality or not. In your case, let's say the user's role is "warehouse Admin" and they are eligible to take care of product and related info; then they can access the product service. For this you can do a role check at the API Gateway layer only, when the request comes in on routes related to the product service (let's say "/products"). Hence you are maintaining the authenticity checks at the API Gateway layer only.
Otherwise, if you want to maintain an account service as well to take care of authentication and authorization, then you have to direct the calls from the API Gateway to the account service and, once the response arrives from the account service carrying the roles and permissions for the user, route the request to the related backend services.
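The gateway flow the answer describes (issue a JWT after login, then do a per-route role check on "/products"), as an added example that is not part of the original answer. It uses the standard library only; the HS256 key, the route table and the "warehouse Admin" role mapping are constructed assumptions, and the key-sharing comment addresses the question about the product service validating tokens.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. With HS256 every service that validates tokens
# needs this same key; with RS256 only the gateway holds the private key.
SECRET = b"demo-shared-secret-not-for-production"

# Route prefix -> roles allowed, as the answer describes for "/products".
ROUTE_ROLES = {"/products": {"warehouse Admin"}, "/account": {"user", "warehouse Admin"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username, roles, ttl=3600, now=None):
    """Account/gateway side: after the password check succeeds, mint an HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "roles": roles, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never trust the token's own choice of algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not match: tampered or foreign token
        claims = json.loads(_b64url_decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("exp", 0) <= now:
            return None  # expired
        return claims
    except (ValueError, AttributeError, TypeError):  # malformed segments / base64 / JSON
        return None

def authorize(path, token, now=None):
    """Gateway check for one request: valid token AND a role allowed for that route."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    for prefix, allowed in ROUTE_ROLES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return bool(allowed & set(claims.get("roles", [])))
    return False  # unknown route: deny by default
```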
I am trying to create an app with a microservice architecture. I am using JHipster. I want to separate the backend and frontend. So first I created a JHipster UAA server for authorization named uaa, then I created a gateway with the --skip-client and --skip-user-management options, named gateway. After running them both I can log in with Postman via the /auth/login API. But when I want to get account information I am getting an API not found error. I am trying to get account information with the /uaa/api/account link because the microservice's name is uaa, but no luck. Am I missing something, or is there another setting that I forgot?
Before /uaa, /services is missing; in the end it is going to be something like /services/uaa/api/account.
Hey everyone :D I'd like to get JSON with lists of pods from OpenShift. I'm using:
Node[] nodes = template.getForObject("[url_address]/api/v1/nodes", Node[].class);
but it needs authentication, so how do I solve this problem? Any idea?
The authorization requires a valid bearer token; the default Kubernetes client library should use the service account mounted into the pod to authenticate properly. It is likely that you either do not use a client lib that does that for you, or have no proper service account bound to the pod (or the SA has no access granted to the required resources).
For that you may want to just add the access rights to the default account for this project.
https://docs.openshift.com/container-platform/3.3/admin_solutions/user_role_mgmt.html
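A worked version of the fix both Kubernetes answers above point at (a dedicated ServiceAccount, a Role, a RoleBinding, and a pod that uses the account), added here as an example and not taken from the answers or the OpenShift docs. The namespace, names and image are placeholders; the resources granted are the ones the threads fail on (endpoints for Hazelcast discovery, pods for listing).

```yaml
# Constructed example: read-only rights on endpoints and pods in one
# namespace. Cluster-scoped resources such as nodes, or listing pods
# across all namespaces, need a ClusterRole and ClusterRoleBinding
# instead of the namespaced Role/RoleBinding shown here.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-reader
  namespace: somespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myapp-reader
  namespace: somespace
rules:
- apiGroups: [""]
  resources: ["endpoints", "pods"]
  verbs: ["get", "list", "watch"]   # read-only; no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-reader
  namespace: somespace
subjects:
- kind: ServiceAccount
  name: myapp-reader
  namespace: somespace
roleRef:
  kind: Role
  name: myapp-reader
  apiGroup: rbac.authorization.k8s.io
---
# Point the workload at the new account instead of "default", so the
# token mounted into the pod carries exactly these rights and no more.
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: somespace
spec:
  serviceAccountName: myapp-reader
  containers:
  - name: myapp
    image: myapp:placeholder
```

After applying it, kubectl auth can-i get endpoints --as=system:serviceaccount:somespace:myapp-reader -n somespace should answer yes, while the same check for a verb outside the rule set should answer no.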