I am using the fabric8 library to create replication controllers on the kubernetes cluster. When I create areplication controller with the name rc-UUID.toString();
It errors aout with the following message
ReplicationController is forbidden. What does this indicate?
I don't think that the problem is the name.
Names like: rc-fa75ddfd-bea7-45b5-8d2f-ed806652b461 are valid.
Usually the message forbidden appears in one of the following cases:
i) http status code 401
ii) https status code 404
Error (i) appears when you are connecting to a remote Kubernetes Environment and can be solved by login in. Try kubectl login or oc login.
Error (ii) appears when the client is instantiated from within Kubernetes and the service account hasn't been properly configured.
Either way, I'd strongly encourage you to upgrade to a more recent version of the cabernets client, which has more meaningful error messages.
If none of my suggestion solves your issue, please attach the full output.
Cheers
Related
How do I wait in using oc command for an operator package manifest to be available?
I am trying this
❯ oc wait --for=condition=ready packagemanifest/example-manifest -n openshift-marketplace
Error from server (MethodNotAllowed): the server does not allow this method on the requested resource
This is failing because there is no ready state under spec field of package manifest
This error may occur when the server is configured in a way that does not allow you to perform a specific action for a particular URL.
Check below possible solutions :
1)Kubectl resolves are driven by discovery. Please check you may have created two resources with conflicting names one of which is not listable.
2)Check that your Application Default Credentials are configured for a different user than your credentials.
3)Also make sure that your Application Credentials environment variable isn't pointing somewhere unexpected.
I have an application running in Openshift 4.6.
The pod is running, I can exec into it and check this, I can port-forward to it and access it.
when trying to access the application, I get the error message:
Application is not available The application is currently not serving
requests at this endpoint. It may not have been started or is still
starting.
Possible reasons you are seeing this page:
The host doesn't exist. Make sure the hostname was typed correctly and
that a route matching this hostname exists.
The host exists, but doesn't have a matching path. Check if the URL
path was typed correctly and that the route was created using the
desired path.
Route and path matches, but all pods are down. Make sure that the
resources exposed by this route (pods, services, deployment configs,
etc) have at least one pod running.
There could be multiple reasons for this. You don't really provide enough debugging details to get to the next steps. But I generally find it helps to work backwards through the request.
Can you access the pod via port-forward? You say you've already tested this, but I include it for completeness. But I also mention it to make sure that you are verifying that you are serving the protocol you expect. If you have HTTPS passthrough on the route, but you are serving HTTP from your pod, there will obviously be a problem.
Can you access the pod providing your service from outside the pod (but within the cluster)? e.g. create a debug pod and see if you can connect to your service with curl some other client. If this doesn't work, you may not be exposing the ports of your pod correctly. Check the pod definitions.
Can you access the service from outside the pod (but within the cluster)? e.g. from your debug pod, use the service directly. If this doesn't work, you may have the selector on your service wrong. Or some other problem with your service. Check the service definition.
Can you access the route from inside the cluster? e.g. from your debug pod, try to use the full route URL. If this doesn't work, you've narrowed it down to the route definition. Again, HTTPS vs HTTP can sometimes be a mistake here such as having HTTPS passthrough when your service doesn't support HTTPS. Check the route definition.
Finally, try accessing the route eternally. Which is sounds like you have already tried. But if you've narrowed it down such that your route works internally you've determined that the problem is something in the external network. It doesn't sound like this is your problem, but it's something to keep in mind.
I am trying to setup a websocket connection to the Kubernetes Pod Exec API, based on the suggestions given in this SO post: How to execute command in a pod (kubernetes) using API?.
Here's what I have done so far -
Installed Simple Web Socket Client extension in Chrome.
Started kubectl proxy --disable-filter=true to run proxy with WS connections allowed. kubectl.exe version is 1.8.
Used address ws://localhost:8001/api/v1/namespaces/default/pods/nginx-3580832997-26zcn/exec?container=nginx&stdin=1&stdout=1&stderr=1&tty=1&command=%2Fbin%2Fsh in the Chrome extension to connect to the exec api.
When I click connect, Chrome reports back an error with the message -
Error during WebSocket handshake: Response must not include 'Sec-WebSocket-Protocol' header if not present in request
Apparently, kubectl is sending back empty Sec-WebSocket-Protocol header in the response and Chrome is taking offense to that.
I tried changing the code of Simple Web Socket Client open method to send empty protocols parameter to the Websocket client creation call, like - ws = new WebSocket(url, []); to coax Chrome in sending empty header in request, but Chrome doesn't send empty header.
So what can be done to directly connect to the exec in Chrome?
This is a known issue; kubectl proxy does not support websockets. (You can verify this easily by starting up kubectl proxy and then attempting kubectl --server=http://127.0.0.1:8001 exec ...; you will receive the message error: unable to upgrade connection: <h3>Unauthorized</h3> if the filter is enabled and Error from server (BadRequest): Upgrade request required if the filter is disabled).
The confusion might come from the fact that the kube-apiserver proxy does support websockets, but that proxy is different from the kubectl proxy.
As I see you have 3 options now (in order of difficulty):
Access kube-apiserver directly. You will likely need authentication that kubectl proxy is handling for you now
Use SockJS, this is what Kubernetes Dashboard does for the exec feature
Fix #25126
After reading the code in https://github.com/kubernetes-ui/container-terminal/blob/master/container-terminal.js, found that exec uses base64.channel.k8s.io protocol. The Simple Web Socket Client code wouldn't have worked because of this and also that the stream communication is in base64, not plain text.
Leaving this as an answer for other folks trying to implement a WS based terminal emulator... as #janos-lenart mentioned, the code is pretty new and there may be issues using it in different browsers, best bet at this point is to read example code and start from there.
I'm configuring the adapter for AX, all the steps in the configuration have been performed.
In the inbound ports I found this one: http://servername/MicrosoftDynamicsAxAif60/ScribeAxWebService/xppservice.svc but I get this error:
Connection Error: The HTTP request is unauthorized with client
authentication scheme 'Anonymous'. The authentication header
received from the server was 'Negotiate,NTLM'.
If I go in AX and change the security mode to "None" for using anonymous authentication then I get
The client and service bindings may be mismatched.
The remote server returned an error: (415)
Cannot process the message because the content type
'application/soap+xml; charset=utf-8' was not the
expected type 'text/xml; charset=utf-8'..
Where can I find the right one?
Your question is for propriety software, so this isn't exactly the right forum for it, but I've used some older versions of Scribe (4+ yrs ago).
I'd guess the domain user account running the Scribe service is not added as an AX user. Where are you getting "unauthorized"?
You already have indicated that web.config is changed, but there is a good example on MSDN, see the section XML Snippet from Web.Config. There are TWO changes to be made. The wsHttpBinding section, and then to each service that it's binding = "wsHttpBinding" is correct.
Finally, I also add a log file to AIF during the testing phase.
I have configured SCIM inbound provisioning in pingfederate 7.2.0 using Active Directory as an user store. But when I hit the URL exposed by ping to search for an user I get the following error on the browser-
{ "totalResults":0,"itemsPerPage":0,"startIndex":0,
"errors":[{"description":"User and/or certificate not found","code":"401"}]
}
In the logs it says
11:34:29,251 DEBUG [Authenticator] AuthnInfo: ID='null' cert:false
basic:false from CERT:'null' BASIC:'null' 11:34:29,251 ERROR [UsersIdResource]
Unable to find a connection associated with the username/password and/or
certificate passed in with the request.
11:34:29,252 DEBUG [TrackingIdSupport] [cross-reference-message]
entityid:null subject:ranajoy
Can someone please help me with this?
I was having this exact same issue. I set up my Provisioning connection correctly, and it worked in other environments, and everything looked good. But then I got this error. If I changed the Basic Auth to a bad password, the error message at least changed to "Bad Password for <user>".
I took another look at my connection and realized I never actually activated the connection: