Bug 1420621 - oadm diagnostics produces error DCli0013 or DCli0014 when /root/.kube/config contains non-system:admin contexts
Summary: oadm diagnostics produces error DCli0013 or DCli0014 when /root/.kube/config ...
Keywords:
Status: CLOSED EOL
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Luke Meyer
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-09 05:53 UTC by Kenjiro Nakayama
Modified: 2020-03-11 15:46 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-26 19:05:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2918331 None None None 2017-02-10 02:30:45 UTC

Description Kenjiro Nakayama 2017-02-09 05:53:07 UTC
Description of problem:
---
- oadm diagnostics produces error DCli0013 or DCli0014 when /root/.kube/config contains non-system:admin context


Version-Release number of selected component (if applicable):
---
- OCP 3.3.11


Steps to Reproduce:
----
1. switch root user
   # su -

2. "oc login" with non-system admin.
   # oc login
   Authentication required for https://knakayam-ose33-lb1.example.com:8443 (openshift)
   Username: test
   Password:

3. 2. will write test user's context in .kube/config

~~~
- context:
    cluster: knakayam-ose33-lb1-example-com:8443
    user: test/knakayam-ose33-lb1-example-com:8443
  name: /knakayam-ose33-lb1-example-com:8443/test
~~~

4. oc logout and oc l


Actual results:
---
- "oadm diagnostics" produce the error.

...
ERROR: [DCli0013 from diagnostic ConfigContexts@openshift/origin/pkg/diagnostics/client/config_contexts.go:285]
       For client config context '/knakayam-ose33-lb1-example-com:8443/test':
       The server URL is 'https://knakayam-ose33-lb1.example.com:8443'
       The user authentication is 'test/knakayam-ose33-lb1-example-com:8443'
       The current project is 'default'
       (*errors.StatusError) User "system:anonymous" cannot list all projects in the cluster

       This means that when we tried to make a request to the master API
       server, your kubeconfig did not present valid credentials to
       authenticate your client. Credentials generally consist of a client
       key/certificate or an access token. Your kubeconfig may not have
       presented any, or they may be invalid.
...


Expected results:
---
- oadm diagnostics doesn't produce this error


Additional info:
---
- For DCli0014, I attached the /root/.kube/config in private.

Comment 2 Kenjiro Nakayama 2017-02-09 07:25:21 UTC
I'm sorry, there are some typos..

**correct**
Version-Release number of selected component (if applicable):
---
- OCP 3.3.1.11


Steps to Reproduce:
----
  4. Logout non-admin user and login with system:admin
     # oc logout
     # oc login -u system:admin

  5. Run oadm diagnostics

Comment 3 Rodolfo Carvalho 2017-07-17 13:35:24 UTC
Luke, could you help have a look at this, please?

Comment 4 Daein Park 2018-03-08 14:00:24 UTC
I met this issue. 

I just share my simple workaround here.

You just delete the regular user context from '~/.kube/config' before executing "oc adm diagnostics".

If the "admin" is regular account, we should delete the one for success of diagnostics.
~~~
# oc config get-contexts 
      CURRENT   NAME                                                  CLUSTER                          AUTHINFO                                      NAMESPACE
                default/master1-example-com:8443/admin          master1-example-com:8443   admin/master1-example-com:8443          default
      *         default/master1-example-com:8443/system:admin   master1-example-com:8443   system:admin/master1-example-com:8443   default
~~~

Just delete the context, after backup the '~/.kube/config' file.
~~~
# oc config delete-context default/master1-example-com:8443/admin
      deleted context default/master1-example-com:8443/admin from /root/.kube/config

      # oc config get-contexts 
      CURRENT   NAME                                                  CLUSTER                          AUTHINFO                                      NAMESPACE
      *         default/master1-example-com:8443/system:admin   master1-example-com:8443   system:admin/master1-example-com:8443   default
~~~

I verified disappearing the error when executing the 'oc adm diagnostics ConfigContext'.


Note You need to log in before you can comment on or make changes to this bug.