what does Unknown user “client” mean?

梦如初夏 2020-12-02 00:30

When I run a simple command on my local shell with gcloud sdk.

$ kubectl get pod

I get such error:

Error from server

4 Answers
  • 2020-12-02 00:45

    I understand this issue has now been resolved, but I would like to add some information about why this issue can occur, as it may be useful to anyone who comes across a similar issue.

    Kubernetes Engine users can authenticate to the Kubernetes API using Google OAuth2 access tokens, which means that when users create a new cluster, Kubernetes Engine configures kubectl to authenticate the user to the cluster.

    It's also possible to authenticate to the cluster using legacy methods which include using the cluster certificate and/or username and passwords. This is defined in the gcloud config.

    The configuration of gcloud in, for example, the Cloud Shell may be different from an installation of gcloud elsewhere, for example on a home workstation.

    The:

    Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

    error suggests that gcloud config set container/use_client_certificate is set to True i.e. that gcloud is expecting a client cluster certificate to authenticate to the cluster (this is what the 'client' in the error message refers to).

    As @Yanwei has discovered, unsetting container/use_client_certificate by issuing the following command in the gcloud config ends the need for a legacy certificate or credentials and prevents the error message:

    gcloud config unset container/use_client_certificate
    

    Issues such as this may be more likely if you are using an older version of gcloud on your home workstation or elsewhere.

    There is some information on this here.

    0 Discussion (0)
  • 2020-12-02 00:46

    Found out there is some issue with gcloud config. This command solved it:

    gcloud config unset container/use_client_certificate
    
    0 Discussion (0)
  • 2020-12-02 00:51

    In addition to setting

    gcloud config unset container/use_client_certificate

    Also make sure you do not have this env variable set to True

    CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE

    0 Discussion (0)
  • 2020-12-02 01:01

    This happens when you disable Legacy Authorisation in the cluster settings, because the client certificate that you are using is a legacy authentication method. So it looks like what is happening is the client authentication succeeds but the authorisation fails, as expected. ("Unknown user" in the error message, confusingly, seems to mean the user is unknown to the authorisation system, not to the authentication system.)

    You can either disable the use of the client certificate with

    gcloud config unset container/use_client_certificate
    

    and then regenerate your kubectl config with

    gcloud container clusters get-credentials my-cluster
    

    Or you can simply re-enable Legacy Authorisation in the cluster settings in the Google Cloud Console, or using the command:

    gcloud container clusters update [CLUSTER_NAME] --enable-legacy-authorization
    
    0 Discussion (0)
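Added example, not part of any answer above: a POSIX shell audit of the three places the answers name as still selecting the legacy client certificate (the environment variable, the gcloud property, and a kubeconfig generated before the property was unset). The function names and the sample kubeconfig are constructed for illustration, and the check assumes that a kubeconfig written while the property was on carries `client-certificate-data` in its user entry.

```shell
# True if the environment override from the third answer is switched on.
env_forces_client_cert() {
    case "${CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE:-}" in [Tt]rue) return 0 ;; esac
    return 1
}

# Print each kubeconfig user entry that carries a client certificate.
# Assumes the layout kubectl writes: every entry starts with "- name:".
kubeconfig_cert_users() {
    awk '
        /^[A-Za-z]/ { in_users = ($1 == "users:"); next }
        in_users && /^ *- name:/ { name = $3 }
        in_users && /^ *client-certificate(-data)?:/ { print name }
    ' "$1"
}

# Report every place that still selects the certificate; non-zero if any.
audit_client_cert() {
    found=0
    if env_forces_client_cert; then
        echo "env: CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE is true"; found=1
    fi
    if command -v gcloud >/dev/null 2>&1; then
        prop=$(gcloud config get-value container/use_client_certificate 2>/dev/null || true)
        case "$prop" in [Tt]rue) echo "gcloud: property is True"; found=1 ;; esac
    fi
    users=$(kubeconfig_cert_users "$1")
    if [ -n "$users" ]; then
        echo "kubeconfig: certificate still present for user(s): $users"; found=1
    fi
    return "$found"
}

# Constructed sample kubeconfig (names and values are placeholders).
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
users:
- name: gke_example-project_example-zone_my-cluster
  user:
    client-certificate-data: CONSTRUCTED-PLACEHOLDER
    client-key-data: CONSTRUCTED-PLACEHOLDER
- name: token-user
  user:
    auth-provider:
      name: gcp
EOF
}
```

Calling `audit_client_cert "$HOME/.kube/config"` after unsetting the property shows whether the kubeconfig still needs regenerating with `gcloud container clusters get-credentials`.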