Ansible Pilot

Summary

The provided content discusses troubleshooting the "401 Unauthorized" error when using Ansible to create a namespace in a Kubernetes or OpenShift cluster.

Abstract

The content is a comprehensive guide focusing on resolving the "Kubernetes 401 Unauthorized" error message encountered when attempting to create a namespace named "example" using Ansible's k8s module. It explains that this error typically occurs due to a lack of authentication tokens when interacting with the Kubernetes or OpenShift cluster. The guide, presented by Luca Berton in an episode of Ansible Pilot, includes a live demo, Ansible Playbook code snippets, error execution logs, troubleshooting steps, and the final fix for the error. It also provides resources such as video courses, printed books, eBooks, and donation links for further learning and support.

Opinions

  • The author, Luca Berton, emphasizes the importance of proper authentication and context setup when using Ansible to manage Kubernetes resources.
  • The content suggests that the "401 Unauthorized" error is commonly related to Kubernetes/OpenShift authentication rather than Ansible's configuration or Playbook issues.
  • The guide promotes practical learning through examples, providing over 250 examples and lessons in related educational materials.
  • The author encourages readers to subscribe to the Ansible Pilot YouTube channel, Medium, and website to stay updated with the latest Ansible content and tutorials.
  • By offering a variety of educational resources and asking for donations, the author implies the value of their work and the community's support in sustaining open-source contributions.

Ansible troubleshooting — Kubernetes K8s or OpenShift OCP 401 Unauthorized

How to troubleshoot and solve the 401 Unauthorized fatal error message when trying to create an “example” Namespace with the Ansible k8s module.

Today we’re going to talk about Ansible troubleshooting, specifically about the “Kubernetes 401 Unauthorized” message.

This fatal error message appears when we try to run code against a Kubernetes K8s or OpenShift OCP cluster without any authentication tokens.

The cause is usually Kubernetes K8s or OpenShift OCP authentication, not the Ansible Playbook or the Ansible configuration.

I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

Demo

How to reproduce, troubleshoot, and fix the error: “Kubernetes 401 Unauthorized”.

The best way to talk about Ansible troubleshooting is to jump into a live demo that shows the “Kubernetes 401 Unauthorized” error in practice and how to solve it!

This demo is going to try to create an “example” namespace in a Kubernetes/OpenShift cluster.

Ansible Playbook code

---
- name: k8s demo
  hosts: localhost
  gather_facts: false
  connection: local
  vars:
    myproject: "example"
  tasks:
    - name: create {{ myproject }} namespace
      kubernetes.core.k8s:
        api_version: v1
        kind: Namespace
        name: "{{ myproject }}"
        state: present

Error execution

ansible-pilot $ ansible-playbook kubernetes/namespace.yml 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [k8s demo] ***********************************************************************************
TASK [create example namespace] *******************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "error": 401, "msg": "Namespace example: Failed to retrieve requested object: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"Unauthorized\",\"reason\":\"Unauthorized\",\"code\":401}\\n'", "reason": "Unauthorized", "status": 401}
PLAY RECAP ****************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
ansible-pilot $

Troubleshooting

ansible-pilot $ oc get namespace
error: You must be logged in to the server (Unauthorized)
ansible-pilot $ crc status
CRC VM:          Running
OpenShift:       Running (v4.9.15)
Disk Usage:      18.27GB of 32.74GB (Inside the CRC VM)
Cache Usage:     12.79GB
Cache Directory: /Users/lberton/.crc/cache
ansible-pilot $ crc start
WARN A new version (2.0.1) has been published on https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/2.0.1/crc-macos-amd64.pkg 
INFO A CodeReady Containers VM for OpenShift 4.9.15 is already running 
Started the OpenShift cluster.
The server is accessible via web console at:
  https://console-openshift-console.apps-crc.testing
Log in as administrator:
  Username: kubeadmin
  Password: WhDvM-c8WiV-zJ8iH-UKhKV
Log in as user:
  Username: developer
  Password: developer
Use the 'oc' command line interface:
  $ eval $(crc oc-env)
  $ oc login -u developer https://api.crc.testing:6443
ansible-pilot $ eval $(crc oc-env)
ansible-pilot $ oc login -u kubeadmin https://api.crc.testing:6443
Logged into "https://api.crc.testing:6443" as "kubeadmin" using existing credentials.
You have access to 66 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "example".
ansible-pilot $ oc get namespace | grep example
example                                            Active   63d
ansible-pilot $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://api.crc.testing:6443
  name: api-crc-testing:6443
contexts:
- context:
    cluster: api-crc-testing:6443
    user: developer/api-crc-testing:6443
  name: /api-crc-testing:6443/developer
- context:
    cluster: api-crc-testing:6443
    namespace: default
    user: kubeadmin
  name: crc-admin
- context:
    cluster: api-crc-testing:6443
    namespace: default
    user: developer
  name: crc-developer
- context:
    cluster: api-crc-testing:6443
    namespace: default
    user: kubeadmin/api-crc-testing:6443
  name: default/api-crc-testing:6443/kubeadmin
- context:
    cluster: api-crc-testing:6443
    namespace: example
    user: developer/api-crc-testing:6443
  name: example/api-crc-testing:6443/developer
- context:
    cluster: api-crc-testing:6443
    namespace: example
    user: kubeadmin/api-crc-testing:6443
  name: example/api-crc-testing:6443/kubeadmin
current-context: example/api-crc-testing:6443/kubeadmin
kind: Config
preferences: {}
users:
- name: developer
  user:
    token: sha256~REDACTED
- name: developer/api-crc-testing:6443
  user:
    token: sha256~REDACTED
- name: kubeadmin
  user:
    token: sha256~REDACTED
- name: kubeadmin/api-crc-testing:6443
  user:
    token: sha256~REDACTED
ansible-pilot $

Fix execution

ansible-pilot $ ansible-playbook kubernetes/namespace.yml 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [k8s demo] ***********************************************************************************
TASK [create example namespace] *******************************************************************
ok: [localhost]
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $
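
The playbook above relies on whatever context and token the kubeconfig currently holds. As an added example (not part of the original post), this variant names the kubeconfig and context explicitly and turns the 401 into an actionable message. The variable names k8s_kubeconfig and k8s_context are assumptions; the context value is the current-context from the kubeconfig printed in the troubleshooting output.

```yaml
---
- name: k8s demo with explicit credentials and a clear 401 message
  hosts: localhost
  gather_facts: false
  connection: local
  vars:
    myproject: "example"
    # Assumed variable names; values match the kubeconfig shown in the troubleshooting output.
    k8s_kubeconfig: "{{ lookup('ansible.builtin.env', 'HOME') }}/.kube/config"
    k8s_context: "example/api-crc-testing:6443/kubeadmin"
  tasks:
    - name: create namespace and report authentication failures clearly
      block:
        - name: create {{ myproject }} namespace
          kubernetes.core.k8s:
            # Pin the credentials source instead of trusting the ambient current-context.
            kubeconfig: "{{ k8s_kubeconfig }}"
            context: "{{ k8s_context }}"
            api_version: v1
            kind: Namespace
            name: "{{ myproject }}"
            state: present
      rescue:
        # The failed result carries "status": 401, as in the error execution log.
        - name: explain a 401 from the API server
          ansible.builtin.fail:
            msg: >-
              The API server rejected the credentials for context
              '{{ k8s_context }}' (401 Unauthorized). Log in again with
              'oc login' so the kubeconfig holds a valid token, then re-run.
          when: ansible_failed_result.status | default(0) | int == 401

        # Anything that is not an authentication failure is passed through.
        - name: re-raise any other failure
          ansible.builtin.fail:
            msg: "{{ ansible_failed_result.msg | default('k8s task failed') }}"
```

The playbook stores no token or password; it only selects which kubeconfig entry is used, so the credential stays in the file that `oc login` maintains.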

Recap

Now you know better how to troubleshoot the Ansible “Kubernetes/OpenShift 401 Unauthorized” message.

Subscribe to the YouTube channel, Medium, and Website to not miss the next episode of the Ansible Pilot.
