Jenkins 2.190.1 - Permissions issue with Terraform's Kubernetes provider

I'm looking to leverage Terraform's Kubernetes provider within a Jenkins job. 

Deployment of a cluster succeeds on first execution and all resources are created.

However, when running any further deployments on an existing cluster, Jenkins throws this error:

"Error: <html><head><meta http-equiv='refresh' content='1;url=/securityRealm/commenceLogin?from=%2Fapi%2Fv1%2Fnamespaces%2Fkube-system%2Fconfigmaps%2Faws-auth'/><script>window.location.replace('/securityRealm/commenceLogin?from=%2Fapi%2Fv1%2Fnamespaces%2Fkube-system%2Fconfigmaps%2Faws-auth');</script></head><body style='background-color:white; color:white;'>

Authentication required
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer

This seems to occur when attempting to refresh state and configuration of Kubernetes resources. The error doesn't occur when I run Terraform locally, and the reference to Hudson leads me to believe it is Jenkins-related.

This seems like a generic error and I have read posts suggesting to provide 'anonymous' additional permissions in the security matrix. But this doesn't seem like a secure approach. I have tried amending the permissions for anonymous in the specific job, but this has no effect.

Is there a way round this issue, or some way to provide authentication?

Thanks in advance! :)

1 comment

  • 0
    Ryan Campbell

    It looks like your script is trying to access the URL /api/namespaces/kube-system/configmaps/aws-auth on Jenkins. But since your script isn't passing a valid Jenkins username & API key, it's getting bounced to the login URL.

    But what's strange is that this looks like a Kubernetes URL. I think?

    So I wonder if you are somehow mixing up the Jenkins and K8s endpoint in your script?
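
The hypothesis in the comment above can be checked from the error text itself. The following is an added example, not code from the original post or from Jenkins or Terraform: it decodes the `from=` parameter of the Jenkins login redirect and tests whether the bounced request was a Kubernetes API path. The function and constant names are hypothetical, and the Kubernetes response is a constructed sample.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Kubernetes REST paths: /api/<version>/... (core) or /apis/<group>/<version>/...
K8S_PATH = re.compile(r"^/(api/v\d+\w*|apis/[^/]+/v\d+\w*)(/|$)")
# Jenkins sends unauthenticated requests here, keeping the original path in ?from=
LOGIN_REDIRECT = re.compile(r"url=(/securityRealm/commenceLogin\?[^'\"<>\s]+)")

# Abridged copy of the error body quoted in the question above.
PAGE_ERROR = ("<html><head><meta http-equiv='refresh' content='1;url=/securityRealm/"
              "commenceLogin?from=%2Fapi%2Fv1%2Fnamespaces%2Fkube-system%2Fconfigmaps"
              "%2Faws-auth'/></head><body>Authentication required</body></html>")
# Constructed sample: the JSON Status object a real Kubernetes API server returns.
K8S_401 = '{"kind":"Status","apiVersion":"v1","status":"Failure","reason":"Unauthorized","code":401}'


def diagnose(body: str) -> dict:
    """Classify an HTTP error body seen by a Kubernetes client."""
    result = {"served_by": "unknown", "requested_path": None, "misrouted": False}
    match = LOGIN_REDIRECT.search(body)
    if match:
        result["served_by"] = "jenkins"
        # parse_qs percent-decodes the value, recovering the path the client asked for.
        original = parse_qs(urlsplit(match.group(1)).query).get("from", [None])[0]
        result["requested_path"] = original
        # A Kubernetes path answered by Jenkins means the client's host is wrong.
        result["misrouted"] = bool(original and K8S_PATH.match(original))
        return result
    try:
        doc = json.loads(body)
    except ValueError:
        return result
    if isinstance(doc, dict) and doc.get("kind") == "Status":
        result["served_by"] = "kubernetes"
    return result


if __name__ == "__main__":
    for name, body in (("page error", PAGE_ERROR), ("k8s 401", K8S_401)):
        print(name, diagnose(body))
```

When `misrouted` is true the request never reached the cluster, so the thing to inspect is the endpoint the Kubernetes client is configured with, not the Jenkins permission matrix.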
