I have this scenario:
- a HOST machine running Debian that runs docker containers.
- a CentOS docker container that has CodeReady Containers (CRC) installed on it. CRC is working on the container, via command line, without problems.
I want to access, from the Host machine, the CRC web console that works on https://console-openshift-console.apps-crc.testing (on a specific IP in the `hosts` file of the container).
I found this Red Hat guide for accessing CRC remotely and, applying it to Docker containers, made the following changes to `haproxy.conf`:
```
global
    log 127.0.0.1 local0
    debug

defaults
    log global
    mode http
    timeout connect 5000
    timeout check 5000
    timeout client 30000
    timeout server 30000

frontend apps
    bind CONTAINER_IP:80
    bind CONTAINER_IP:443
    option tcplog
    mode tcp
    default_backend apps

backend apps
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server webserver1 CRC_IP:6443 check

frontend api
    bind CONTAINER_IP:6443
    option tcplog
    mode tcp
    default_backend api

backend api
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server webserver1 CRC_IP:6443 check
```
enabling forwarding for the container:
```
$ sysctl net.ipv4.conf.all.forwarding=1
$ sudo iptables -P FORWARD ACCEPT
```
and also starting CRC behind a proxy:
```
$ crc config set http-proxy http://example.proxy.com:<port>
$ crc config set https-proxy http://example.proxy.com:<port>
$ crc config set no-proxy <comma-separated-no-proxy-entries>
```
I can successfully call the URL https://console-openshift-console.apps-crc.testing from the Host machine (that has dnsmasq as DNS resolver properly configured)!!! But I get this error:
```
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
```
Notes:
- when CRC starts I have a warning: `WARN Wildcard DNS resolution for apps-crc.testing does not appear to be working`
- even trying to log in with `oc`, on the Host machine via command line, fails with an error message with status "Forbidden": `Error from server (InternalError): Internal error occurred: unexpected response: 403`.
Where is the problem? I can’t figure it out.
For those interested, this is the project’s Git repository on GitHub.
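One check worth running on the configuration above is which upstream port each HAProxy listener forwards to, since the `Status` JSON in the error is the response format of the Kubernetes API server rather than of the web console. This is an added example, not code from the post or from the CRC project; `SAMPLE_CFG` is a constructed copy of the question's frontend/backend sections with its placeholders kept, and `parse_sections`, `port_map` and `mismatches` are hypothetical helper names.

```python
# Constructed sample: frontend/backend sections from the question, placeholders kept.
SAMPLE_CFG = """\
frontend apps
    bind CONTAINER_IP:80
    bind CONTAINER_IP:443
    default_backend apps
backend apps
    server webserver1 CRC_IP:6443 check
frontend api
    bind CONTAINER_IP:6443
    default_backend api
backend api
    server webserver1 CRC_IP:6443 check
"""
SECTIONS = ("global", "defaults", "listen", "frontend", "backend")

def parse_sections(cfg):
    """Return {(kind, name): [directive word lists]} in file order."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if words and words[0] in SECTIONS:
            current = sections.setdefault((words[0], " ".join(words[1:2])), [])
        elif words and current is not None:
            current.append(words)
    return sections

def port_map(cfg):
    """List (frontend, listen_port, backend, upstream_port) per bind/server pair.
    Assumes single 'addr:port' binds and IPv4/hostname servers. A server with
    no port gets the listen port: HAProxy then reuses the port the client hit."""
    sections, rows = parse_sections(cfg), []
    for (kind, name), directives in sections.items():
        if kind != "frontend":
            continue
        binds = [int(d[1].rsplit(":", 1)[1]) for d in directives if d[0] == "bind"]
        backend = next((d[1] for d in directives if d[0] == "default_backend"), None)
        servers = [d[2] for d in sections.get(("backend", backend), []) if d[0] == "server"]
        for listen in binds:
            for addr in servers:
                port = addr.partition(":")[2]
                rows.append((name, listen, backend, int(port) if port else listen))
    return rows

def mismatches(cfg):
    """Rows where traffic arrives on one port and is forwarded to another."""
    return [row for row in port_map(cfg) if row[1] != row[3]]

if __name__ == "__main__":
    print("listen port != upstream port:", *mismatches(SAMPLE_CFG), sep="\n  ")
```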
2 Answers
This message means that the user "system:anonymous" does not have permission to access the cluster. Have you logged in to the crc cluster as written in the documentation?
3.3. Accessing the OpenShift cluster
This is the final message when you run `crc start`
Therefore, you first have to run this to have the oc client available on the command line:
```
crc oc-env
```
Then you have to log in with the oc client. In my installation it was:
```
oc login -u developer https://api.crc.testing:6443
```