I am trying to build a Kubernetes cluster as per the steps mentioned in <https:/ . . .

Gurudutt Dongre:
I am trying to build a Kubernetes cluster as per the steps mentioned in https://github.com/mmumshad|mmumshad/https://github.com/mmumshad/kubernetes-the-hard-way|kubernetes-the-hard-way in the git. I am in this page (https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/13-kube-apiserver-to-kubelet.md) trying to setup RBAC for Kubelet Authorization. Inspite of creating ClusterRole and ClusterRoleBinding as detailed on this page I am unable to view logs of the pod/container and I see below error.

vagrant@master-1:~$ kubectl logs weave-net-cpk9q weave -n kube-system
Error from server (Forbidden): Forbidden (user=kube-apiserver, verb=get, resource=nodes, subresource=proxy) ( pods/log weave-net-cpk9q)

I am able to login to the worker node and view the logs from docker logs command. Any idea what I could be missing here ? @Fernando Jimenez @Tej_Singh_Rana @Mohamed Ayman.Thanks in advance.

Gurudutt Dongre:
vagrant@master-1:~$ kubectl describe clusterrole system:kube-apiserver-to-kubelet
Name: system:kube-apiserver-to-kubelet
Labels: http://kubernetes.io/bootstrapping=rbac-defaults|kubernetes.io/bootstrapping=rbac-defaults
Annotations: http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration:
{“apiVersion”:“http://rbac.authorization.k8s.io/v1beta1|rbac.authorization.k8s.io/v1beta1”,“kind”:“ClusterRole”,“metadata”:{“annotations”:{"http://rbac.authorization.kubernetes.io/autoup|rbac.authorization.kubernetes.io/autoup
http://rbac.authorization.kubernetes.io/autoupdate|rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs


nodes/log [] [] []
nodes/metrics [] [] [
]
nodes/proxy [] [] []
nodes/spec [] [] [
]
nodes/stats [] [] [*]

vagrant@master-1:~$ kubectl describe clusterrolebinding system:kube-apiserver
Name: system:kube-apiserver
Labels: <none>
Annotations: http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration:
{“apiVersion”:“http://rbac.authorization.k8s.io/v1beta1|rbac.authorization.k8s.io/v1beta1”,“kind”:“ClusterRoleBinding”,“metadata”:{“annotations”:{},“name”:“system:kube-apiserver”}…
Role:
Kind: ClusterRole
Name: system:kube-apiserver-to-kubelet
Subjects:
Kind Name Namespace


User system:kube-apiserver

Gurudutt Dongre:
Nevermind. Fixed it. In

ClusterRoleBinding

the username is kube-apiserver and NOT system:kube-apiserver. Please corect it in the doucment.