Question

Kubectl isn't working as expected. I amd running it on my local shell with gcloud sdk. A simple command like:

$ kubectl get pod

gives me this error:

Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

I can run the same command on GCP cloud shell with correct output

$ gcloud auth list

output:

Credentialed Accounts
ACTIVE ACCOUNT
* foo@bar.com

I tried creating a clusterrolebinding, but the error still persists.

Answer 1

I think your Legacy Authorisation has been disabled in cluster settings. The client certificate that you are using is a Legacy Authentication method. So your client authentication actually succeeds but the authorisation fails. So now you can either of the following things:

Try and disable the use of client certificate:

gcloud config unset container/use_client_certificate

And regenerate your kubectl config:

gcloud container clusters get-credentials my-cluster

OR the more simpler method being, enable Legacy Authorisation in the cluster settings in the Google Cloud Console.