403 when trying to GET /nodes/status

Hi

I’m trying to hit the node status API and getting the following error:

send: b'GET /k8s/clusters/some_ID/api/v1/nodes/some_node_name/status HTTP/1.1\r\nHost: rancher.cluster.com\r\nAccept-Encoding: identity\r\nAccept: application/json\r\nUser-Agent: OpenAPI-Generator/11.0.0/python\r\nauthorization: Bearer kubeconfig-u-…\r\nContent-Type: application/json\r\n\r\n'
reply: 'HTTP/1.1 403 Forbidden\r\n'

The account I’m using has the following cluster permissions:

  • View All Projects
  • View Nodes
  • View Cluster Members
  • View Cluster Catalogs

It also has the global role:

  • User Base

I would have expected that it could then hit the required APIs.

Is it possible to troubleshoot the permissions this account has vs what is required?

I’ve seen in this article that this kind of info is shared between Rancher and k8s, but I guess I don’t have access to that…?

I have tried with the same user account from kubectl, e.g. “kubectl get nodes”. This works and provides the status info… but when I use --v=9, I don’t see any call to /nodes/status… so it must happen in the backend in kubectl…

Thanks!

The status is part of GETting the node (or any resource) as a whole, you don’t need a separate request for it.

The /status endpoint is mainly for separating out permissions to update the spec (by the user) vs the status (by the controller managing the resource).

It does technically support GET in newer versions of k8s, but is only PUT to in general. And as you’ve found, the normal non-admin roles do not grant access to it by default.

wow THANKS for the quick reply!

I was just trying to follow this example to get a simple status:ready for the node.

But I see I should probably just get that info from each item returned by the list_node API call.

thanks again!
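An added example, not part of the original posts: it shows why a read-only rule on `nodes` does not cover the `nodes/status` subresource under Kubernetes RBAC matching, and how to read the Ready condition from the node objects that a list call returns. The rule and the node list are constructed sample data; the rule is an assumption and not Rancher's actual "View Nodes" definition, and the function names are hypothetical.

```python
# Added example; VIEW_NODES and NODE_LIST are constructed sample data.

def rule_allows(rule, verb, group, resource, subresource=""):
    """Match one RBAC rule the way Kubernetes does: 'nodes/status' is a
    separate resource string from 'nodes'."""
    requested = f"{resource}/{subresource}" if subresource else resource
    if "*" not in rule["apiGroups"] and group not in rule["apiGroups"]:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    for res in rule["resources"]:
        if res in ("*", requested):
            return True
        # '*/status' grants the status subresource of every resource
        if subresource and res == f"*/{subresource}":
            return True
    return False

def node_ready(node):
    """True/False from the Ready condition, None if the node reports none."""
    for cond in node.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            # status is the string "True", "False" or "Unknown"
            return cond.get("status") == "True"
    return None

def readiness(node_list):
    """Map node name to readiness for every item in a NodeList."""
    return {n["metadata"]["name"]: node_ready(n) for n in node_list["items"]}

# Assumed read-only rule (core API group, nodes only)
VIEW_NODES = {"apiGroups": [""], "resources": ["nodes"],
              "verbs": ["get", "list", "watch"]}

# Constructed NodeList in the JSON shape the API returns
NODE_LIST = {"items": [
    {"metadata": {"name": "worker-1"}, "status": {"conditions": [
        {"type": "MemoryPressure", "status": "False"},
        {"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "worker-2"}, "status": {"conditions": [
        {"type": "Ready", "status": "Unknown"}]}},
    {"metadata": {"name": "worker-3"}, "status": {}},
]}

if __name__ == "__main__":
    print("GET nodes:       ", rule_allows(VIEW_NODES, "get", "", "nodes"))
    print("GET nodes/status:", rule_allows(VIEW_NODES, "get", "", "nodes", "status"))
    print(readiness(NODE_LIST))
```

Against a live cluster, `kubectl auth can-i get nodes --subresource=status` answers the same permission question for the current credentials.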