Ansible Pilot

Ansible troubleshooting - Kubernetes K8s or OpenShift OCP 401 Unauthorized

How to troubleshoot and solve the 401 Unauthorized fatal error message when trying to create an "example" Namespace with Ansible k8s module.

April 14, 2022
Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons

Ansible troubleshooting - Kubernetes K8s/OpenShift OCP 401 Unauthorized

Today we’re going to talk about Ansible troubleshooting, specifically about the “Kubernetes 401 Unauthorized” message. This fatal error message happens when we are trying to execute some code against your Kubernetes K8s or OpenShift OCP cluster without any authentication tokens. These circumstances are usually related to Kubernetes K8s or OpenShift OCP authentication and usually are not related to Ansible Playbook or Ansible configuration. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

The Best Resources For Ansible

Video Course

Books

demo

How to reproduce, troubleshoot, and fix the error: “Kubernetes 401 Unauthorized”. The best way of talking about Ansible troubleshooting is to jump in a live demo to show you practically the “Kubernetes 401 Unauthorized” and how to solve it! This demo is going to try to create an “example” namespace in a Kubernetes/OpenShift cluster.

Ansible Playbook code

---
- name: k8s demo
  hosts: localhost
  gather_facts: false
  connection: local
  vars:
    myproject: "example"
  tasks:
    - name: create {{ myproject }} namespace
      kubernetes.core.k8s:
        api_version: v1
        kind: Namespace
        name: "{{ myproject }}"
        state: present

error execution

ansible-pilot $ ansible-playbook kubernetes/namespace.yml 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [k8s demo] ***********************************************************************************
TASK [create example namespace] *******************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "error": 401, "msg": "Namespace example: Failed to retrieve requested object: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"Unauthorized\",\"reason\":\"Unauthorized\",\"code\":401}\\n'", "reason": "Unauthorized", "status": 401}
PLAY RECAP ****************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
ansible-pilot $

troubleshooting

ansible-pilot $ oc get namespace
error: You must be logged in to the server (Unauthorized)
ansible-pilot $ crc status
CRC VM:          Running
OpenShift:       Running (v4.9.15)
Disk Usage:      18.27GB of 32.74GB (Inside the CRC VM)
Cache Usage:     12.79GB
Cache Directory: /Users/lberton/.crc/cache
ansible-pilot $ crc start
WARN A new version (2.0.1) has been published on https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/2.0.1/crc-macos-amd64.pkg 
INFO A CodeReady Containers VM for OpenShift 4.9.15 is already running 
Started the OpenShift cluster.
The server is accessible via web console at:
  https://console-openshift-console.apps-crc.testing
Log in as administrator:
  Username: kubeadmin
  Password: WhDvM-c8WiV-zJ8iH-UKhKV
Log in as user:
  Username: developer
  Password: developer
Use the 'oc' command line interface:
  $ eval $(crc oc-env)
  $ oc login -u developer https://api.crc.testing:6443
ansible-pilot $ eval $(crc oc-env)
ansible-pilot $ oc login -u kubeadmin https://api.crc.testing:6443
Logged into "https://api.crc.testing:6443" as "kubeadmin" using existing credentials.
You have access to 66 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "example".
ansible-pilot $ oc get namespace | grep example
example                                            Active   63d
ansible-pilot $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://api.crc.testing:6443
  name: api-crc-testing:6443
contexts:
- context:
    cluster: api-crc-testing:6443
    user: developer/api-crc-testing:6443
  name: /api-crc-testing:6443/developer
- context:
    cluster: api-crc-testing:6443
    namespace: default
    user: kubeadmin
  name: crc-admin
- context:
    cluster: api-crc-testing:6443
    namespace: default
    user: developer
  name: crc-developer
- context:
    cluster: api-crc-testing:6443
    namespace: default
    user: kubeadmin/api-crc-testing:6443
  name: default/api-crc-testing:6443/kubeadmin
- context:
    cluster: api-crc-testing:6443
    namespace: example
    user: developer/api-crc-testing:6443
  name: example/api-crc-testing:6443/developer
- context:
    cluster: api-crc-testing:6443
    namespace: example
    user: kubeadmin/api-crc-testing:6443
  name: example/api-crc-testing:6443/kubeadmin
current-context: example/api-crc-testing:6443/kubeadmin
kind: Config
preferences: {}
users:
- name: developer
  user:
    token: sha256~REDACTED
- name: developer/api-crc-testing:6443
  user:
    token: sha256~REDACTED
- name: kubeadmin
  user:
    token: sha256~REDACTED
- name: kubeadmin/api-crc-testing:6443
  user:
    token: sha256~REDACTED
ansible-pilot $

fix execution

ansible-pilot $ ansible-playbook kubernetes/namespace.yml 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [k8s demo] ***********************************************************************************
TASK [create example namespace] *******************************************************************
ok: [localhost]
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

Recap

Now you know better how to troubleshoot the Ansible “Kubernetes/OpenShift 401 Unauthorized” message.

Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 200+ Ansible code

Want to keep this project going? Please donate

Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons
Trustpilot
Follow me

Subscribe not to miss any new releases

FREE Top 10 Best Practices

Top 10 Best Practices of Ansible Automation: save time, reduce errors and stress