kubernetes pod是禁止的:用户tote-admin无法在集群范围内列出API组中的资源Pod

mkh04yzy  于 2023-06-05  发布在  Kubernetes
关注(0)|答案(1)|浏览(184)

我在kubeadm kubernetes集群中创建了一个名为tote的新用户。首先,我创建了一个key:

openssl genrsa -out tote.key 2048

然后我创建了一个CSR:

openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr

最后,我跟随kubernetes docs in here
A)我创建证书签名请求清单:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tote
spec:
  request: XXXXXX (based64 of the generated CSR)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

B)使用kubectl批准CSR:

kubectl certificate approve tote

C)为手提箱用户制作crt证书:

kubectl get csr tote -o jsonpath='{.status.certificate}'| base64 -d > tote.crt

最后,当尝试使用apiserver url使用tote user列出pod时,它给了我如下错误:

curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt

答案是:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403

如何解决此问题并允许用户手提包访问pod,有任何帮助吗?

9wbgstp7

9wbgstp71#

1.看起来您的Auth正在工作,但用户没有必要的权限。您需要为您使用的用户创建RBAC权限。参见Using RBAC Authorization
1.并尝试从.kube/config文件中捕获证书。类似于客户端密钥数据:
echo -n“LS0....Cg==”|base64 -d > admin.key
客户端证书数据:

echo -n "LS0...C==" | base64 -d > admin.crt

证书颁发机构-数据:

echo -n "LS0...g==" | base64 -d >ca.crt

然后使用,curl https://172.31.127.100:6443 \ --key admin.key \ --cert admin.crt --cacert can.crt

相关问题