我在kubeadm kubernetes集群中创建了一个名为tote的新用户。首先,我创建了一个key:
openssl genrsa -out tote.key 2048然后我创建了一个CSR:
openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr最后,我跟随kubernetes docs in here:
A)我创建证书签名请求清单:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: tote
spec:
request: XXXXXX (based64 of the generated CSR)
signerName: kubernetes.io/kube-apiserver-client
usages:
- client authB)使用kubectl批准CSR:
kubectl certificate approve toteC)为手提箱用户制作crt证书:
kubectl get csr tote -o jsonpath='{.status.certificate}'| base64 -d > tote.crt最后,当尝试使用apiserver url使用tote user列出pod时,它给了我如下错误:
curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt答案是:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403如何解决此问题并允许用户手提包访问pod,有任何帮助吗?
1条答案
按热度按时间9wbgstp71#
1.看起来您的Auth正在工作,但用户没有必要的权限。您需要为您使用的用户创建RBAC权限。参见Using RBAC Authorization
1.并尝试从.kube/config文件中捕获证书。类似于客户端密钥数据:
echo -n“LS0....Cg==”|base64 -d > admin.key
客户端证书数据:
证书颁发机构-数据:
然后使用,
curl https://172.31.127.100:6443 \ --key admin.key \ --cert admin.crt --cacert can.crt