Started an api-server; how do I get the permissions needed to access this service?
api-server
The startup script of the api-server is as follows:
/root/k8s/kubernetes/server/bin/kube-apiserver \
  --log-dir=/root/k8s/kubernetes/log/kube-apiserver \
  --log-file=/root/k8s/kubernetes/log/kube-apiserver/log.log \
  --logtostderr=true \
  --allow-privileged=true \
  --bind-address=0.0.0.0 \
  --secure-port=6443 \
  --advertise-address=192.168.123.78 \
  --service-cluster-ip-range=10.96.0.0/12 \
  --service-node-port-range=30000-32767 \
  --etcd-servers=https://192.168.123.78:2379,https://192.168.123.79:2379,https://192.168.123.80:2379 \
  --etcd-cafile=/root/certs/ca.pem \
  --etcd-certfile=/root/certs/etcd.pem \
  --etcd-keyfile=/root/certs/etcd-key.pem \
  --tls-cert-file=/root/certs/api-server.pem \
  --tls-private-key-file=/root/certs/api-server-key.pem \
  --client-ca-file=/root/certs/ca.pem \
  --kubelet-client-certificate=/root/certs/client.pem \
  --kubelet-client-key=/root/certs/client-key.pem \
  --service-account-key-file=/root/certs/api-server.pem \
  --service-account-signing-key-file=/root/certs/api-server-key.pem \
  --service-account-issuer=https://kubernetes.default.svc.cluster.local \
  --kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP \
  --authorization-mode=RBAC,Node \
  --enable-bootstrap-token-auth=true \
  --requestheader-client-ca-file=/root/certs/ca.pem \
  --proxy-client-cert-file=/root/certs/proxy.pem \
  --proxy-client-key-file=/root/certs/proxy-key.pem \
  --requestheader-allowed-names="" \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-username-headers=X-Remote-User
Using the --kubelet-client-certificate and --kubelet-client-key from that script, I generated a kubeconfig:
/root/k8s/kubernetes/server/bin/kubectl config set-cluster kubernetes --certificate-authority=/root/certs/ca.pem --embed-certs=true --server=https://192.168.123.78:6443 --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config set-credentials kubernetes-admin --client-certificate=/root/certs/client.pem --client-key=/root/certs/client-key.pem --embed-certs=true --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
Then, when I used admin.kubeconfig to access it, I got a 403:
./kubectl get cs --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig -v=9
<<<<<
Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/api\"","reason":"Forbidden","details":{},"code":403}
I1002 21:44:12.604038  227095 round_trippers.go:466] curl -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.25.2 (linux/amd64) kubernetes/5835544" 'https://192.168.123.78:6443/apis?timeout=32s'
Does anyone know what the cause is? Or, where is the so-called admin account and password of a freshly started API-SERVER = =, and how do I access the api-server?
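The 403 in the log above was issued to "system:anonymous", i.e. the request reached RBAC authorization without an accepted client identity. As an added illustration (not code from this thread), the model below mirrors how kube-apiserver derives a user and groups from a client certificate subject (CN becomes the username, each O becomes a group; no certificate means system:anonymous when anonymous auth is on, which is the default) and then evaluates a constructed subset of the default ClusterRoles and ClusterRoleBindings. The subjects and the rule encoding are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Identity:
    user: str
    groups: List[str]


def identity_from_subject(subject: Optional[str]) -> Identity:
    """Map a TLS client-cert subject to the identity kube-apiserver would use.
    No client cert -> system:anonymous (default --anonymous-auth=true).
    Cert signed by --client-ca-file -> CN is the username, each O is a group."""
    if subject is None:
        return Identity("system:anonymous", ["system:unauthenticated"])
    cn, orgs = "", []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            cn = value
        elif key == "O":
            orgs.append(value)
    return Identity(cn, orgs + ["system:authenticated"])


# Constructed subset of the bootstrap ClusterRoles and ClusterRoleBindings.
# A rule is either a non-resource URL ("/api", "/api/*") or "verb:resource".
ROLES = {
    "cluster-admin": {"*"},
    "system:discovery": {"/api", "/api/*", "/apis", "/apis/*", "/version"},
    "system:public-info-viewer": {"/healthz", "/livez", "/readyz", "/version"},
}
BINDINGS = [  # (subject kind, subject name, ClusterRole)
    ("Group", "system:masters", "cluster-admin"),
    ("Group", "system:authenticated", "system:discovery"),
    ("Group", "system:unauthenticated", "system:public-info-viewer"),
]


def rule_matches(rule: str, request: str) -> bool:
    if rule == "*":
        return True
    if rule.endswith("/*"):
        return request.startswith(rule[:-1])
    return rule == request


def allowed(identity: Identity, request: str) -> bool:
    """RBAC is allow-only: a request passes if any bound role has a matching rule."""
    for kind, name, role in BINDINGS:
        bound = (kind == "User" and name == identity.user) or (kind == "Group" and name in identity.groups)
        if bound and any(rule_matches(r, request) for r in ROLES[role]):
            return True
    return False
```

With this model, an anonymous request to /api is forbidden exactly as in the log, a certificate with only CN=client can list /apis but not get componentstatuses, and a certificate carrying O=system:masters is bound to cluster-admin.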
1 aqua02 OP Solved. If you access it through a certificate, the certificate's CN must carry something like system:xxx. Frankly, that's disgusting.
2 plko345 2022-10-03 21:18:28 +08:00 via Android The best practices in the docs state this clearly; calling it disgusting isn't fair.