Access Kubernetes API with kubectl failed after enabling RBAC
I'm trying to enable RBAC on my cluster and I added the following lines to the kube-apiserver.yml:
- --authorization-mode=RBAC
- --runtime-config=rbac.authorization.k8s.io/v1beta1
- --authorization-rbac-super-user=admin
and I did systemctl restart kubelet; the apiserver starts successfully but I'm not able to run kubectl commands and I got this error:
kubectl get po
Error from server (Forbidden): pods is forbidden: User "kubectl" cannot list pods in the namespace "default"
Where am I going wrong, or should I create some roles for the kubectl user? If so, how is that possible?
Error from server (Forbidden): pods is forbidden: User "kubectl" cannot list pods in the namespace "default"
You are using user kubectl to access the cluster with the kubectl utility, but you set --authorization-rbac-super-user=admin, which means your super-user is admin.
To fix the issue, launch kube-apiserver with superuser "kubectl" instead of "admin". Just update the value of the option:
--authorization-rbac-super-user=kubectl
Old question, but for Google searchers, you can use the insecure port:
If your API server runs with the insecure port enabled (--insecure-port), you can also make API calls via that port, which does not enforce authentication or authorization.
Source: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
So add --insecure-port=8080 to your kube-apiserver options and then restart it.
Then run:
kubectl create clusterrolebinding kubectl-cluster-admin-binding --clusterrole=cluster-admin --user=kubectl
Then turn the insecure-port off.
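
An added example, not part of the original answers: a small Python check over the kube-apiserver flag lines discussed in this thread, to confirm after bootstrapping that the insecure port is off again and RBAC is still enabled. The function names and the sample manifest excerpt are constructed for illustration.

```python
import re

# Constructed sample: the flag lines from the question, plus the
# --insecure-port flag the second answer enables temporarily.
SAMPLE_FLAGS = """\
- --authorization-mode=RBAC
- --runtime-config=rbac.authorization.k8s.io/v1beta1
- --authorization-rbac-super-user=admin
- --insecure-port=8080
"""

FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?$")


def parse_flags(text):
    """Return {flag: value} from '- --flag=value' lines of a manifest."""
    flags = {}
    for line in text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip().strip('"\'')
    return flags


def audit(text):
    """Return findings about the access-control flags this thread discusses."""
    flags = parse_flags(text)
    findings = []
    modes = [m for m in flags.get("authorization-mode", "").split(",") if m]
    if "RBAC" not in modes:
        findings.append("RBAC is not in --authorization-mode")
    # Assumption: an absent --insecure-port is not reported here; its default
    # depends on the Kubernetes release, so check that separately.
    port = flags.get("insecure-port")
    if port is not None and port != "0":
        findings.append(f"--insecure-port={port} serves the API without "
                        "authentication or authorization")
    superuser = flags.get("authorization-rbac-super-user")
    if superuser:
        findings.append("--authorization-rbac-super-user names "
                        f'"{superuser}" as RBAC super-user')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLAGS):
        print("FINDING:", finding)
```

Run it against the flag list of the live manifest once the clusterrolebinding exists; an empty result means the temporary --insecure-port setting has been turned off and no super-user flag remains.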