
Access Kubernetes API with kubectl failed after enabling RBAC

I'm trying to enable RBAC on my cluster and I added the following lines to the kube-apiserver.yml:

- --authorization-mode=RBAC
- --runtime-config=rbac.authorization.k8s.io/v1beta1
- --authorization-rbac-super-user=admin

and I did systemctl restart kubelet; the apiserver starts successfully, but I'm not able to run kubectl commands and I got this error:

kubectl get po 
Error from server (Forbidden): pods is forbidden: User "kubectl" cannot list pods in the namespace "default"

Where am I going wrong, or should I create some roles for the kubectl user? If so, how is that possible?

 Error from server (Forbidden): pods is forbidden: User "kubectl" cannot list pods in the namespace "default" 

You are using user kubectl to access the cluster with the kubectl utility, but you set --authorization-rbac-super-user=admin, which means your super-user is admin.

To fix the issue, launch kube-apiserver with superuser "kubectl" instead of "admin."

Just update the value of the option: --authorization-rbac-super-user=kubectl.

Old question, but for Google searchers, you can use the insecure port:

If your API server runs with the insecure port enabled (--insecure-port), you can also make API calls via that port, which does not enforce authentication or authorization.

Source: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping

So add --insecure-port=8080 to your kube-apiserver options and then restart it.

Then run:

kubectl create clusterrolebinding kubectl-cluster-admin-binding --clusterrole=cluster-admin --user=kubectl

Then turn the insecure-port off.
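
The following is an added example, not code from the thread or from the Kubernetes project: a static check of the kube-apiserver flag list for the three conditions discussed above (RBAC missing from the authorization mode, a super-user that differs from the identity kubectl presents, and an insecure port left enabled after bootstrapping). The function names and sample manifests are constructed for illustration, and the check assumes that `--insecure-port=0` is how the port is turned off.

```python
import re

# One YAML list item holding a flag, e.g. "- --insecure-port=8080" (quotes optional).
FLAG_RE = re.compile(r"""^\s*-\s+["']?--([A-Za-z0-9-]+)(?:=(.*?))?["']?\s*$""")

def parse_flags(manifest_text):
    """Return {flag: value}; if a flag is repeated, the later item overwrites the earlier."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) or ""
    return flags

def audit(manifest_text, client_user):
    """Return a list of (finding_id, message) for the three conditions in this thread."""
    flags = parse_flags(manifest_text)
    findings = []
    modes = [m.strip() for m in flags.get("authorization-mode", "").split(",")]
    if "RBAC" not in modes:
        findings.append(("rbac-not-enabled", "authorization-mode does not include RBAC"))
    superuser = flags.get("authorization-rbac-super-user")
    if superuser is not None and superuser != client_user:
        findings.append(("super-user-mismatch",
                         f'super-user is "{superuser}" but the client is "{client_user}"; '
                         "the client needs an RBAC binding of its own"))
    port = flags.get("insecure-port")
    if port is not None and port.strip() != "0":
        findings.append(("insecure-port-enabled",
                         f"insecure port {port} serves the API without authentication "
                         "or authorization"))
    return findings

# Constructed sample inputs: the flags from the question, then the temporary
# bootstrap state from the last answer, then the state with the port set to 0.
QUESTION = """\
    - --authorization-mode=RBAC
    - --runtime-config=rbac.authorization.k8s.io/v1beta1
    - --authorization-rbac-super-user=admin
"""
BOOTSTRAP = QUESTION + "    - --insecure-port=8080\n"
FINISHED = BOOTSTRAP.replace("--insecure-port=8080", "--insecure-port=0")

if __name__ == "__main__":
    for name, text in (("question", QUESTION), ("bootstrap", BOOTSTRAP), ("finished", FINISHED)):
        print(name, [fid for fid, _ in audit(text, "kubectl")])
```

The check reads only the manifest, so it cannot see a ClusterRoleBinding created with kubectl; the mismatch finding remains after the binding exists and only indicates that the client depends on RBAC bindings rather than on super-user status.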
