[英]Kubernetes Access metrics server API externally
I am trying to access the metrics server for a k8s cluster without the use of kubectl proxy
.我正在尝试在不使用
kubectl proxy
的情况下访问 k8s 集群的指标服务器。 After finding the tutorial at https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy , I've run into an issue.在https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy找到教程后,我遇到了一个问题。
When making the request curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
发出请求时
curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
I get the following permissions error: curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
我收到以下权限错误:
curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq 11:58AM
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 386 100 386 0 0 2064 0 --:--:-- --:--:-- --:--:-- 2064
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "nodes.metrics.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"metrics.k8s.io\" at the cluster scope",
"reason": "Forbidden",
"details": {
"group": "metrics.k8s.io",
"kind": "nodes"
},
"code": 403
}
I've tried making a custom ServiceAccount testaccount
with the following ClusterRoleBinding:我尝试使用以下
testaccount
创建自定义 ServiceAccount 测试帐户:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: test-admin
rules:
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: test-rbac
subjects:
- kind: ServiceAccount
name: testaccount
namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
I've tried it with both the included ClusterRole, as well as the cluster-admin
cluster role.我已经尝试使用包含的 ClusterRole 以及
cluster-admin
集群角色。 With the token generated after those changes I still get the same curl error.使用这些更改后生成的令牌,我仍然得到相同的 curl 错误。
I figured out it was the apiGroups
that needed to be modified.我发现需要修改的是
apiGroups
。 The following ClusterRole and ClusterRoleBinding worked:以下 ClusterRole 和 ClusterRoleBinding 有效:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: test-admin
rules:
- apiGroups: ["*"] # This was the change
resources: ["pods", "nodes"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: test-rbac
subjects:
- kind: ServiceAccount
name: testaccount
namespace: default
roleRef:
kind: ClusterRole
name: test-admin
apiGroup: rbac.authorization.k8s.io
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.